Educause Security Discussion mailing list archives
Re: Data Classification: Legal criteria
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Tue, 18 Mar 2008 12:07:29 -0700

David,

Right, this seems pretty standard. My question is: on what objective basis do you define information as internal? Thinking in terms of a public institution, how do you justify your right to control information when the law doesn't require it? For example, saying it is a business need, or what would happen should you do anything otherwise, doesn't satisfy the question: what criteria is being used?

Now, perhaps "best practice" is the best criteria, since this is the best expression of a business need. I'm just wondering if people have used other criteria as a means to justify this distinction?

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Kovarik
Sent: Tuesday, March 18, 2008 11:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Data Classification: Legal criteria

Here's what we've defined...

http://www.it.northwestern.edu/policies/dataaccess.html

Dave Kovarik, ISS/C
Northwestern University
Office: (847) 467-5930

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Tuesday, March 18, 2008 1:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Data Classification: Legal criteria

We are in the process of developing a data classification policy with three types: public, internal, and confidential. The criteria or logic behind classifying confidential data is fairly easy: FERPA, GLBA, PCI, etc, requires the confidentiality of certain data types.

Yet, I am not clear on the best external criteria to use for classification of internal data. Peer institutions, "best practices" is one thought, but I'm wondering what other objective criteria people have employed for the justification of making certain kinds of data internal as opposed to public.

Let me know, thanks.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College