Re: Minimum Control Sets for Data Classifications

["Everett, Alex D" <alex.everett () UNC EDU>]

Martin:

Please see the link below.
We have basically two classifications: data that must be protected, and all other data.
There are minimum sets of controls for systems on our network.
The protected systems have a greater set of controls to meet.

http://its.unc.edu/ccm/groups/public/@its/documents/content/ccm1_033440.pdf

Sincerely,

Alex Everett, CISSP, CCNA
University of North Carolina
Chapel Hill

On Feb 23, 2012, at 11:54 AM, Martin Manjak wrote:

> Those of you who have implemented a data or asset classification schema,
> do you also have minimum control sets (admin, physical, technical) that
> are tied to each category of data?
>
> For example, if the data handled is categorized as "highly sensitive,"
> "confidential," or whatever label you've assigned to the data that
> presents the highest institutional risk, is there a minimum set of
> controls that have to be in place in the offices or business/academic
> units that routinely use this type of information?
>
> And if the answer is yes, would mind replying with a reference to those
> controls?
>
> Marty
> -- 
>
> Martin Manjak
> CISSP, GIAC GSEC-G
> Information Security Officer
> University at Albany
> MSC 209 518/437-3813
>
> The University at Albany will never ask you to reveal your password.
> Please ignore all such requests.

Sincerely,

Alex Everett, CISSP, CCNA
Information Security Office
University of North Carolina at Chapel Hill
919.445.9393