Educause Security Discussion mailing list archives

Re: Data Classification: Legal criteria


From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Tue, 18 Mar 2008 16:05:59 -0700

Brian,
I was just at a presentation put on by Infragard that focused, in part, on
this subject.  I have also been involved dealing with similar situations in
the private sector.  What I recommend is that you extract applicable
requirements pertaining to data first, based on applicable regulations.
Essentially, develop a matrix that outlines what drives the different types
of security classifications.  Make sure to include State requirements,
where those are more stringent than the Federal ones.  Once you have your
matrix in place and it gets cleared through your legal department, then
define what will drive the various classifications.  For the most part, in
the private, non-government sector, you end up with privacy requirements
driving the strictest classifications.  Having said that, in this day and
age, don't forget to check on data related to sensitive, i.e. highly
dangerous, chemicals, lab specimens, etc., which your institution may store
or generate through labs on campus. Information on storage locations and
inventories may need to be secured as well.

Anyway, once you have your data broken down into its classification, walk
your way back through the data you collect and keep, the databases where
they are stored, etc., in order to validate your classification.
Essentially, you are almost doing an audit in reverse, starting with a large
quantity of data/sources/storage and then evaluating it in accordance with
your new classification.  If you do it in a structured, well documented
manner, you can even produce an audit document to guide future audits of
your data and systems, which can save you a great deal of money later on!

Finally, keep your matrix as a living document that you update as conditions
change.  That can really help you keep your policies up to date and your
data control compliant.

Hope it helps,

Ozzie Paez
SSE/CISSP
SAIC
303-332-5363

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Tuesday, March 18, 2008 11:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Data Classification: Legal criteria


 We are in the process of developing a data classification policy with
three types: public, internal, and confidential.

 The criteria or logic behind classifying confidential data is fairly
easy: FERPA, GLBA, PCI, etc, requires the confidentiality of certain
data types. Yet, I am not clear on the best external criteria to use for
classification of internal data. Peer institutions, "best practices" is
one thought, but I'm wondering what other objective criteria people have
employed for the justification of making certain kinds of data internal
as opposed to public. Let me know, thanks.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
