Educause Security Discussion mailing list archives
Re: Data classification
From: Melissa Guenther <mguenther () COX NET>
Date: Mon, 12 Jul 2004 09:00:02 -0700
Just one more example - this one uses an additional concept, i.e., Level of Importance - to support Business Continuity.

Level of Importance

This aspect of information classification identifies information that is required for the continuation of normal operations or for compliance with the law. The three levels of importance are: CRITICAL, ESSENTIAL, and NON-ESSENTIAL.

CRITICAL
· Information must be classified as CRITICAL when its retention is required by law or the information resources, (i.) if unavailable, would completely or materially interrupt business operations; (ii.) may be needed within 24 hours, (iii.) and cannot otherwise be replaced in that short time frame.
· Information classified as CRITICAL will be backed up daily and stored in a suitable off-site location.

ESSENTIAL
· Information must be classified as ESSENTIAL if its unavailability would completely or materially interrupt business operations and such information resources are not needed for at least 24 hours but can be reconstructed in time to support the business function.
· Information classified ESSENTIAL will be backed up and stored in a secure location on a periodic basis, but always in time so as to be capable of being available to support the business function.

NON-ESSENTIAL
· Information that is neither CRITICAL nor ESSENTIAL.
· Non-Essential information resources need not be backed up or stored and, if destroyed, need not be reconstructed.

Level of Sensitivity

This aspect of information classification refers to the sensitivity of the information. The four levels of sensitivity are: RESTRICTED, INTERNAL USE ONLY, and PUBLIC (Unclassified).

RESTRICTED
· Information must be classified as RESTRICTED if its misuse or disclosure could expose the Company to significant financial loss, loss of competitive advantage, or embarrassment.
· RESTRICTED information must be closely controlled due to its timeliness or potential for fraud or misuse.
· RESTRICTED information may be seen and possessed only by a specific list of individuals who must take action based upon the information.
Examples: Marketing plans, product formulas, insider information, pricing, financial plans, and trade agreements.

CONFIDENTIAL
· Information must be classified as CONFIDENTIAL if its misuse or disclosure would expose the Company to financial loss or embarrassment, or violate an individual's right to privacy.
· Access to CONFIDENTIAL information must be restricted to only those employees who have a specific need to know the information in order to perform their jobs. Control procedures must be designed and implemented to ensure that access is only available on a need-to-know basis.
Examples: Human Resource files, payroll information and files, and organization charts.

INTERNAL USE ONLY
· Information is designated to be INTERNAL USE ONLY if it could be disclosed to any employee without exposing the Company to financial loss or embarrassment, and without violating an individual's right to privacy.
· INTERNAL USE ONLY information has limited control requirements.
Example: Project information or office telephone directories.

PUBLIC (Unclassified)
· Information is designated to be PUBLIC only if it could be disclosed to any individual, including individuals not employed by the Company, without exposing the Company to financial loss or embarrassment and without violating any individual's right to privacy.
· PUBLIC information has very limited control requirements.
Examples of PUBLIC information are press releases and annual reports.

----- Original Message -----
From: "Slade Griffin" <slade () UTK EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Monday, July 12, 2004 7:54 AM
Subject: [SECURITY] Data classification
All,

Does anyone on this list deal with data classification? If so I would like to discuss what levels or classifications are used in the edu community.

Thanks in advance.

Slade Griffin
ITSG
University of Tennessee
http://oit.utk.edu/infosec

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.