Educause Security Discussion mailing list archives

Re: Data Classification: Legal criteria


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Tue, 18 Mar 2008 12:52:20 -0700

Thanks Bill, this should work quite well.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College

________________________________

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bill Badertscher
Sent: Tuesday, March 18, 2008 12:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Data Classification: Legal criteria

Hello,

FIPS 199 is an excellent resource and is associated with six other information-security-related documents.

The note below is excerpted from NIST 800-60:

"Note
NIST Special Publication (SP) 800-60 [Guide for Mapping Types of Information and Information Systems to Security Categories] may be used by organizations in conjunction with an emerging family of security-related publications including:


* FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004;
* NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems (Final public draft), April 2004;
* NIST SP 800-53, Recommended Security Controls for Federal Information Systems (Initial public draft), October 2003;
* NIST SP 800-53A, Techniques and Procedures for Verifying the Effectiveness of Security Controls in Information Systems (Initial public draft), Fall 2004;
* NIST SP 800-59, Guideline for Identifying an Information System as a National Security System, August 2003; and
* FIPS Publication 200, Minimum Security Controls for Federal Information Systems (Projected for publication, Fall 2005) [1]


This series of seven documents, when completed, is intended to provide a structured, yet flexible framework for selecting, specifying, employing, and evaluating the security controls in Federal information systems, and thus make a significant contribution toward satisfying the requirements of the Federal Information Security Management Act (FISMA) of 2002. We regret that all seven publications could not be released simultaneously. However, due to the current international climate and high priority of information security for the Federal government, we have decided to release the individual publications as they are completed. While the publications are mutually reinforcing and have some dependencies, in most cases they can be effectively used independently of one another.

This is Volume I of two volumes. It contains the basic guidelines for mapping types of information and information systems to security categories. The appendixes, including security categorization recommendations for mission-based information types and rationale for security categorization recommendations, are published as a separate volume.

The SP 800-60 information types and security impact levels are based on the OMB Federal Enterprise Architecture Program Management Office's Business Reference Model 2.0, inputs from participants in NIST SP 800-60 workshops, and FIPS 199. Rationale for the example impact level recommendations provided in the appendixes has been derived from multiple sources, and as such will require several iterations of review, comment, and subsequent modification to achieve consistency in terminology, structure, and content. The prerequisite role played by security categorization in selection of SP 800-53 security controls, and the importance of security controls in the protection of Federal information systems, demands early exposure to the community who will be employing those controls and thus motivated the release of this document at the earliest opportunity.

[1] FIPS Publication 200, Minimum Security Controls for Federal Information Systems, when published in 2005, will replace NIST Special Publication 800-53 and become a mandatory standard for Federal agencies in accordance with the Federal Information Security Management Act (FISMA) of 2002."
        
        
        
        
Doug Markiewicz wrote:

    Basgen, Brian wrote:

        We are in the process of developing a data classification policy with three types: public, internal, and confidential.

        The criteria or logic behind classifying confidential data is fairly easy: FERPA, GLBA, PCI, etc., require the confidentiality of certain data types. Yet, I am not clear on the best external criteria to use for classification of internal data. Peer institutions, "best practices" is one thought, but I'm wondering what other objective criteria people have employed for the justification of making certain kinds of data internal as opposed to public. Let me know, thanks.

    We are in the process of revamping our classification scheme as well. Our approach (pending approval, of course) will be to classify regulated data and leave everything else up to the data owner to classify. FIPS 199, with some guidelines on mapping it to your classification scheme, can be used to help data owners make the decision for themselves. Some universities have adopted the practice of assigning a default classification (e.g. Internal Use Only) to non-regulated data that has not been formally classified by its respective data owner. I'm pushing for a similar practice here.
                


--

William D. Badertscher BSIS, CPP, PMP
(formerly Couch)
Georgetown University Information Services
Senior Engineer for Safety and Facility Control Systems
3300 Whitehaven Street NW, Suite 2000
Washington, DC 20007
202-687-3541 (Office)
202-687-4790 (Direct)
202-731-2758 (Mobile)
202-687-1505 (Fax)
wdc8 () georgetown edu
http://georgetown.edu

