Educause Security Discussion mailing list archives

Re: Data classification


From: Melissa Guenther <mguenther () COX NET>
Date: Mon, 12 Jul 2004 09:22:30 -0700

Sure.
The first was co-designed by U of A and myself.  The second two were designed as templates for work I did with various 
clients.  If I cited sources, it would have to be the projects I was on, since there is really little out on Data 
Classification.  By the way, if anyone on this list is interested in authoring a book on the subject, an associate at a 
publishing firm would love to talk with you.

Melissa
  ----- Original Message ----- 
  From: Bruhn, Mark S. 
  To: SECURITY () LISTSERV EDUCAUSE EDU 
  Sent: Monday, July 12, 2004 9:06 AM
  Subject: Re: [SECURITY] Data classification


  Melissa, it would be helpful if you cited the sources for the materials that you post.
  Thanks,
  M.

  -- 
  Mark S. Bruhn, CISSP, CISM 
  Chief IT Security and Policy Officer 
  Associate Director, Center for Applied Cybersecurity Research (http://cacr.iu.edu) 

  Office of the Vice President for Information Technology and CIO 
  Indiana University 
  812-855-0326 

  Incidents involving IU IT resources: it-incident () iu edu 
  Complaints/kudos about OVPIT/UITS services: itombuds () iu edu 



  -----Original Message-----
  From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Melissa 
Guenther
  Sent: Monday, July 12, 2004 11:00 AM
  To: SECURITY () LISTSERV EDUCAUSE EDU
  Subject: Re: [SECURITY] Data classification


  Just one more example - this one uses an additional concept, i.e., Level of Importance - to support Business 
Continuity.

  Level of Importance
        This aspect of information classification identifies information that is required for the continuation of 
normal operations or for compliance with the law.  The three levels of importance are: CRITICAL, ESSENTIAL, and 
NON-ESSENTIAL.

  CRITICAL
  ·        Information must be classified as CRITICAL when its retention is required by law or the information 
resources (i) if unavailable, would completely or materially interrupt business operations, (ii) may be needed 
within 24 hours, and (iii) cannot otherwise be replaced in that short time frame. 

  ·        Information classified as CRITICAL will be backed-up daily and stored in a suitable off-site location.

  ESSENTIAL
  ·        Information must be classified as ESSENTIAL if its unavailability would completely or materially interrupt 
business operations and such information resources are not needed for at least 24 hours but can be reconstructed in 
time to support the business function.

  ·        Information classified ESSENTIAL will be backed up and stored in a secure location on a periodic basis, but 
always in time so as to be capable of being available to support the business function.

  NON-ESSENTIAL
  ·        Information that is neither CRITICAL nor ESSENTIAL.

  ·        Non-Essential information resources need not be backed up or stored and, if destroyed, need not be 
reconstructed.

  Level of Sensitivity
        This aspect of information classification refers to the sensitivity of the information.  The four levels of 
sensitivity are: RESTRICTED, INTERNAL USE ONLY, and PUBLIC (Unclassified).

  RESTRICTED
  ·        Information must be classified as RESTRICTED if its misuse or disclosure could expose the Company to 
significant financial loss, loss of competitive advantage, or embarrassment.

  ·        RESTRICTED information must be closely controlled due to its timeliness or potential for fraud or misuse. 
RESTRICTED information may be seen and possessed only by a specific list of individuals who must take action based upon 
the information.

  Examples:  Marketing plans, product formulas, insider information, pricing, financial plans, and trade agreements.

  CONFIDENTIAL
  ·        Information must be classified as CONFIDENTIAL if its misuse or disclosure would expose the Company to 
financial loss or embarrassment, or violate an individual's right to privacy.

  ·        Access to CONFIDENTIAL information must be restricted to only those employees who have a specific need to 
know the information in order to perform their jobs.  Control procedures must be designed and implemented to ensure 
that access is only available on a need to know basis.

  Examples:  Human Resource files, payroll information and files, and organization charts.

  INTERNAL USE ONLY
  ·        Information is designated to be INTERNAL USE ONLY if it could be disclosed to any employee without exposing 
the Company to financial loss or embarrassment, and without violating an individual's right to privacy.

  ·        INTERNAL USE ONLY information has limited control requirements.

  Example:  Project information or office telephone directories

  PUBLIC (Unclassified)
  ·        Information is designated to be PUBLIC only if it could be disclosed to any individual, including 
individuals not employed by the Company, without exposing the Company to financial loss or embarrassment and without 
violating any individual's right to privacy.

  ·        PUBLIC information has very limited control requirements.  

  Examples of PUBLIC information are press releases and annual reports.


  ----- Original Message ----- 
  From: "Slade Griffin" <slade () UTK EDU>
  To: <SECURITY () LISTSERV EDUCAUSE EDU>
  Sent: Monday, July 12, 2004 7:54 AM
  Subject: [SECURITY] Data classification


  > All,
  >         Does anyone on this list deal with data classification?  If so I
  > would like to discuss what levels or classifications are used in the edu
  > community.  Thanks in advance.
  > 
  > Slade Griffin
  > ITSG
  > University of Tennessee
  > http://oit.utk.edu/infosec
  > 
  > **********
  > Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
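The Level of Importance scheme quoted earlier in this thread, as an added example (not code from any message in the thread): the three definitions encoded literally as a decision function, plus an exhaustive check over every combination of the underlying facts that reports which operations-interrupting resources fall through to NON-ESSENTIAL and therefore get no backup. The field names are assumptions chosen to mirror the posted wording.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class AvailabilityFacts:
    """Facts about an information resource that the posted importance rules depend on (assumed field names)."""
    retention_required_by_law: bool
    outage_interrupts_operations: bool  # unavailability would completely or materially interrupt business
    needed_within_24h: bool
    reconstructible_in_time: bool       # can be rebuilt or replaced before the business needs it

# Backup handling the posted scheme prescribes for each level.
HANDLING = {
    "CRITICAL": "backed up daily, stored at a suitable off-site location",
    "ESSENTIAL": "backed up periodically, stored securely, restorable in time for the business function",
    "NON-ESSENTIAL": "no backup or reconstruction required",
}

def classify_importance(f: AvailabilityFacts) -> str:
    """Apply the three definitions literally, in the order the scheme lists them."""
    critical = f.retention_required_by_law or (
        f.outage_interrupts_operations and f.needed_within_24h and not f.reconstructible_in_time)
    if critical:
        return "CRITICAL"
    essential = (f.outage_interrupts_operations and not f.needed_within_24h
                 and f.reconstructible_in_time)
    if essential:
        return "ESSENTIAL"
    return "NON-ESSENTIAL"  # defined as "neither CRITICAL nor ESSENTIAL"

def find_policy_gaps() -> list[AvailabilityFacts]:
    """Enumerate all 16 fact combinations and return those where a resource whose outage
    interrupts operations nevertheless lands in NON-ESSENTIAL (i.e. would not be backed up)."""
    gaps = []
    for bits in product([False, True], repeat=4):
        f = AvailabilityFacts(*bits)
        if f.outage_interrupts_operations and classify_importance(f) == "NON-ESSENTIAL":
            gaps.append(f)
    return gaps

if __name__ == "__main__":
    # Constructed sample: a system needed within 24 hours that cannot be rebuilt in that time.
    payroll = AvailabilityFacts(False, True, True, False)
    level = classify_importance(payroll)
    print(level, "->", HANDLING[level])
    for gap in find_policy_gaps():
        print("uncovered by the definitions:", gap)
```

Running the gap check shows two combinations (interrupts operations but is either replaceable within 24 hours, or not needed within 24 hours and not reconstructible) that the definitions as written leave to NON-ESSENTIAL; a policy adopting this scheme would want to state explicitly how those are handled.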
