Educause Security Discussion mailing list archives
Re: Data Classification
From: Brad Judy <brad.judy () CU EDU>
Date: Tue, 3 Sep 2019 14:58:54 +0000
While we aren’t a small school, we have a data governance policy (https://www.cu.edu/sites/default/files/6010.pdf) which establishes roles and responsibilities for data governance across our institutions. It’s described a bit on this webpage - https://www.cu.edu/ois/tools-and-services/data-governance The information security team created the initial three-tier data classification structure (https://www.cu.edu/ois/data-classifications-impact ) with discussion with stakeholders years ago. The data trustees/stewards in each area are then responsible for deciding the classification of their data within that guidance. While some things are fairly prescribed (like SSN and ePHI being highly confidential), there is a lot of room for people closer to the data (and related regulations) to determine the level of sensitivity. In the case of broad regulations, information security works with legal counsel to provide guidance to the data trustees about the impact to data classifications or other data decisions. Even at a small school, I like the idea of information security providing a structure that can be used by people closer to the data (within business/functional units) to classify their data. Brad Judy Information Security Officer Office of Information Security University of Colorado 1800 Grant Street, Suite 300 Denver, CO 80203 Office: (303) 860-4293 Fax: (303) 860-4302 www.cu.edu<http://www.cu.edu/> [cu-logo_fl] From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Jim A. Bole" <jbole () STEVENSON EDU> Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> Date: Tuesday, September 3, 2019 at 8:39 AM To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Data Classification Some great examples of data classification policies. I’m wondering about the governing body for data classification? Do institutions have a governing body separate from information security? Or does infosec wear both hats, especially at small institutions? Jim Bole Director of Information Security Stevenson University 1525 Greenspring Valley Road Stevenson, MD, 21153-0641 jbole () stevenson edu | O: 443-334-2696 From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Robert Smith Sent: Friday, August 30, 2019 3:41 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: Data Classification Hello, Our Standard and Guide are on-line: https://security.ucop.edu/policies/institutional-information-and-it-resource-classification.html<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity.ucop.edu%2Fpolicies%2Finstitutional-information-and-it-resource-classification.html&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C852a397069d645857a5708d72d81f1e3%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637027908453075915&sdata=eU1wEXNX4R1BrfDLZCTsCeB82UXShf42iBjKif%2BDMyI%3D&reserved=0> Have a delightful day, Robert Smith, CISSP, PMP University of California Office of the President (510) 587-6244 (o) robert.smith () ucop edu<mailto:robert.smith () ucop edu> From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Ullman, Catherine Sent: Friday, August 30, 2019 12:26 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Data Classification Hi Marty, Here is our data classification policy: http://www.buffalo.edu/administrative-services/policy1/ub-policy-lib/data-risk-classification.html<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.buffalo.edu%2Fadministrative-services%2Fpolicy1%2Fub-policy-lib%2Fdata-risk-classification.html&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C852a397069d645857a5708d72d81f1e3%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637027908453085912&sdata=IO%2BcVCXD530uf4LfXpW01RvZiYrzPZzlfjcMjkCusi8%3D&reserved=0> The chart found here: http://www.buffalo.edu/ubit/information-for-it-staff/information-security/minimum-security-standards.html<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.buffalo.edu%2Fubit%2Finformation-for-it-staff%2Finformation-security%2Fminimum-security-standards.html&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C852a397069d645857a5708d72d81f1e3%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637027908453095909&sdata=yqtjU%2B8UZx0Nh3nPLA4IuT5nwZSoRXYUkNpeAXCC16Q%3D&reserved=0> is meant to help clarify the risks for a variety of risks and provide some guidance on what needs to be done to secure the data. I hope that helps. Best, Cathy Dr. Catherine J Ullman Senior Information Security Analyst Information Security Office University at Buffalo cende () buffalo edu<mailto:cende () buffalo edu> From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Marty Leidner Sent: Friday, August 30, 2019 2:50 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [SECURITY] Data Classification Good Afternoon We at Rockefeller University are considering how to move forward with the elusive goal/initiative of data classification, and would like to see how others are addressing this. I would greatly appreciate if you could respond to this brief survey. I will be happy to share the results with anyone who is interested: 1. Do you have a data classification policy on your website or intranet? 2. Do you use any tools to enable your user community to classify their data? If so, which ones? These could be enterprise tools, or even basic tools that are built into other applications or platforms (e.g. Office365, Box, etc.) 3. Do you enforce this policy, or in any way require data to be classified? Thanks , and I wish everyone a wonderful labor day, Marty , Thank You, Marty Leidner, CISSP Chief Information Security Officer The Rockefeller University Information Security 212-327-7372 http://it.rockefeller.edu/information-security<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fit.rockefeller.edu%2Finformation-security&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C852a397069d645857a5708d72d81f1e3%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637027908453095909&sdata=%2BvN7G0dYcr0Rs6A9mIpdB4VkT2iMrGB8ymnDsh%2BhtGY%3D&reserved=0> Protector of the cyber realm ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C852a397069d645857a5708d72d81f1e3%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637027908453105902&sdata=oVUgNl9xI4Kh6rbk9fIgDBS%2FdGNm4u9%2B%2FG%2BX9Z1%2BOBI%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C852a397069d645857a5708d72d81f1e3%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637027908453105902&sdata=oVUgNl9xI4Kh6rbk9fIgDBS%2FdGNm4u9%2B%2FG%2BX9Z1%2BOBI%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C852a397069d645857a5708d72d81f1e3%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637027908453115898&sdata=sAIHfXu5gfNrCIqa668Hcz1hSF6gl9H2nM0Msoa7fcQ%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Re: Data Classification, (continued)
- Re: Data Classification Ullman, Catherine (Aug 30)
- Re: Data Classification Robert Smith (Aug 30)
- Re: Data Classification Jim A. Bole (Sep 03)
- Re: Data Classification Barton, Robert W. (Sep 03)
- Re: Data Classification WALTER KERNER (Sep 03)
- Re: Data Classification Robert Smith (Aug 30)
- Re: Data Classification Ullman, Catherine (Aug 30)
- Re: Data Classification Telfer, Will (Aug 30)
- Re: Data Classification Ken Connelly (Aug 30)
- Re: [External] [SECURITY] Data Classification Gregg, Christopher S. (Sep 03)
- Re: Data Classification Williams, Matthew (wilmh) (Sep 03)
- Re: Data Classification Darren Morris (Sep 03)
- Re: Data Classification Brad Judy (Sep 03)