Educause Security Discussion mailing list archives

Re: Data classification


From: Melissa Guenther <mguenther () COX NET>
Date: Mon, 12 Jul 2004 09:00:02 -0700

Just one more example - this one uses an additional concept, i.e., Level of Importance - to support Business Continuity.

Level of Importance
This aspect of information classification identifies information that is required for the continuation of normal operations or for compliance with the law. The three levels of importance are: CRITICAL, ESSENTIAL, and NON-ESSENTIAL.

CRITICAL
· Information must be classified as CRITICAL when its retention is required by law or when the information resources (i.) if unavailable, would completely or materially interrupt business operations; (ii.) may be needed within 24 hours; and (iii.) cannot otherwise be replaced in that short time frame.

· Information classified as CRITICAL will be backed up daily and stored in a suitable off-site location.

ESSENTIAL
· Information must be classified as ESSENTIAL if its unavailability would completely or materially interrupt business operations and such information resources are not needed for at least 24 hours but can be reconstructed in time to support the business function.

· Information classified ESSENTIAL will be backed up and stored in a secure location on a periodic basis, but always in time so as to be capable of being available to support the business function.

NON-ESSENTIAL
· Information that is neither CRITICAL nor ESSENTIAL.

· Non-Essential information resources need not be backed up or stored and, if destroyed, need not be reconstructed.

Level of Sensitivity
This aspect of information classification refers to the sensitivity of the information. The four levels of sensitivity are: RESTRICTED, INTERNAL USE ONLY, and PUBLIC (Unclassified).

RESTRICTED
· Information must be classified as RESTRICTED if its misuse or disclosure could expose the Company to significant financial loss, loss of competitive advantage, or embarrassment.

· RESTRICTED information must be closely controlled due to its timeliness or potential for fraud or misuse. RESTRICTED information may be seen and possessed only by a specific list of individuals who must take action based upon the information.

Examples: Marketing plans, product formulas, insider information, pricing, financial plans, and trade agreements.

CONFIDENTIAL
· Information must be classified as CONFIDENTIAL if its misuse or disclosure would expose the Company to financial loss or embarrassment, or violate an individual's right to privacy.

· Access to CONFIDENTIAL information must be restricted to only those employees who have a specific need to know the information in order to perform their jobs. Control procedures must be designed and implemented to ensure that access is only available on a need-to-know basis.

Examples: Human Resource files, payroll information and files, and organization charts.

INTERNAL USE ONLY
· Information is designated to be INTERNAL USE ONLY if it could be disclosed to any employee without exposing the Company to financial loss or embarrassment, and without violating an individual's right to privacy.

· INTERNAL USE ONLY information has limited control requirements.

Examples: Project information or office telephone directories.

PUBLIC (Unclassified)
· Information is designated to be PUBLIC only if it could be disclosed to any individual, including individuals not employed by the Company, without exposing the Company to financial loss or embarrassment and without violating any individual's right to privacy.

· PUBLIC information has very limited control requirements.

Examples of PUBLIC information are press releases and annual reports.

----- Original Message ----- 
From: "Slade Griffin" <slade () UTK EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Monday, July 12, 2004 7:54 AM
Subject: [SECURITY] Data classification


All,
        Does anyone on this list deal with data classification? If so, I
would like to discuss what levels or classifications are used in the edu
community. Thanks in advance.

Slade Griffin
ITSG
University of Tennessee
http://oit.utk.edu/infosec

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
