Educause Security Discussion mailing list archives

Re: Urgent - Quick Question about "Confidential" information classification and marking


From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Fri, 5 Mar 2004 15:00:25 -0500

Our basic data classification scheme:

Public
University Internal
Restricted (to certain individuals, by law or other reasons good enough,
essentially, to override our open data access policy). 

Our philosophy statement related to this:

"The value of data as an institutional resource is increased through its
widespread and appropriate use; its value is diminished through misuse,
misinterpretation, or unnecessary restrictions to its access."  See
http://datamgmt.iu.edu/ for access policy and related documents.

We don't do any classified research here, by Board decree, so we don't
have the government classification issue.  With the REN-ISAC building a
relationship with DHS, this may have to change though.

M.

-- 
Mark S. Bruhn, CISSP, CISM

Chief IT Security and Policy Officer
Associate Director, Center for Applied Cybersecurity Research
(http://cacr.iu.edu)

Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu




-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim Moore
Sent: Friday, March 05, 2004 10:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Urgent - Quick Question about "Confidential"
information classification and marking


I am introducing the Institute to an information classification system.
Based on some things that I had read, and conversations with a seasoned
researcher, and the director of our technology licensing office, I had
gone with the category "RIT - Confidential" instead of "Confidential"
because of government sponsored research issues.

This was my understanding:

1) If we have US Government sponsored research that is classified
"Confidential" and

2) If we use "Confidential" (Just like the U.S. Government)

Then

3) We have to protect all of the data marked "Confidential" at the U.S.
Government Confidential level.

One of our directors basically said "Just write the contracts with the
government differently, and keep the information separate."

Question 1 - Is my understanding correct?
Question 2 - Can it be handled the way one of our directors suggests?
Question 3 - Should we go with RIT - Confidential anyways, because it is
more clear in communication?
Question 4 - What do you use?

Thanks

Jim

- - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Office: 585-475-5406
Fax: 585-475-7950

"In cases of defence 'tis best to weigh the enemy more mighty than he
seems" - William Shakespeare (Henry V, Act 2, Scene 4)

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
