Re: Security of Research Data

["Howell, Paul" <grue () UMICH EDU>]

Does your campus community intuitively understand the labels
"Confidential, Sensitive and Public", and what research (or other) data
fit into each category?

We've been using similar labels for a few years and still encounter
difficulties communicating the security around terms such as
"Confidential" & "Sensitive".  A common question is which one is higher?
We reverse the order here, "Sensitive, then Private/Confidential, then
Public", for example.

I wish that there were generally recognized labels that we could all use
and that were intuitive to the community.


< paul


> -----Original Message-----
> From: Steve Brukbacher [mailto:sab2 () UWM EDU] 
> Sent: Friday, September 01, 2006 6:31 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Security of Research Data
>
> We're encouraging people to think in terms of data classification, 
> regardless of whether it is research data or HR data or any other 
> source.  We have a high-level information security policy pending 
> approval. Underneath that will be a data classification 
> policy, system 
> config guidelines, etc.
>
> In our proposed data classification guidelines, we state that 
> research 
> data should be considered sensitive data if it does not fall 
> in to the 
> higher category of confidential (based on a 3-tiered classification 
> scheme, (Confidential, Sensitive and Public).
>
> We've also implemented a file share program, Xythos to allow 
> researchers 
>    to share information in a manner that is safer than 
> sending thing in 
> email attachments or opening up an FTP port on a departmental 
> machine or 
> email an unencrypted CD through the mail.  It allows users granular 
> control over what UWM users can access what folders/files and related 
> permissions.  It also allows for the creation of tickets or 
> web links to 
> documents.  While this gives whoever knows the link access to 
> the file, 
> it can also be password protected.  As you might imagine, good user 
> training will be key here.
>
> We're working on developing requirements for laptop encryption apps 
> (preferably whole hard drive) as well and hope to have something 
> available to our users in the near future. We've seen an 
> increase in the 
> number of research programs going mobile, so we are 
> responding to that 
> increased risk.
>
>
> -- 
> Steve Brukbacher, CISSP
> University of Wisconsin Milwaukee
> Information Security Coordinator
> UWM Computer Security Web Site
> www.security.uwm.edu
> Phone: 414.229.2224
>
>
>
> Crawford, Tim M. wrote:
> > I'm curious to know what strategies others use to address 
> research data. 
> > Is this something that you're addressing today? If so, how do you 
> > identify and protect accordingly?
> >  
> > Regards,
> >  
> > Tim
> >  
> > ______________________________________
> > /Tim M. Crawford/
> > /Associate Director, IT Operations/
> > /Stanford Graduate School of Business/
> > /650.724.2447/
> > /tcrawford () gsb stanford edu/ 
> <blocked::mailto:tcrawford () gsb stanford edu>
> >