Educause Security Discussion mailing list archives
Re: Data classification
From: Melissa Guenther <mguenther () COX NET>
Date: Mon, 12 Jul 2004 08:27:36 -0700
I apologize for the additional email - I accidentally hit send too soon, as I also meant to send a "corporate world" sample. Maybe some will find a balance between the two helpful. I also think it is appropriate, since edu is a business. This one has five levels. BTW - A classification matrix is a GREAT awareness tool and exercise!

Data Classification

Data Classification is the conscious decision to assign a level of sensitivity to data as it is being created, amended, enhanced, stored, or transmitted. The classification of the data should then determine the extent to which the data needs to be controlled / secured and is also indicative of its value in terms of Business Assets.

The classification of data and documents is essential if you are to differentiate between that which is of little (if any) value, and that which is highly sensitive and confidential. When data is stored, whether received, created or amended, it should always be classified into an appropriate sensitivity level. For many organizations, a simple 5 scale grade will suffice as follows:

Document / Data Classification - Description

Top Secret: Highly sensitive internal documents e.g. pending mergers or acquisitions; investment strategies; plans or designs; that could seriously damage the organization if such information were lost or made public. Information classified as Top Secret has very restricted distribution and must be protected at all times. Security at this level is the highest possible.

Highly Confidential: Information that, if made public or even shared around the organization, could seriously impede the organization's operations and is considered critical to its ongoing operations. Information would include accounting information, business plans, sensitive customer information of banks, solicitors and accountants etc., patients' medical records and similar highly sensitive data. Such information should not be copied or removed from the organization's operational control without specific authority. Security at this level should be very high.

Proprietary: Information of a proprietary nature; procedures, operational work routines, project plans, designs and specifications that define the way in which the organization operates. Such information is normally for proprietary use to authorized personnel only. Security at this level is high.

Internal Use only: Information not approved for general circulation outside the organization where its loss would inconvenience the organization or management but where disclosure is unlikely to result in financial loss or serious damage to credibility. Examples would include internal memos, minutes of meetings, internal project reports. Security at this level is controlled but normal.

Public Documents: Information in the public domain; annual reports, press statements etc.; which has been approved for public use. Security at this level is minimal.

----- Original Message -----
From: "Slade Griffin" <slade () UTK EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Monday, July 12, 2004 7:54 AM
Subject: [SECURITY] Data classification
All,

Does anyone on this list deal with data classification? If so I would like to discuss what levels or classifications are used in the edu community.

Thanks in advance.

Slade Griffin
ITSG University of Tennessee
http://oit.utk.edu/infosec

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.