Re: Data Classification

[WALTER KERNER <Walter_kerner () FITNYC EDU>]

We’re about 10,000 FTE, part of a state system.  For us, Info sec
participates in data governance but we are not the overall owners.  That
role is in the application world since they know more about what data will
be used for, which systems are systems of record versus copies or
derivatives, etc.







Walter



Walter Kerner

Assistant Vice President and CISO

212 217 3415

[image: blue and black logo two lines png]



*From:* The EDUCAUSE Security Community Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Jim A. Bole
*Sent:* Tuesday, September 03, 2019 10:40 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Data Classification



Some great examples of data classification policies.



I’m wondering about the governing body for data classification? Do
institutions have a governing body separate from information security? Or
does infosec wear both hats, especially at small institutions?



Jim Bole

Director of Information Security

*Stevenson University*

1525 Greenspring Valley Road

Stevenson, MD, 21153-0641

jbole () stevenson edu | O: 443-334-2696







*From:* The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Robert Smith
*Sent:* Friday, August 30, 2019 3:41 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: Data Classification



Hello,



Our Standard and Guide are on-line:

https://security.ucop.edu/policies/institutional-information-and-it-resource-classification.html
<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity.ucop.edu%2Fpolicies%2Finstitutional-information-and-it-resource-classification.html&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C852a397069d645857a5708d72d81f1e3%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637027908453075915&sdata=eU1wEXNX4R1BrfDLZCTsCeB82UXShf42iBjKif%2BDMyI%3D&reserved=0>



*Have a delightful day,*

Robert Smith, CISSP, PMP

*University of California Office of the President*

(510) 587-6244 (o)

robert.smith () ucop edu





*From:* The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Ullman, Catherine
*Sent:* Friday, August 30, 2019 12:26 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Data Classification



Hi Marty,



Here is our data classification policy:



http://www.buffalo.edu/administrative-services/policy1/ub-policy-lib/data-risk-classification.html
<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.buffalo.edu%2Fadministrative-services%2Fpolicy1%2Fub-policy-lib%2Fdata-risk-classification.html&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C852a397069d645857a5708d72d81f1e3%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637027908453085912&sdata=IO%2BcVCXD530uf4LfXpW01RvZiYrzPZzlfjcMjkCusi8%3D&reserved=0>



The chart found here:
http://www.buffalo.edu/ubit/information-for-it-staff/information-security/minimum-security-standards.html
<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.buffalo.edu%2Fubit%2Finformation-for-it-staff%2Finformation-security%2Fminimum-security-standards.html&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C852a397069d645857a5708d72d81f1e3%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637027908453095909&sdata=yqtjU%2B8UZx0Nh3nPLA4IuT5nwZSoRXYUkNpeAXCC16Q%3D&reserved=0>
is meant to help clarify the risks for a variety of risks and provide some
guidance on what needs to be done to secure the data.



I hope that helps.



Best,

Cathy





Dr. Catherine J Ullman

Senior Information Security Analyst

Information Security Office

University at Buffalo

cende () buffalo edu







*From:* The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Marty Leidner
*Sent:* Friday, August 30, 2019 2:50 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Data Classification



Good Afternoon



We at Rockefeller University are considering how to move forward with the
elusive goal/initiative of data classification, and would like to see how
others are addressing this. I would greatly appreciate if you could respond
to this brief survey. I will be happy to share the results with anyone who
is interested:



 1. Do you have a data classification policy on your website or intranet?

 2. Do you use any tools to enable your user community to classify their
data? If so, which ones? These could be enterprise tools, or even basic
tools that are built into other applications or platforms (e.g. Office365,
Box, etc.) 3. Do you enforce this policy, or in any way require data to be
classified?



Thanks , and I wish everyone a wonderful labor day,

Marty

,



Thank You,



Marty Leidner,  CISSP

Chief Information Security Officer

The Rockefeller University

Information Security

212-327-7372

http://it.rockefeller.edu/information-security
<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fit.rockefeller.edu%2Finformation-security&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C852a397069d645857a5708d72d81f1e3%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637027908453095909&sdata=%2BvN7G0dYcr0Rs6A9mIpdB4VkT2iMrGB8ymnDsh%2BhtGY%3D&reserved=0>

Protector of the cyber realm







**********
Replies to EDUCAUSE Community Group emails are sent to the entire community
list. If you want to reply only to the person who sent the message, copy
and paste their email address and forward the email reply. Additional
participation and subscription information can be found at
https://www.educause.edu/community
<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C852a397069d645857a5708d72d81f1e3%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637027908453105902&sdata=oVUgNl9xI4Kh6rbk9fIgDBS%2FdGNm4u9%2B%2FG%2BX9Z1%2BOBI%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community
list. If you want to reply only to the person who sent the message, copy
and paste their email address and forward the email reply. Additional
participation and subscription information can be found at
https://www.educause.edu/community
<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C852a397069d645857a5708d72d81f1e3%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637027908453105902&sdata=oVUgNl9xI4Kh6rbk9fIgDBS%2FdGNm4u9%2B%2FG%2BX9Z1%2BOBI%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community
list. If you want to reply only to the person who sent the message, copy
and paste their email address and forward the email reply. Additional
participation and subscription information can be found at
https://www.educause.edu/community
<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C852a397069d645857a5708d72d81f1e3%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637027908453115898&sdata=sAIHfXu5gfNrCIqa668Hcz1hSF6gl9H2nM0Msoa7fcQ%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community
list. If you want to reply only to the person who sent the message, copy
and paste their email address and forward the email reply. Additional
participation and subscription information can be found at
https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community