Educause Security Discussion mailing list archives

Re: Data Classification


From: "Waller, Michael A. (HSC)" <Michael-Waller () OUHSC EDU>
Date: Fri, 28 Jul 2006 16:51:43 -0500

 

We've adopted a policy with four levels of classification and we call
them simply 'Category A' through 'Category D'. 'A' data is of the
highest importance and 'D' data is essentially public data that has no
security implications. Throughout our policy docs, we define sensitive
data as any data classified as 'A' or 'B' - that data is subject to
additional security requirements. Any data protected by law or
regulation (HIPAA, GLB, FERPA, etc.) falls into 'Category A'
automatically. After that, we let the data owners classify their own
data and assess its importance, with the caveat that they have to
protect the data to the level of the assigned classification level. It's
a relatively new policy, however, and we're in the very early stages of
implementation.

 

Data Classification Policy:
http://www.ouhsc.edu/it/security/documents/Data_Classification_Policy.pdf

Data Classification Standard:
http://www.ouhsc.edu/it/security/documents/Data_Classification_Standard.pdf

 

Mike Waller   CISSP

Information Technology, Information Security Services

The University of Oklahoma Health Sciences Center

 

From: Tom Siu [mailto:thomas.siu () CASE EDU] 
Sent: Friday, July 28, 2006 2:56 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Data Classification

 

Hello,

 

With some background in Department of Defense R&D, I have taken a
tangent AWAY from the use of classifications that are the same as US
Government classifications in the higher education domain, to avoid any
misunderstandings when research grant and funding processes may be
involved. Therefore, I don't have the words "confidential, secret,
top-secret, tippy-top-secret" etc. in my taxonomy.

 

I've got Tier1, Tier2, and Tier3.

 

Using a little guidance from NIST SP 800-60
(http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V1-final.pdf)
, here is the matrix that helps define the categorization of data.

 

Tier   Category        Confidentiality   Integrity   Availability
----   -------------   ---------------   ---------   ------------
  1    Unrestricted    low               moderate    low
  2    Univ Internal   moderate          moderate    moderate
  3    Restricted      high              moderate    moderate

 

The CIA impacts are institution specific, but the categories seem to be
germane to many .edu workspaces.

 

Regards,

Tom

 

|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

   Tom Siu
   Chief Information Security Officer
   Case
   thomas.siu () case edu
   www.case.edu/its

|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
