Educause Security Discussion mailing list archives

Risk-based approach to applying security controls to PII based on sensitivity and quantity

From: "Carson, Larry" <larry.carson () UBC CA>
Date: Thu, 9 Jan 2014 18:27:53 +0000

We are currently undertaking a major initiative to enhance our existing
information security standards which will enable us to further align them
with ISO 27005 and integrate additional security requirements which we feel
reflect the current and foreseeable security risk landscape for the
University and the higher education sector in general.

 

To facilitate a risk-based approach and ensure reasonable controls are
required in the UBC standards, we have created a data classification scheme
which comprises confidential, sensitive and public categories. Our legally
protected personal information currently all falls under the confidential
category, along with the PCI regulated data.  This category has the highest
level of control requirements, which corresponds well to the Internet2 &
HEISC Information Security Guide. 

 

One of the key challenges we are facing is ensuring that 'reasonable
security measures' are implemented and given that there is a significant
range of risk for different types of personal information (e.g. personal
health information and employee SIN numbers could result in greater adverse
consequences if stolen than a list of student names and numbers).
Therefore, we are trying to figure out the best way to further embed a risk
based approach into protecting this personal information based on its
sensitivity and quantity.  We are considering approaches that include
applying a reasonable test to personal information so that if it is a small
amount or of lower sensitivity then less control would be required -  but
the practicality of embedding this into the standards in a simple user
friendly manner is not so straightforward.

 

Therefore, we are hoping to hear from those of us who have also been
challenged with these issues and have figured out a workable solution.

 

 

 

Larry

 

---

Larry Carson

Associate Director, Information Security Management

Information Technology | Engage. Envision. Enable.

The University of British Columbia

Tel: 604.822.0773 | Twitter: @L4rryC4rson

Attachment: smime.p7s
Description:

Current thread:

Risk-based approach to applying security controls to PII based on sensitivity and quantity Carson, Larry (Jan 09)