Educause Security Discussion mailing list archives
Re: data classification
From: Jim Moore <jhmfa () RIT EDU>
Date: Tue, 27 May 2003 12:37:22 -0400
We are doing the same here. We crossed Keep It Simple with the need for expression. We have something simple like:

4 Classes:
1) Public
2) RIT - Internal Use Only
3) RIT - Confidential
4) Third Party Confidential

We are careful not to use "Confidential" alone, as we have been advised that if we get US govt "Confidential" and make no distinction between ours and theirs, then we will have to protect the 2 the same. Thus the labelling of "RIT - Confidential".

Underneath the classifications, we allow for a descriptor that describes the reason for sensitivity, e.g. Student Record Data, Protected Health Information, Financial Information, HR Information. It doesn't have any requirements. People can get creative here. We can accomplish some backwards compatibility (we had some places that were already standardized on "Legally Mandated" and "Limited Access" for things that were confidential), so that now goes on the 2nd line. We allow for a 3rd classification line with a declassify / destroy line. These are all in the upper right.

From a document/data integrity standpoint, we have:
1) Draft, Prototype, Unverified, ... in the upper left
2) "Page x of y" on center of the footer (documents)
3) In lower left, the file name
4) In the lower right, the date/time of last modification

We apply the same classifications for web pages, portals and applications, except for the Page x of y and filename. The date/time of last modification becomes date/time of last update. We haven't decided on declassify / destroy line; it may be just on printouts from web or portals.

There should be more on our website by July; it will be at http://security.rit.edu .

Most of our webpages have a pre-release for reuse (with the conditions as close to the GPL as our lawyers allow - actually very close).

Jim

- - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Office: 585-475-5406
Fax: 585-475-7950

The significant problems we face cannot be solved at the same level of thinking we were at when we created them.
-Albert Einstein-

Ted Frohling wrote:
We are embarking on a security awareness campaign. The consultant we are working with has suggested that one of the ways we can get our arms around this subject with the campus is to have data classified into various types. I obviously have not let my fingers do the walking yet to see what's out there, so I thought I'd just ask the question here.

What are other campuses doing in the area of data classification in light of the educational function, being a public institution, etc.?

thanks,
ted

--
Ted Frohling (TF30-ARIN)          The University of Arizona   520.621.4834
Security Incident Response Team   CCIT Room 126               tsf-at-Arizona.EDU
CCIT - Network Operations         PO Box 210073               www.Telcom.Arizona.EDU/tsf
Tucson, AZ 85721-0073

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax: (585)475-7950
PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0