Re: Data classification

[Melissa Guenther <mguenther () COX NET>]

I apologize for the additional email - I accidentally hit send to soon as I also meant to send a "corporate world" 
sample.  Maybe some will find a balance between the two helpful.  I also think it is appropriate, since edu is a 
business.



This one has five levels. BTW - A classification matrix is a GREAT awareness tool and exercise!


      Data Classification 
       

      Data Classification is the conscious decision to assign a level of sensitivity to data as it is being created, 
amended, enhanced, stored, or transmitted. The classification of the data should then determine the extent to which the 
data needs to be controlled / secured and is also indicative of its value in terms of Business Assets. 

      The classification of data and documents is essential if you are to differentiate between that which is a little 
(if any) value, and that which is highly sensitive and confidential. When data is stored, whether received, created or 
amended, it should always be classified into an appropriate sensitivity level. For many organizations, a simple 5 scale 
grade will suffice as follows: - 

            Document / Data Classification 
           Description 
           
            Top Secret 
           Highly sensitive internal documents e.g. pending mergers or acquisitions; investment strategies; plans or 
designs; that could seriously damage the organization if such information were lost or made public. Information 
classified as Top Secret has very restricted distribution and must be protected at all times. Security at this level is 
the highest possible. 
           
            Highly Confidential 
           Information that, if made public or even shared around the organization, could seriously impede the 
organization's operations and is considered critical to its ongoing operations. Information would include accounting 
information, business plans, sensitive customer information of bank's, solicitors and accountants etc., patient's 
medical records and similar highly sensitive data. Such information should not be copied or removed from the 
organization's operational control without specific authority. Security at this level should be very high. 
           
            Proprietary 
           Information of a proprietary nature; procedures, operational work routines, project plans, designs and 
specifications that define the way in which the organization operates. Such information is normally for proprietary use 
to authorized personnel only. Security at this level is high. 
           
            Internal Use only 
           Information not approved for general circulation outside the organization where its loss would inconvenience 
the organization or management but where disclosure is unlikely to result in financial loss or serious damage to 
credibility. Examples would include, internal memos, minutes of meetings, internal project reports. Security at this 
level is controlled but normal. 
           
            Public Documents 
           Information in the public domain; annual reports, press statements etc.; which has been approved for public 
use. Security at this level is minimal. 
           

     

----- Original Message ----- 
From: "Slade Griffin" <slade () UTK EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Monday, July 12, 2004 7:54 AM
Subject: [SECURITY] Data classification


> All,
>         Does anyone on this list deal with data classification?  If so I
> would like to discuss what levels or classifications are used in the edu
> community.  Thanks in advance.
>
> Slade Griffin
> ITSG
> University of Tennessee
> http://oit.utk.edu/infosec
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
> http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.