Educause Security Discussion mailing list archives
Re: Data Classification: Legal criteria
From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Tue, 18 Mar 2008 15:10:00 -0400
Basgen, Brian wrote:
> We are in the process of developing a data classification policy with three types: public, internal, and confidential. The criteria or logic behind classifying confidential data is fairly easy: FERPA, GLBA, PCI, etc., require the confidentiality of certain data types. Yet, I am not clear on the best external criteria to use for classification of internal data. Peer institutions, "best practices" is one thought, but I'm wondering what other objective criteria people have employed for the justification of making certain kinds of data internal as opposed to public. Let me know, thanks.
We are in the process of revamping our classification scheme as well. Our approach (pending approval, of course) will be to classify regulated data and leave everything else up to the data owner to classify. FIPS 199, with some guidelines on mapping it to your classification scheme, can be used to help data owners make the decision for themselves. Some universities have adopted the practice of assigning a default classification (e.g. Internal Use Only) to non-regulated data that has not been formally classified by its respective data owner. I'm pushing for a similar practice here.