Educause Security Discussion mailing list archives

Re: Data Classification: Legal criteria


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 18 Mar 2008 19:21:12 -0400

On Tue, 18 Mar 2008 16:05:59 PDT, Ozzie Paez said:

> driving the strictest classifications.  Having said that, in this day and
> age, don't forget to check on data related to sensitive, i.e. highly
> dangerous, chemicals, lab specimens, etc., which your institution may store
> or generate through labs on campus. Information on storage locations and
> inventories may need to be secured as well.

On the flip side - keep in mind that in some cases, such info either has to be
or at least should be shared with some groups.  For instance, the local fire
department would likely want to know if they're about to walk into a hazmat
situation when responding to an alarm...

In general, make sure that your data classification is along *3* orthogonal
dimensions:  sensitivity, integrity, and availability.

After all, if you're going through all your data and sticking a "sensitivity"
label on it, you may as well assess the integrity and availability requirements
as well.  You probably have data that is totally anti-sensitive, has fairly
high integrity requirements, and insane availability - for example, your
phone directory.  It's the opposite of sensitive, you can tolerate a *few*
errors in it, but if you suddenly lose it, your organization is in trouble.

Among other things, evaluating the other two dimensions will come in handy
if/when it comes time to review your disaster recovery plans - at that point,
you'll be wishing you had a good overview of what the availability requirements
for each piece of data are....
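The three-dimension scheme described in the message, as an added illustration that is not part of the original thread: each asset is rated separately for sensitivity, integrity and availability, and the phone-directory case shows why a sensitivity-only label gives the wrong disaster-recovery ordering. The inventory, the 0..3 levels and the control mapping are constructed assumptions, not anything from the list or any institution's policy.

```python
from dataclasses import dataclass

# Levels for every dimension (assumed scale): 0 = none/public, 1 = low,
# 2 = moderate, 3 = high.
LEVELS = range(4)


@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: int   # harm if disclosed
    integrity: int     # harm if silently altered
    availability: int  # harm if unavailable

    def __post_init__(self):
        # Reject a rating outside the scale so a typo cannot silently demote an asset.
        for dim in ("sensitivity", "integrity", "availability"):
            if getattr(self, dim) not in LEVELS:
                raise ValueError(f"{self.name}: {dim} must be in 0..3")


# Constructed sample inventory; the phone directory is the case from the post.
INVENTORY = [
    Asset("student health records", sensitivity=3, integrity=3, availability=2),
    Asset("hazmat storage inventory", sensitivity=2, integrity=3, availability=3),
    Asset("campus phone directory", sensitivity=0, integrity=2, availability=3),
    Asset("public event calendar", sensitivity=0, integrity=1, availability=1),
]


def sensitivity_only_order(assets):
    """What a one-dimensional 'sensitivity' label would prioritise."""
    return [a.name for a in sorted(assets, key=lambda a: -a.sensitivity)]


def dr_review_order(assets):
    """Disaster-recovery review order: availability first, then integrity."""
    return [a.name for a in sorted(assets, key=lambda a: (-a.availability, -a.integrity))]


def required_controls(asset):
    """Map each dimension's level to the control family it drives (assumed mapping)."""
    controls = []
    if asset.sensitivity >= 2:
        controls.append("access-restricted, encrypted at rest")
    if asset.integrity >= 2:
        controls.append("change-controlled, tamper-evident (hashes, audit log)")
    if asset.availability >= 2:
        controls.append("backed up with tested restore; redundancy at level 3")
    return controls
```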
