Educause Security Discussion mailing list archives

Re: Data Classification and Storage Environments


From: "SCHALIP, MICHAEL" <mschalip () CNM EDU>
Date: Mon, 6 Feb 2012 12:51:42 -0700

Sorry.....but, to me that sounds like too much of a shotgun approach.  I'd be hard pressed to equate the lunch menu 
from the cafeteria to someone's social security number on a form.  I've always felt that there has to be some varying 
levels of protection, but mixed in with some sense of reality and common sense.....protecting data usually comes back to 
having a clear definition of your protections required on specific data classifications - and making sure that the 
users are clear on what those definitions mean to them and their business unit - and then giving them the technological 
means of meeting your policy requirements....

Protect the SSN.....don't worry about the lunch menu.....;-)

Just my $.02.....

M

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Robert 
Meyers
Sent: Monday, February 06, 2012 12:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Data Classification and Storage Environments

I've heard the argument two ways:

1) Attempting to secure ALL data at the same high level is futile, and
2) Applying different levels of security to different data classifications leaves high security data open to disclosure 
if incorrectly classified, or provides an unexpected back door to climb upwards in the system.

In my personal opinion, lock it all down at the highest security level and sleep better at night.

Bob




Robert E. Meyers,  Ms.Ed.
Educational Program Manager
  Office of Information Security
West Virginia University
office: (304) 293-8502
remeyers () mail wvu edu


On Monday, February 06, 2012 at 2:15 PM, "McLaughlin, Bryan S." <bmclaughlin () CREIGHTON EDU> wrote:
We have a single SAN environment where all data is co-mingled.  I am wondering how many other Universities have taken 
steps to separate their data logically or physically so additional security can be added to data with higher sensitivity 
ratings?  I would be interested in learning what others have implemented to apply appropriate data handling procedures 
to their data at rest.

Thanks,

Bryan McLaughlin
Information Security Officer
Creighton University
bmclaughlin () creighton edu

Security Tip: No matter how authentic the request appears, if you are asked in an email or via the phone to provide 
your password - it is a SCAM.



--
This message has been scanned for viruses and
dangerous content by MailScanner<http://www.mailscanner.info/>, and is
believed to be clean.


