Educause Security Discussion mailing list archives

Re: Security of Research Data

From: Tracy Mitrano <tbm3 () CORNELL EDU>
Date: Tue, 12 Sep 2006 10:58:00 -0400

Here is what we have so far on that matter, Paul, and note that the
minimum security standards will exist as a url (at the bottom on the
page) not hard copy in order to accommodate changes in technology
that occur inevitably more quickly that the slow steps of
institutional policy.

http://www.cit.cornell.edu/oit/policy/drafts/InstData.html

Best, Tracy


On Sep 12, 2006, at 10:16 AM, Howell, Paul wrote:

So labeling by itself doesn't add a lot of value.  Can some of the
instutions that have implemented  operational activities including
security guidelines outline the approach used and how it works?

Paul Howell, CISSP
Chief Information Technology Security Officer
The University of Michigan
Contact information is at: http://tinyurl.com/477bc

-----Original Message-----
From: Sadler, Connie [mailto:Connie_Sadler () BROWN EDU]
Sent: Monday, September 11, 2006 1:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security of Research Data

We use "public", "regulated" and anything else is "confidential".
It's
not perfect, but it seems to be working so far, even tho
regulated data
is automatically also confidential. We think it is important for
individuals who generate or manage or have access to regulated
data to
know it - and also that they know what they are expected to do to
comply.

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
IT Security Officer
Brown University Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
Office: 401-863-7266

-----Original Message-----
From: Delaney, Cherry L. [mailto:cdelaney () PURDUE EDU]
Sent: Wednesday, September 06, 2006 8:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security of Research Data

We use Public, Sensitive and Restricted as our categories and they
are
well defined.

Cherry
-----Original Message-----
From: Howell, Paul [mailto:grue () UMICH EDU]
Sent: Tuesday, September 05, 2006 9:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security of Research Data

Does your campus community intuitively understand the labels
"Confidential, Sensitive and Public", and what research (or
other) data
fit into each category?

We've been using similar labels for a few years and still encounter
difficulties communicating the security around terms such as
"Confidential" & "Sensitive".  A common question is which one
is higher?
We reverse the order here, "Sensitive, then Private/Confidential,
then
Public", for example.

I wish that there were generally recognized labels that we
could all use
and that were intuitive to the community.

< paul

-----Original Message-----
From: Steve Brukbacher [mailto:sab2 () UWM EDU]
Sent: Friday, September 01, 2006 6:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security of Research Data

We're encouraging people to think in terms of data classification,
regardless of whether it is research data or HR data or any other
source.  We have a high-level information security policy pending
approval. Underneath that will be a data classification

policy, system

config guidelines, etc.

In our proposed data classification guidelines, we state

that research

data should be considered sensitive data if it does not

fall in to the

higher category of confidential (based on a 3-tiered classification
scheme, (Confidential, Sensitive and Public).

We've also implemented a file share program, Xythos to allow
researchers
   to share information in a manner that is safer than

sending thing

in email attachments or opening up an FTP port on a departmental
machine or email an unencrypted CD through the mail.  It

allows users

granular control over what UWM users can access what

folders/files and

related permissions.  It also allows for the creation of tickets or
web links to documents.  While this gives whoever knows the link
access to the file, it can also be password protected.  As

you might

imagine, good user training will be key here.

We're working on developing requirements for laptop encryption apps
(preferably whole hard drive) as well and hope to have something
available to our users in the near future. We've seen an

increase in

the number of research programs going mobile, so we are

responding to

that increased risk.


--
Steve Brukbacher, CISSP
University of Wisconsin Milwaukee
Information Security Coordinator
UWM Computer Security Web Site
www.security.uwm.edu
Phone: 414.229.2224



Crawford, Tim M. wrote:

I'm curious to know what strategies others use to address

research data.

Is this something that you're addressing today? If so, how do you
identify and protect accordingly?

Regards,

Tim

______________________________________
/Tim M. Crawford/
/Associate Director, IT Operations/
/Stanford Graduate School of Business/ /650.724.2447/
/tcrawford () gsb stanford edu/

<blocked::mailto:tcrawford () gsb stanford edu>

Current thread:

Security of Research Data Crawford, Tim M. (Aug 31)
- <Possible follow-ups>
- Re: Security of Research Data Jim Dillon (Sep 01)
- Re: Security of Research Data Steve Brukbacher (Sep 01)
- Re: Security of Research Data Howell, Paul (Sep 05)
- Re: Security of Research Data Brad Judy (Sep 05)
- Re: Security of Research Data William Custer (Sep 05)
- Re: Security of Research Data Jim Dillon (Sep 05)
- Re: Security of Research Data Delaney, Cherry L. (Sep 06)
- Re: Security of Research Data Sadler, Connie (Sep 11)
- Re: Security of Research Data Howell, Paul (Sep 12)
- Re: Security of Research Data Tracy Mitrano (Sep 12)
- Re: Security of Research Data Crawford, Tim M. (Sep 12)
- Re: Security of Research Data Howell, Paul (Sep 13)
- Re: Security of Research Data Tracy Mitrano (Sep 13)
- Re: Security of Research Data Tracy Mitrano (Sep 13)
- Re: Security of Research Data Crawford, Tim M. (Sep 13)
- Re: Security of Research Data Joseph Clark (Sep 14)
- Re: Security of Research Data Basgen, Brian (Sep 15)
- Re: Security of Research Data Tom Siu (Sep 18)