Educause Security Discussion mailing list archives
Re: Urgent - Quick Question about "Confidential" information classification and marking
From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Fri, 5 Mar 2004 15:00:25 -0500
Our basic data classification scheme:

Public
University Internal
Restricted (to certain individuals, by law or other reasons good enough, essentially, to override our open data access policy).

Our philosophy statement related to this: "The value of data as an institutional resource is increased through its widespread and appropriate use; its value is diminished through misuse, misinterpretation, or unnecessary restrictions to its access."

See http://datamgmt.iu.edu/ for access policy and related documents.

We don't do any classified research here, by Board decree, so we don't have the government classification issue. With the REN-ISAC building a relationship with DHS, this may have to change though.

M.

--
Mark S. Bruhn, CISSP, CISM
Chief IT Security and Policy Officer
Associate Director, Center for Applied Cybersecurity Research (http://cacr.iu.edu)
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim Moore
Sent: Friday, March 05, 2004 10:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Urgent - Quick Question about "Confidential" information classification and marking

I am introducing the Institute to an information classification system. Based on some things that I had read, and conversations with a seasoned researcher, and the director of our technology licensing office, I had gone with the category "RIT - Confidential" instead of "Confidential" because of government sponsored research issues.

This was my understanding:

1) If we have US Government sponsored research that is classified "Confidential" and
2) If we use "Confidential" (Just like the U.S. Government)
Then
3) We have to protect all of data marked "Confidential" at the U.S. Government Confidential level.

One of our directors basically said "Just write the contracts with the government differently, and keep the information separate."

Question 1 - Is my understanding correct?
Question 2 - Can it be handled the way one of our directors suggests?
Question 3 - Should we go with RIT - Confidential anyways, because it is more clear in communication?
Question 4 - What do you use?

Thanks

Jim

- - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Office: 585-475-5406
Fax: 585-475-7950

"In cases of defence 'tis best to weigh the enemy more mighty than he seems" - William Shakespeare (Henry V, Act 2, Scene 4)

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.