Educause Security Discussion mailing list archives

Re: Data classification


From: Melissa Guenther <mguenther () COX NET>
Date: Mon, 12 Jul 2004 08:23:41 -0700

Data Classification is the conscious decision to assign a level of sensitivity to data as it is being created, amended, 
enhanced, stored, transmitted or discarded. The classification of the data should then determine the extent to which 
the data needs to be controlled / secured and is also indicative of its value in terms of University Assets. 

The classification of data and documents is essential if you are to differentiate between that which is of little (if 
any) value, and that which is highly sensitive and confidential. When data is stored, whether stored, transmitted, 
received, created, amended or discarded, it should always be classified into an appropriate sensitivity level. For 
many, a simple 4 scale grade will suffice as follows:

I. Not Classified
Requires no explanation or examples.



II. Operational/Eligible for Public Release
Available to employees for normal operational use. Available to the public based on appropriate request for disclosure 
of information.  

+ General financial data
+ Student directory data (non-opt out)
+ NetID
+ Non-confidential personnel data 


III. Confidential

Information that the organization and its employees have a legal, regulatory, or social obligation to protect.  
Intended for use solely within defined groups in the organization.

+ Employee ID
+ Student ID
+ Employee benefit information
+ Student non-directory information



IV. Restricted
Information that is intended solely for restricted use within the organization and is limited to those with an explicit, 
predetermined "need to know". Disclosure could result in severe personal or financial damage to individuals or the 
organization. 
+ SSN
+ Passwords/PINs
+ Credit card numbers
+ Digitized signatures
+ Encryption keys
+ Medical Records -- Employee/Student/Research Subject





----- Original Message ----- 
From: "Slade Griffin" <slade () UTK EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Monday, July 12, 2004 7:54 AM
Subject: [SECURITY] Data classification


All,
        Does anyone on this list deal with data classification?  If so I
would like to discuss what levels or classifications are used in the edu
community.  Thanks in advance.

Slade Griffin
ITSG
University of Tennessee
http://oit.utk.edu/infosec

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
