Data Classification Toolkit
Purpose
To compile resources pertaining to data classification in higher education. Although data classification is just one component of a comprehensive program to protect data, it is an important foundation. This Toolkit consolidates resources from the EDUCAUSE web site as well as from other sources, and organizes them into five basic steps.
Introduction
Data are some of the most valuable assets any institution of higher education owns, and, as is the case with all valuable assets, they need to be protected accordingly. What constitutes "accordingly" is mostly driven by legal, academic, financial and operational requirements and is based on the criticality and risk levels of the data. Protecting data assets while supporting academic, medical and research missions that require collaborative work and the open sharing of knowledge can be a difficult balancing act. One of the most important steps in protecting data appropriately is to determine classification levels for the data, and then to proceed with the actual classification of all of your valuable data assets.
The objective of the Data Classification Toolkit is to provide a body of information, resources, and guidance that can assist higher education officials in addressing the following questions regarding classifying data:
- Need: Why is it necessary or mandatory to classify data?
- Roles: Who should classify what data?
- Methods: How should data be classified?
- Are there any best (or common) practices available?
- Impact: What processes are dependent or impacted by data classification?
Steps
- Step 1: Determine the need and/or requirements for data classification
- Step 2: Determine the roles involved in data classification
- Step 3: Determine your institution's classification levels
- Step 4: Determine the methodology and procedures for classifying data
- Step 5: Determine and review other information security processes impacted by data classification
Step 1: Determine the need and/or requirements for data classification
Sub-Step |
Tips |
Resource |
Resource Type |
---|---|---|---|
1.1 There are laws, regulations, rules, or policies (federal, state and/or institutional) that require classification of data. |
|
|
|
|
|
Government |
|
|
|
Government |
|
|
|
Government |
|
|
|
Government |
|
b. There are probably State laws with regard to personal information, such as SSN, which, if compromised, would lead to consumer notification; there may also be rules regarding performance of periodic risk assessments, and the protection of such data accordingly. |
|
|
|
|
|
Government |
|
|
|
Government |
|
|
|
State of New York Information Security Breach and Notification Act |
Government |
|
|
Government |
|
c. These might be Institutional policies. |
|
|
|
1.2 In higher education institutions, where data stewardship is usually decentralized and where data is held by autonomous units, more guidance is needed than would be in an organization where data is completely centrally held and controlled. |
Policies and guidelines need to be very clearly worded for very different populations. For example: Faculty members and colleges may hold student grades. Researchers, who typically work with their own data and equipment, may need to meet information security requirements from granting agencies. In addition, data classification applies to all data at the institution, including not only centrally collected and managed data, but also data collected and managed within schools and departments. |
Higher Education |
|
1.3 Data classification assists in risk management. |
Risk assessments help organizations and/or departments determine the levels of security needed to safeguard their data appropriately and the best way to allocate scarce budget and staff resources. Almost no organization can afford to apply the highest levels of security to all data. Although risk assessment can be performed without formal data classification, formally classifying data enables organizations to prioritize which systems receive the most security resources, and thus manage risk appropriately. |
IT Risk Register, Phase 0: Strategic Risk Assessment Planning |
EDUCAUSE |
Step 2: Determine the roles involved in data classification
Sub-Step |
Tips |
Resource |
Resource Type |
---|---|---|---|
2.1 A number of terms are used to define the various roles and responsibilities. |
It is common for people to assume that since IT manages the system, IT owns the data, but this is dangerous since IT is not responsible for the function that uses the data. However, it can be difficult to get the appropriate owners to take on the responsibility. |
|
|
a. At the governance level, terms such as "Data Trustee," "Data Steward," or "Data Owner" are common. |
Start by asking these questions: |
EDUCAUSE |
|
|
|
Presentation: Who Owns the Data Anyway? Defining Data Stewardship |
EDUCAUSE |
|
|
Higher Education |
|
|
|
Higher Education |
|
b. At the management level, terms such as "Data Custodian" are common. |
These are the persons who are responsible for implementing the controls the owner identifies. Many places now distinguish between the Dean/Director/AVP who is ultimately responsible for the data and the person who supervises the data entry personnel (and is thus quite a bit lower down the hierarchy). |
Cornell University: Policy 4.12 Data Stewardship and Custodianship |
Higher Education |
c. At the operational level, terms such as "Data Custodian" or "Data User" are common. |
Identify those who actually "touch" the data (enter, delete, even read). |
Higher Education |
Step 3: Determine your institution's classification levels
Sub-Step |
Tips |
Resource |
Resource Type |
---|---|---|---|
3.1 Typically a number of "data classification levels" are identified by the institution. |
Keep it as simple as possible - don't create any more levels than you have to. Each level should be differentiated from the other by the different actions required to appropriately handle the data. |
Data Classification, Security, and Compliance: Helping Users Help Themselves (University of Michigan) |
Higher Education |
a. The levels are given appropriate names and definitions, and then each data element is classified into the proper level. Universities differ on how many levels are defined, although the most common number is three, four, or five. |
Use names that are very clear to users. For example, "restricted" and "sensitive" are very similar terms and would cause confusion if used for a medium and high level, respectively. Keep the highest level very high, because this level will cost a lot to secure. |
Higher Education |
|
|
|
The Ohio State University Data Element Classification Assignments |
Higher Education |
|
|
Stanford Data Classification, Access, Transmittal, and Storage Guidelines and Chart |
Higher Education |
|
|
Higher Education |
|
3.2 Check for state statutes that may already define some or all levels for you, and what words to use to describe the levels. State guidelines will most likely apply to state schools. |
|
Government |
|
3.3 Check for recognized standards that may already define some or all levels for you, and what words to use to describe the levels. |
|
FIPS 199: Standards for Security Categorization of Federal Information and Information Systems |
Government |
3.4 Consider using Confidentiality, Integrity, and Availability (CIA) as criteria to classify data. |
|
Presentation: Data Classification and Privacy: A Foundation for Compliance |
Higher Education |
Step 4: Determine the methodology and procedures for classifying data
Sub-Step |
Tips |
Resource |
Resource Type |
---|---|---|---|
4.1 How will you get started on your classification activities? |
This appears to be a huge project, if you consider all the data elements collected and used by a higher education institution. Institutions have used a number of techniques to make the task more manageable. |
Speaking the Same Language: Building a Data Governance Program for Institutional Impact (University of Notre Dame) |
Higher Education |
a. Establish a project team and start with a select few data areas. |
Many institutions start with centrally-held administrative data. Those who are responsible for establishing and maintaining appropriate data classification levels for centrally-held data are trained in how to do so; experience is gained with that project; and then this team provides training and guidance subsequently to each data owner to use for all other types of data elements, both centrally managed and managed within decentralized units. Note: Special projects can be planned to address research data, institutional data NOT in central control, and personal data held by staff such as contact data. |
Strategic Risk Management at California State University, Channel Islands |
Higher Education |
b. Assign a default classification |
The data classification policy could state that all data is classified at a particular level as the default. Then, only data that falls outside of this default level needs to be formally classified. |
Higher Education |
|
c. Provide basic policy and procedure documents and tools, and ask each data owner to work independently. |
|
Carnegie Mellon University: Guidelines for Data Classification |
Higher Education |
Step 5: Determine and review other information security processes impacted by data classification
Once you are done creating your classification scheme, what comes next? Data classification is usually one of the first steps in a long progression of activities to safeguard your data. The list below provides a checklist of other information security processes that may be impacted by data classification activities, but it does not attempt to provide full information on each of these other processes.
Sub-Step |
Tips |
Resource |
Resource Type |
---|---|---|---|
5.1 Access Management |
Determining who can access the data, and what they can do with it. |
EDUCAUSE |
|
5.2 Physical Security |
|
EDUCAUSE |
|
5.3 Risk Assessment |
|
EDUCAUSE |
|
5.4 Change Management Requirements |
|
Higher Education |
|
5.5 Training |
|
EDUCAUSE |
|
|
|
Higher Education |
|
5.6 Need for Policy and Procedures |
|
EDUCAUSE |
|
5.7 Need for Encryption |
Determining how data is appropriately secured both while at rest (in storage) and in transmission. |
EDUCAUSE |
|
5.8 Records Retention |
Determining how long each type of data should be stored. |
Higher Education |
|
5.9 Data Incident Handling and Response |
Determining what happens if/when data is lost, stolen, or compromised. |
Confidential Data Handling Blueprint |
EDUCAUSE |
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).