Re: Security of Research Data

[Jim Dillon <Jim.Dillon () CUSYS EDU>]

We have not approved the Institutional categories yet, although our
Boulder campus has a set of terms.  One piece of advice I was given by
our legal folks (by example/requirement!) in my prior corporate life was
to create classifications like COMPANY INTERNAL DATA and COMPANY
STRICTLY PRIVATE data and then define the terms.  The more common terms
mean so many different things to so many people, that by defining a
unique term and putting it in the glossary, you reduce confusion.  We
then had very clear instructions on how to handle each (e.g. when to
lock up, when it was OK to have stuff on your desk, what could leave the
facility, what could not.)  

In this way you get the opportunity to officially define the scope and
breadth of the terms in a specific fashion and pre-empt the excuses of
misunderstanding the generic term.

Perhaps this is the right answer for your institution.

Jim
*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************
 
 

-----Original Message-----
From: Howell, Paul [mailto:grue () UMICH EDU] 
Sent: Tuesday, September 05, 2006 7:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security of Research Data

 
Does your campus community intuitively understand the labels
"Confidential, Sensitive and Public", and what research (or other) data
fit into each category?

We've been using similar labels for a few years and still encounter
difficulties communicating the security around terms such as
"Confidential" & "Sensitive".  A common question is which one is higher?
We reverse the order here, "Sensitive, then Private/Confidential, then
Public", for example.

I wish that there were generally recognized labels that we could all use
and that were intuitive to the community.


< paul


> -----Original Message-----
> From: Steve Brukbacher [mailto:sab2 () UWM EDU]
> Sent: Friday, September 01, 2006 6:31 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Security of Research Data
>
> We're encouraging people to think in terms of data classification, 
> regardless of whether it is research data or HR data or any other 
> source.  We have a high-level information security policy pending 
> approval. Underneath that will be a data classification policy, system

> config guidelines, etc.
>
> In our proposed data classification guidelines, we state that research

> data should be considered sensitive data if it does not fall in to the

> higher category of confidential (based on a 3-tiered classification 
> scheme, (Confidential, Sensitive and Public).
>
> We've also implemented a file share program, Xythos to allow 
> researchers
>    to share information in a manner that is safer than sending thing 
> in email attachments or opening up an FTP port on a departmental 
> machine or email an unencrypted CD through the mail.  It allows users 
> granular control over what UWM users can access what folders/files and

> related permissions.  It also allows for the creation of tickets or 
> web links to documents.  While this gives whoever knows the link 
> access to the file, it can also be password protected.  As you might 
> imagine, good user training will be key here.
>
> We're working on developing requirements for laptop encryption apps 
> (preferably whole hard drive) as well and hope to have something 
> available to our users in the near future. We've seen an increase in 
> the number of research programs going mobile, so we are responding to 
> that increased risk.
>
>
> --
> Steve Brukbacher, CISSP
> University of Wisconsin Milwaukee
> Information Security Coordinator
> UWM Computer Security Web Site
> www.security.uwm.edu
> Phone: 414.229.2224
>
>
>
> Crawford, Tim M. wrote:
> > I'm curious to know what strategies others use to address
> research data. 
> > Is this something that you're addressing today? If so, how do you 
> > identify and protect accordingly?
> >  
> > Regards,
> >  
> > Tim
> >  
> > ______________________________________
> > /Tim M. Crawford/
> > /Associate Director, IT Operations/
> > /Stanford Graduate School of Business/ /650.724.2447/ 
> > /tcrawford () gsb stanford edu/
> <blocked::mailto:tcrawford () gsb stanford edu>
> >