Does anyone have a really swell methodology for developing a data classification standard that engages the University population, e.g., faculty, researchers, and administrators?

 

Debra E. Dandridge, Ph.D., CISA

Lead IT Policy  Analyst

Information Technology Risk Management

Texas A&M University

College Station, TX  77843-3472

(979) 862-2601

ddandridge@tamu.edu

 

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.


Comments

I recommend the use of kevlar-based body armor. Also asbestos.

Geoff

PS If you find something, please let the rest of us know.

Geoffrey S. Nathan
Faculty Liaison, C&IT
and Professor, Linguistics Program
http://blogs.wayne.edu/proftech/
+1 (313) 577-1259 (C&IT)
+1 (313) 577-8621 (English/Linguistics)

From: "Debra Dandridge" <ddandridge@TAMU.EDU>
To: POLICY-DISCUSSION@LISTSERV.EDUCAUSE.EDU
Sent: Monday, April 23, 2012 10:11:53 AM
Subject: [POLICY-DISCUSSION] Data classification

Does anyone have a really swell methodology for developing a data classification standard that engages the University population, e.g., faculty, researchers, and administrators?

 

Debra E. Dandridge, Ph.D., CISA

Lead IT Policy  Analyst

Information Technology Risk Management

Texas A&M University

College Station, TX  77843-3472

(979) 862-2601

ddandridge@tamu.edu

 



********** Visit the EDUCAUSE Policy website at http://www.educause.edu/policy.

At Creighton, we developed our policy and standards in a vacuum and then shopped it around campus for comments and input. I don't know if this is the most efficient method of development but it gets done and allowed for the policy group to set the tone initially. We have had very little alteration from our original but it does take time for everyone to review.  

Bryan McLaughlin
Information Security Officer
Creighton University 

Personally, I like to include those emergency fire shelters they use for forest fire work…..

We have a standard we are happy to share, although I make no claims as to its ability to engage any segment of the population.  I'd be glad to discuss if it would be helpful.

Judy


Judith F. House
Associate University Information Security Officer
Georgetown University 
3300 Whitehaven St., NW #2000
Washington, DC 20007
Office:  202-687-6031
Cell:  202-230-2504





I'm afraid we're not much better. We tried the top down method but did not get very far. So we resorted to the grass roots effort and built a policy and shopped it around. That is in the process of being approved, but it seems to have been much more successful in our environment. Our approval process involves the various constituent groups you mention and having something to react to tends to produce quicker and more actionable feedback.

~Jeff

Jeff Durfee
Director, IT Security
University of North Florida
jdurfee@unf.edu
(904) 620-2820

-----Original Message-----
From: EDUCAUSE Policy Discussion Listserv [mailto:POLICY-DISCUSSION@LISTSERV.EDUCAUSE.EDU] On Behalf Of Judith House
Sent: Monday, April 23, 2012 10:41 AM
To: POLICY-DISCUSSION@LISTSERV.EDUCAUSE.EDU
Subject: Re: [POLICY-DISCUSSION] Data classification

Personally, I like to include those emergency fire shelters they use for forest fire work.....

We have a standard we are happy to share, although I make no claims as to its ability to engage any segment of the population. I'd be glad to discuss if it would be helpful.

Judy

Judith F. House
Associate University Information Security Officer
Georgetown University
3300 Whitehaven St., NW #2000
Washington, DC 20007
housej@georgetown.edu
Office: 202-687-6031
Cell: 202-230-2504

 

Hi Debra,

 

EDUCAUSE has a few Data Classification resources that may be of use to you.

 

Data Classification Toolkit – Its purpose is to compile resources pertaining to data classification in higher education. Although data classification is just one component of a comprehensive program to protect data, it is an important foundation

https://wiki.internet2.edu/confluence/display/itsg2/Data+Classification+Toolkit

 

And the general subject of Data Classification Policies http://www.educause.edu/Resources/Browse/Data%20Classification%20Policies/33402 includes publications, policies and presentations.

Please let me know if you have any questions, thank you.

Colleen Keller
Electronic Resources Librarian

  Uncommon Thinking for the Common Good

282 Century Place, Suite 5000, Louisville, CO 80027

Ph: (303) 939-0309 / Email: Ckeller@educause.edu / Twitter: @EDUCAUSElibrary

 

I suspect methodology will vary a fair bit from school to school depending on organizational structure and political environment. Our approach was similar to what others have noted in this thread - take our best guess at classification and shop it around to those we believed to be the key stakeholders. That best guess was based on a lot of prior work by other schools, much of which is publicly available. The end product did not vary significantly from our initial draft.

I think data classification is one of those areas where the 80/20 rule holds strongly - that is, you can come up with something to handle the major data types which are common throughout your organization with a reasonable amount of effort, but developing something which specifically addresses the requirements of every possible grant and research project would likely prove much more difficult.

One thing we did to keep the classification system practical was to develop the security standards (now called measures) we were going to attach to the various classifications in tandem with the classification system itself, which helped us spot areas where we had misclassified a data element. For example we wouldn't classify anything as Restricted unless we were ready to commit to storage and transit encryption for that data type. That helped us combat the "I swear, my data really is that important!" issue which over time can lead to a system weighted so heavily toward the most restrictive classification that it becomes meaningless.

For what it's worth Dan Adinolfi (Cornell), Chris Misra (UMass), and I presented on this topic a few years ago at the Educause Security Professionals Conference - you can review our presentations here:

http://www.educause.edu/Resources/SecurityStandardsComplexityIst/162968

Dan's had the most gory details on methodology and by far the best title: "Making Sausage at Cornell University".

NYU's Data Classification Table and associated Security Measures can be found at:

http://www.nyu.edu/its/policies/sec_ref.html
http://www.nyu.edu/its/policies/sec_datasys.html

I'm happy to provide more details on our process offline if you like.

Cheers,
Brian

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Smith-Sweeney
Project Lead
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I don't know that ours is particularly swell, but it does work. It is documented here, as our data classification standards were developed into policy: http://www.oakland.edu/uts/policies#governance

We met with all the committees described in the Governance document, with the purpose to just get input.  Then I drafted the policy.  Then I took it back to all the committees.  In general, our policy flow follows:

The governance process requires that the appropriate advisory committee first review and update the drafted policy. The policy approval process then flows:
  • University Senate Academic Computing Committee
  • Academic Council
  • Administrative Council with review by General Counsel
  • Academic Council, final read
  • President's Council, final approval
Theresa

I think ours is swell. It consists of 3 simple levels with relevant examples and references to applicable regulation.


Nathan

The actual policy has worked well for us and is at http://www.oakland.edu/policies/860/

Many thanks to everyone who responded about Data Classification.  All the responses were very helpful!

 

Debra

Texas A&M University

College Station, TX  77843-3472

(979) 862-2601

ddandridge@tamu.edu

 


We have not done any formal data classification.

I don’t think username is especially sensitive.

But…

It is my opinion that nothing external should need or use a person’s username.  If there is a choice I would not give it out or publish it in any way.  It is not ideal for display as it is typically not a full name or properly capitalized.  It is not ideal as an identifier as usernames tend to be subject to some expected amount of change due to name changes etc.  It could also be argued that username is sensitive with respect to security.

I would treat it as restricted data when possible.

 

John Baines, of N.C. State Security & Compliance, is working on an extensive data sensitivity framework. He has not published it online but you can contact him at john_baines@ncsu.edu


We’re working on finalizing our data classification policy, currently in revision 3. While ID numbers are considered highly sensitive data, our usernames are part of our email addresses, therefore easily accessible.

 

David Ludwig

Manager of Administrative Systems

Library & Information Systems, Middlebury College

 

NYU's data classification is at: http://www.nyu.edu/its/policies/sec_ref.html

- Gary


I was wondering if any schools have created a data classification policy and if so is it published online. One specific piece of information I would like to know about is how you may classify a person’s username. Would you give that out to anyone or would anyone be able to find it publicly or is it treated as more restricted data.

 

Thanks,

Paul Hodgdon

UNH Accounts Manager


Do you know if he intends on publishing it at some point?   I would hate to inundate him with requests if there is a plan for releasing it soon.


Dalhousie has the following Data Classification Schema published on our web site:

Anette Petersen
Project Manager

On 2013-02-07, at 12:55 PM, "Hodgdon, Paul" <Paul.Hodgdon@UNH.EDU> wrote:

I was wondering if any schools have created a data classification policy and if so is it published online. One specific piece of information I would like to know about is how you may classify a person’s username. Would you give that out to anyone or would anyone be able to find it publicly or is it treated as more restricted data.

 

Thanks,

Paul Hodgdon

UNH Accounts Manager

The New School's data classification is here:


Username is part of the email address (in our case), and is therefore considered unrestricted ("public", essentially) information.


--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu



Yes, at some point he will publish but I'm not sure when. He might be willing to share the current iteration by request.
