Educause Security Discussion mailing list archives

Re: Data classification


From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Mon, 12 Jul 2004 11:06:52 -0500

Melissa, it would be helpful if you cited the sources for the materials
that you post.
Thanks,
M.
 
-- 
Mark S. Bruhn, CISSP, CISM 

Chief IT Security and Policy Officer 
Associate Director, Center for Applied Cybersecurity Research
(http://cacr.iu.edu) 

Office of the Vice President for Information Technology and CIO 
Indiana University 
812-855-0326 

Incidents involving IU IT resources: it-incident () iu edu 
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu 


-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Melissa Guenther
Sent: Monday, July 12, 2004 11:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Data classification



Just one more example - this one uses an additional concept, i.e.,
Level of Importance - to support Business Continuity.


Level of Importance

This aspect of information classification identifies information that is
required for the continuation of normal operations or for compliance
with the law.  The three levels of importance are: CRITICAL, ESSENTIAL,
and NON-ESSENTIAL.


CRITICAL


*        Information must be classified as CRITICAL when its retention
is required by law or the information resources, (i.) if unavailable,
would completely or materially interrupt business operations; (ii.) may
be needed within 24 hours; and (iii.) cannot otherwise be replaced in
that short time frame.

*        Information classified as CRITICAL will be backed up daily and
stored in a suitable off-site location.


ESSENTIAL


*        Information must be classified as ESSENTIAL if its
unavailability would completely or materially interrupt business
operations and such information resources are not needed for at least 24
hours but can be reconstructed in time to support the business function.

*        Information classified ESSENTIAL will be backed up and stored
in a secure location on a periodic basis, but always in time so as to be
capable of being available to support the business function.


NON-ESSENTIAL


*        Information that is neither CRITICAL nor ESSENTIAL.

*        Non-Essential information resources need not be backed up or
stored and, if destroyed, need not be reconstructed.


Level of Sensitivity

This aspect of information classification refers to the sensitivity of
the information.  The four levels of sensitivity are: RESTRICTED,
CONFIDENTIAL, INTERNAL USE ONLY, and PUBLIC (Unclassified).


RESTRICTED


*        Information must be classified as RESTRICTED if its misuse or
disclosure could expose the Company to significant financial loss, loss
of competitive advantage, or embarrassment.

*        RESTRICTED information must be closely controlled due to its
timeliness or potential for fraud or misuse. RESTRICTED information may
be seen and possessed only by a specific list of individuals who must
take action based upon the information.

Examples:  Marketing plans, product formulas, insider information,
pricing, financial plans, and trade agreements.


CONFIDENTIAL


*        Information must be classified as CONFIDENTIAL if its misuse or
disclosure would expose the Company to financial loss or embarrassment,
or violate an individual's right to privacy.

*        Access to CONFIDENTIAL information must be restricted to only
those employees who have a specific need to know the information in
order to perform their jobs.  Control procedures must be designed and
implemented to ensure that access is only available on a need to know
basis.

Examples:  Human Resource files, payroll information and files, and
organization charts.


INTERNAL USE ONLY


*        Information is designated to be INTERNAL USE ONLY if it could
be disclosed to any employee without exposing the Company to financial
loss or embarrassment, and without violating an individual's right to
privacy.

*        INTERNAL USE ONLY information has limited control requirements.

Example:  Project information or office telephone directories.


PUBLIC (Unclassified)


*        Information is designated to be PUBLIC only if it could be
disclosed to any individual, including individuals not employed by the
Company, without exposing the Company to financial loss or embarrassment
and without violating any individual's right to privacy.

*        PUBLIC information has very limited control requirements.  

Examples of PUBLIC information are press releases and annual reports.


----- Original Message ----- 
From: "Slade Griffin" <slade () UTK EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Monday, July 12, 2004 7:54 AM
Subject: [SECURITY] Data classification


All,
        Does anyone on this list deal with data classification?  If so I
would like to discuss what levels or classifications are used in the edu
community.  Thanks in advance.

Slade Griffin
ITSG
University of Tennessee
http://oit.utk.edu/infosec

**********
Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.