Educause Security Discussion mailing list archives

Re: Data Classification: Legal criteria


From: Ced Bennett <ced.bennett () STANFORD EDU>
Date: Wed, 19 Mar 2008 10:00:48 -0700

Brian -

You'll find some useful guidance in the Risk Assessment Framework on the
EDUCAUSE wiki.  Look at the two steps of Phase 0, Process 1 to find a very
simple, straightforward approach to this.  Also note a reference to an
example of what the outcome might look like for a typical institution.  The
URL for the framework is
https://wiki.internet2.edu/confluence/display/secguide/Risk+Assessment+Framework.
Scroll down to Phase 0 and you'll see the links to the two steps and
the example.

Ced Bennett
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Cedric Bennett  Ph: 650 858-0883 Cell: 650 619-0145
 Emeritus Director, Information Security Services
Stanford University        Ced.Bennett () Stanford edu



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Tuesday, March 18, 2008 11:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Data Classification: Legal criteria

 We are in the process of developing a data classification policy with
three types: public, internal, and confidential.

 The criteria or logic behind classifying confidential data is fairly
easy: FERPA, GLBA, PCI, etc., require the confidentiality of certain
data types. Yet, I am not clear on the best external criteria to use for
classification of internal data. Peer institutions' "best practices" is
one thought, but I'm wondering what other objective criteria people have
employed for the justification of making certain kinds of data internal
as opposed to public. Let me know, thanks.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College