Educause Security Discussion mailing list archives

Re: data classification


From: Jim Moore <jhmfa () RIT EDU>
Date: Tue, 27 May 2003 12:37:22 -0400

We are doing the same here.  We crossed Keep It Simple with the
need for expression.

We have something simple like:
4 Classes:
1) Public
2) RIT - Internal Use Only
3) RIT - Confidential
4) Third Party Confidential

We are careful not to use "Confidential" alone, as we have been advised
that if we get US govt "Confidential" and make no distinction between
ours and theirs, then we will have to protect the 2 the same. Thus the
labelling of "RIT - Confidential".

Underneath the classifications, we allow for a descriptor that
describes the reason for sensitivity, e.g. Student Record Data,
Protected Health Information, Financial Information, HR Information. It
doesn't have any requirements.  People can get creative here.  We can
accomplish some backwards compatibility (we had some places that were
already standardized on "Legally Mandated" and "Limited Access" for
things that were confidential), so that now goes on the 2nd line.

We allow for a 3rd classification line with a declassify / destroy line.

These are all in the upper right.

From a document/data integrity standpoint, we have:
1) Draft, Prototype, Unverified, ...  in the upper left
2) "Page x of y" on center of the footer (documents)
3) In lower left, the file name
4) In the lower right, the date/time of last modification

We apply the same classifications for web pages, portals and
applications, except for the Page x of y and filename.  The date/time of
last modification becomes date/time of last update.  We haven't decided
on declassify / destroy line, it may be just on printouts from web or
portals.

There should be more on our website by July; it will be at
http://security.rit.edu . Most of our webpages have a pre-release for
reuse (with the conditions as close to the GPL as our lawyers allow -
actually very close).

Jim
- - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Office: 585-475-5406
Fax: 585-475-7950

The significant problems we face cannot be solved at the same level of
thinking we were at when we created them. -Albert Einstein-


Ted Frohling wrote:
We are embarking on a security awareness campaign.  The consultant
we are working with has suggested that one of the ways we can get our
arms around this subject with the campus is to have data classified into
various types.

I obviously have not let my fingers do the walking yet to see what's out
there, so I thought I'd just ask the question here.

What are other campuses doing in the area of data classification in light
of the educational function being a public institution, etc.?

thanks,

ted


--
    Ted Frohling (TF30-ARIN)                   The University of Arizona
    520.621.4834     Security Incident Response Team       CCIT Room 126
    tsf-at-Arizona.EDU  CCIT - Network Operations          PO Box 210073
    www.Telcom.Arizona.EDU/tsf                     Tucson, AZ 85721-0073

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/memdir/cg/.


--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax:       (585)475-7950

PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0
