Educause Security Discussion mailing list archives

Re: Data Classification: Legal criteria


From: Bill Badertscher <wdc8 () GEORGETOWN EDU>
Date: Tue, 18 Mar 2008 15:38:54 -0400

Hello,

FIPS 199 is an excellent resource and is associated with six other
information security related documents.

The note below is excerpted from NIST 800-60:


"Note
NIST Special Publication (SP) 800-60 [Guide for Mapping Types of
Information and Information Systems to Security Categories] may be used
by organizations in conjunction with an emerging family of
security-related publications including:

   * FIPS Publication 199, Standards for Security Categorization of
     Federal Information and Information Systems, February 2004;

   * NIST SP 800-37, Guide for the Security Certification and
     Accreditation of Federal Information Systems (Final public draft),
     April 2004;

   * NIST SP 800-53, Recommended Security Controls for Federal
     Information Systems, (Initial public draft), October 2003.

   * NIST SP 800-53A, Techniques and Procedures for Verifying the
     Effectiveness of Security Controls in Information Systems (Initial
     public draft), Fall 2004;

   * NIST SP 800-59, Guideline for Identifying an Information System as
     a National Security System, August 2003; and

   * FIPS Publication 200, Minimum Security Controls for Federal
     Information Systems, (Projected for publication, Fall 2005)[1]


This series of seven documents, when completed, is intended to provide a
structured, yet flexible framework for selecting, specifying, employing,
and evaluating the security controls in Federal information
systems---and thus, make a significant contribution toward satisfying
the requirements of the Federal Information Security Management Act
(FISMA) of 2002. We regret that all seven publications could not be
released simultaneously. However, due to the current international
climate and high priority of information security for the Federal
government, we have decided to release the individual publications as
they are completed. While the publications are mutually reinforcing and
have some dependencies, in most cases, they can be effectively used
independently of one another.

This is Volume I of two volumes. It contains the basic guidelines for
mapping types of information and information systems to security
categories. The appendixes, including security categorization
recommendations for mission-based information types and rationale for
security categorization recommendations, are published as a separate volume.

The SP 800-60 information types and security impact levels are based on
the OMB Federal Enterprise Architecture Program Management Office's
Business Reference Model 2.0, inputs from participants in NIST SP 800-60
workshops, and FIPS 199. Rationale for the example impact level
recommendations provided in the appendixes have been derived from
multiple sources, and as such, will require several iterations of
review, comment, and subsequent modification to achieve consistency in
terminology, structure, and content. The prerequisite role played by
security categorization in selection of SP 800-53 security controls, and
the importance of security controls in the protection of Federal
information systems, demands early exposure to the community who will be
employing those controls and thus, motivated the release of this
document at the earliest opportunity.
[1] FIPS Publication 200, Minimum Security Controls for Federal
Information Systems, when published in 2005, will replace NIST Special
Publication 800-53 and become a mandatory standard for Federal agencies
in accordance with the Federal Information Security Management Act
(FISMA) of 2002."




Doug Markiewicz wrote:
Basgen, Brian wrote:
 We are in the process of developing a data classification policy with
three types: public, internal, and confidential.

 The criteria or logic behind classifying confidential data is fairly
easy: FERPA, GLBA, PCI, etc, requires the confidentiality of certain
data types. Yet, I am not clear on the best external criteria to use for
classification of internal data. Peer institutions, "best practices" is
one thought, but I'm wondering what other objective criteria people have
employed for the justification of making certain kinds of data internal
as opposed to public. Let me know, thanks.

We are in the process of revamping our classification scheme as well.
Our approach (pending approval of course) will be to classify
regulated data and leave everything else up to the data owner to
classify.  FIPS 199 with some guidelines on mapping it to your
classification scheme can be used to help data owners make the
decision for themselves.  Some Universities have adopted the practice
of assigning a default classification (e.g. Internal Use Only) to
non-regulated data that has not been formally classified by its
respective data owner.  I'm pushing for a similar practice here.

--

William D. Badertscher BSIS, CPP, PMP
(formerly Couch)
Georgetown University Information Services
Senior Engineer for Safety and Facility Control Systems
3300 Whitehaven Street NW, Suite 2000
Washington, DC 20007
202-687-3541 (Office)
202-687-4790 (Direct)
202-731-2758 (Mobile)
202-687-1505 (Fax)
wdc8 () georgetown edu
http://georgetown.edu
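The approach discussed in the quoted reply (classify regulated data outright, let data owners categorize the rest with FIPS 199, and fall back to a default such as "Internal Use Only" when nothing has been assigned) can be written down as a small decision routine. The following is an added example, not code from the thread or from NIST: it implements the FIPS 199 security category triple with its high-water-mark rules, and the mapping from the owner's confidentiality impact level to the public/internal/confidential tiers is an assumption of this example, not anything FIPS 199 specifies.

```python
"""FIPS 199 security categorization mapped to a three-tier data classification.

Added example for the mailing-list discussion above; the tier mapping and the
set of regulations are assumptions, not part of FIPS 199 or SP 800-60.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# FIPS 199 potential impact values. "n/a" is permitted only for the
# confidentiality objective (information the organization designates as public).
IMPACT_RANK = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class SecurityCategory:
    """SC = {(confidentiality, x), (integrity, y), (availability, z)}."""
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in IMPACT_RANK:
                raise ValueError(f"{objective}: unknown impact level {level!r}")
            if level == "n/a" and objective != "confidentiality":
                raise ValueError("n/a is only allowed for confidentiality (FIPS 199)")

    def overall_impact(self) -> str:
        """High-water mark across the three objectives: the single level that
        FIPS 200 / SP 800-53 use to select a control baseline."""
        return max((getattr(self, o) for o in OBJECTIVES), key=IMPACT_RANK.__getitem__)

    def __str__(self) -> str:
        return (f"SC = {{(confidentiality, {self.confidentiality}), "
                f"(integrity, {self.integrity}), (availability, {self.availability})}}")


def aggregate(categories: Iterable[SecurityCategory]) -> SecurityCategory:
    """System-level category: per-objective high-water mark over all the
    information types the system handles (FIPS 199, section 3)."""
    cats = list(categories)
    if not cats:
        raise ValueError("a system must handle at least one information type")

    def pick(objective: str) -> str:
        return max((getattr(c, objective) for c in cats), key=IMPACT_RANK.__getitem__)

    return SecurityCategory(*(pick(o) for o in OBJECTIVES))


# Assumed mapping from the owner's FIPS 199 confidentiality impact level to the
# three-tier scheme from the thread. Any institution would set its own.
CONFIDENTIALITY_TO_TIER = {
    "n/a": "public",
    "low": "internal",
    "moderate": "confidential",
    "high": "confidential",
}
DEFAULT_TIER = "internal"  # "Internal Use Only" default for never-classified data
REGULATED = {"FERPA", "GLBA", "PCI"}  # regulations named in the thread (assumed list)


def classify(regulations: Iterable[str], owner_category: Optional[SecurityCategory]) -> str:
    """Regulated data is confidential regardless of the owner's assessment;
    unregulated data uses the owner's FIPS 199 category, or the default tier
    if the owner has not categorized it yet."""
    if set(regulations) & REGULATED:
        return "confidential"
    if owner_category is None:
        return DEFAULT_TIER
    return CONFIDENTIALITY_TO_TIER[owner_category.confidentiality]


if __name__ == "__main__":
    # Constructed sample: a departmental system holding two information types.
    course_catalog = SecurityCategory("n/a", "moderate", "low")
    grade_records = SecurityCategory("moderate", "moderate", "low")
    system = aggregate([course_catalog, grade_records])
    print(system, "-> overall impact:", system.overall_impact())
    print("catalog tier:", classify([], course_catalog))
    print("grades tier:", classify(["FERPA"], grade_records))
    print("unclassified tier:", classify([], None))
```

The `aggregate` step is the part owners most often get wrong: a system's category is the per-objective maximum over everything it stores, so a public catalog co-hosted with regulated records inherits the records' level rather than the other way round.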
