Re: Security of Research Data

["Crawford, Tim M." <tcrawford () GSB STANFORD EDU>]

First, thanks to everyone that responded to my first inquiry about the
security of research data.

I agree with Paul that the mere labeling is only one part of the
equation. I'm curious as well on what operational processes may have
been instituted to identify data that is coming into the institution and
how it is protected.

Tim 

-----Original Message-----
From: Howell, Paul [mailto:grue () UMICH EDU] 
Sent: Tuesday, September 12, 2006 7:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security of Research Data

So labeling by itself doesn't add a lot of value.  Can some of the
instutions that have implemented  operational activities including
security guidelines outline the approach used and how it works?

Paul Howell, CISSP
Chief Information Technology Security Officer The University of Michigan
Contact information is at: http://tinyurl.com/477bc
  
 

> -----Original Message-----
> From: Sadler, Connie [mailto:Connie_Sadler () BROWN EDU]
> Sent: Monday, September 11, 2006 1:42 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Security of Research Data
>
>  
> We use "public", "regulated" and anything else is "confidential". It's

> not perfect, but it seems to be working so far, even tho regulated 
> data is automatically also confidential. We think it is important for 
> individuals who generate or manage or have access to regulated data to

> know it - and also that they know what they are expected to do to 
> comply.
>
> Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC IT Security Officer Brown

> University Box 1885, Providence, RI 02912 Connie_Sadler () Brown edu
> Office: 401-863-7266
>
>
> -----Original Message-----
> From: Delaney, Cherry L. [mailto:cdelaney () PURDUE EDU] 
> Sent: Wednesday, September 06, 2006 8:49 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Security of Research Data
>
> We use Public, Sensitive and Restricted as our categories and they are
> well defined. 
>
>
> Cherry
> -----Original Message-----
> From: Howell, Paul [mailto:grue () UMICH EDU]
> Sent: Tuesday, September 05, 2006 9:14 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Security of Research Data
>
>  
> Does your campus community intuitively understand the labels
> "Confidential, Sensitive and Public", and what research (or 
> other) data
> fit into each category?
>
> We've been using similar labels for a few years and still encounter
> difficulties communicating the security around terms such as
> "Confidential" & "Sensitive".  A common question is which one 
> is higher?
> We reverse the order here, "Sensitive, then Private/Confidential, then
> Public", for example.
>
> I wish that there were generally recognized labels that we 
> could all use
> and that were intuitive to the community.
>
>
> < paul
>
>
> > -----Original Message-----
> > From: Steve Brukbacher [mailto:sab2 () UWM EDU]
> > Sent: Friday, September 01, 2006 6:31 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Security of Research Data
> >
> > We're encouraging people to think in terms of data classification, 
> > regardless of whether it is research data or HR data or any other 
> > source.  We have a high-level information security policy pending 
> > approval. Underneath that will be a data classification 
> policy, system
>
> > config guidelines, etc.
> >
> > In our proposed data classification guidelines, we state 
> that research
>
> > data should be considered sensitive data if it does not 
> fall in to the
>
> > higher category of confidential (based on a 3-tiered classification 
> > scheme, (Confidential, Sensitive and Public).
> >
> > We've also implemented a file share program, Xythos to allow 
> > researchers
> >    to share information in a manner that is safer than 
> sending thing 
> > in email attachments or opening up an FTP port on a departmental 
> > machine or email an unencrypted CD through the mail.  It 
> allows users 
> > granular control over what UWM users can access what 
> folders/files and
>
> > related permissions.  It also allows for the creation of tickets or 
> > web links to documents.  While this gives whoever knows the link 
> > access to the file, it can also be password protected.  As 
> you might 
> > imagine, good user training will be key here.
> >
> > We're working on developing requirements for laptop encryption apps 
> > (preferably whole hard drive) as well and hope to have something 
> > available to our users in the near future. We've seen an 
> increase in 
> > the number of research programs going mobile, so we are 
> responding to 
> > that increased risk.
> >
> >
> > --
> > Steve Brukbacher, CISSP
> > University of Wisconsin Milwaukee
> > Information Security Coordinator
> > UWM Computer Security Web Site
> > www.security.uwm.edu
> > Phone: 414.229.2224
> >
> >
> >
> > Crawford, Tim M. wrote:
> > > I'm curious to know what strategies others use to address
> > research data. 
> > > Is this something that you're addressing today? If so, how do you 
> > > identify and protect accordingly?
> > >  
> > > Regards,
> > >  
> > > Tim
> > >  
> > > ______________________________________
> > > /Tim M. Crawford/
> > > /Associate Director, IT Operations/
> > > /Stanford Graduate School of Business/ /650.724.2447/ 
> > > /tcrawford () gsb stanford edu/
> > <blocked::mailto:tcrawford () gsb stanford edu>
> > >