Educause Security Discussion mailing list archives
Re: Data Classification: Legal criteria
From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Tue, 18 Mar 2008 16:05:59 -0700
Brian,

I was just at a presentation put on by Infragard that focused, in part, on this subject. I have also been involved dealing with similar situations in the private sector. What I recommend is that you extract applicable requirements pertaining to data first, based on applicable regulations. Essentially, develop a matrix that outlines what drives the different types of security classifications. Make sure and include State requirements, where those are more stringent than the Federal ones. Once you have your matrix in place and it gets cleared through your legal department, then define what will drive the various classifications.

For the most part, in the private, non-government sector, you end up with privacy requirements driving the strictest classifications. Having said that, in this day and age, don't forget to check on data related to sensitive, i.e. highly dangerous, chemicals, lab specimens, etc., which your institution may store or generate through labs on campus. Information on storage locations and inventories may need to be secured as well.

Anyway, once you have your data broken down into its classification, walk your way back through the data you collect and keep, the databases where they are stored, etc., in order to validate your classification. Essentially, you are almost doing an audit in reverse, starting with a large quantity of data/sources/storage and then evaluating it in accordance with your new classification. If you do it in a structured, well documented manner, you can even produce an audit document to guide future audits of your data and systems, which can save you a great deal of money later on!

Finally, keep your matrix as a living document that you update as conditions change. That can really help you keep your policies up to date and your data control compliant.
Hope it helps,

Ozzie Paez SSE/CISSP
SAIC
303-332-5363

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Tuesday, March 18, 2008 11:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Data Classification: Legal criteria

We are in the process of developing a data classification policy with three types: public, internal, and confidential. The criteria or logic behind classifying confidential data is fairly easy: FERPA, GLBA, PCI, etc., require the confidentiality of certain data types. Yet, I am not clear on the best external criteria to use for classification of internal data. Peer institutions, "best practices" is one thought, but I'm wondering what other objective criteria people have employed for the justification of making certain kinds of data internal as opposed to public.

Let me know, thanks.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College