Educause Security Discussion mailing list archives
Risk-based approach to applying security controls to PII based on sensitivity and quantity
From: "Carson, Larry" <larry.carson () UBC CA>
Date: Thu, 9 Jan 2014 18:27:53 +0000
We are currently undertaking a major initiative to enhance our existing information security standards, which will enable us to further align them with ISO 27005 and integrate additional security requirements which we feel reflect the current and foreseeable security risk landscape for the University and the higher education sector in general.

To facilitate a risk-based approach and ensure reasonable controls are required in the UBC standards, we have created a data classification scheme which comprises confidential, sensitive and public categories. Our legally protected personal information currently all falls under the confidential category, along with the PCI regulated data. This category has the highest level of control requirements, which corresponds well to the Internet2 & HEISC Information Security Guide.

One of the key challenges we are facing is ensuring that 'reasonable security measures' are implemented, given that there is a significant range of risk for different types of personal information (e.g. personal health information and employee SIN numbers could result in greater adverse consequences if stolen than a list of student names and numbers). Therefore, we are trying to figure out the best way to further embed a risk-based approach into protecting this personal information based on its sensitivity and quantity.

We are considering approaches that include applying a reasonableness test to personal information so that if it is a small amount or of lower sensitivity then less control would be required - but the practicality of embedding this into the standards in a simple, user-friendly manner is not so straightforward. Therefore, we are hoping to hear from those of us who have also been challenged with these issues and have figured out a workable solution.

Larry

---
Larry Carson
Associate Director, Information Security Management
Information Technology | Engage. Envision. Enable.
The University of British Columbia
Tel: 604.822.0773 | Twitter: @L4rryC4rson