Educause Security Discussion mailing list archives

Re: Data Classification: Legal criteria


From: David Kovarik <david-kovarik () NORTHWESTERN EDU>
Date: Tue, 18 Mar 2008 14:46:58 -0500

Brian - This is certainly less than scientific but I'll impart what I
know...
The "public" and "legally/contractually restricted" are probably the easiest
to determine.
Being a private institution, we've more leeway in determining data that is
"Internal".
For example, we'd consider these Internal...
- network diagrams, configurations and settings, steps or process executed
in incident response, results of audits or assessments, reports on security
incidents, salary information, departmental budgets, pending job offers,
etc.

At this juncture, I'd suggest that the Internal classification is based on a
combination of "best practice", experience, recommendation of data owners
(the "business need"), and common sense. As mentioned, less than
scientific, but appears to work.
Hope this helps - Dave

Dave Kovarik, ISS/C
Northwestern University
Office: (847) 467-5930

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Tuesday, March 18, 2008 2:07 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Data Classification: Legal criteria

David,

Right, this seems pretty standard. My question is: on what objective basis
do you define information as internal? Thinking in terms of a public
institution, how do you justify your right to control information when the
law doesn't require it?

For example, saying it is a business need, or what would happen should you
do anything otherwise, doesn't satisfy the question: what criteria are being
used? Now, perhaps "best practice" is the best criterion, since this is the
best expression of a business need. I'm just wondering if people have used
other criteria as a means to justify this distinction.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Kovarik
Sent: Tuesday, March 18, 2008 11:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Data Classification: Legal criteria

Here's what we've defined...

http://www.it.northwestern.edu/policies/dataaccess.html


Dave Kovarik, ISS/C
Northwestern University
Office: (847) 467-5930

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Tuesday, March 18, 2008 1:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Data Classification: Legal criteria

We are in the process of developing a data classification policy with
three types: public, internal, and confidential.

The criteria or logic behind classifying confidential data is fairly
easy: FERPA, GLBA, PCI, etc., require the confidentiality of certain
data types. Yet, I am not clear on the best external criteria to use
for classification of internal data. Peer institutions' "best
practices" is one thought, but I'm wondering what other objective
criteria people have employed for the justification of making certain
kinds of data internal as opposed to public. Let me know, thanks.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
