Educause Security Discussion mailing list archives

Re: Data Classification: Legal criteria


From: "Sherry, Cathy" <csherry () UMASSP EDU>
Date: Tue, 18 Mar 2008 16:53:17 -0400

The University of Massachusetts uses:


*       Unclassified - data that does not fall into any of the other
data classifications noted below. This data may be made generally
available without specific data custodian approval. 

*       Operational Use Only - data whose loss, corruption or
unauthorized disclosure would not necessarily result in any business,
financial or legal loss BUT which the University had determined is
critical to its business and requires a higher degree of handling than
unclassified data.  Access to Operational Use Only data is available to
data custodian approved users only. 

*       Confidential - data whose loss, corruption or unauthorized
disclosure would be a violation of federal or state laws/regulations or
University contracts (i.e., protected data); personally identifiable
data; data that involves issues of personal privacy; or data whose loss,
corruption or unauthorized disclosure may impair the academic, research
or business functions of the University, or result in any business,
financial, or legal loss. 

We recently collapsed 5 classifications into the three noted above.
Private and Restricted classifications were dropped because these types
of records were handled like Confidential records so there was no need
for differentiation.  

The University also includes personally identifiable information (as
defined by the recently passed Massachusetts General Law 93H addressing
notice of a data security breach) and protected information as
Confidential.  They are defined as:

Personally Identifiable Information (i.e., PII) is assigned a security
classification of CONFIDENTIAL and includes University data whose loss,
corruption or unauthorized disclosure would be a violation of federal or
state laws/regulations or University contracts.  PII includes, but is
not limited to:

*       An individual's first name and last name or first initial and
last name in combination with one or more of the following data
elements: social security number, driver's license number or
state-identification card number, or financial account number, or credit
or debit card number, with or without any required security code, access
code, personally identifiable identification number or password, that
would permit access to a resident's financial account.  (Massachusetts
Law Chapter 93H)

*       Individually identifiable health information (i.e., information
relating to past, present or future physical or mental health or
condition of an individual; provision of healthcare to an individual or
payment for the provision of healthcare to an individual; Individually
identifiable health information may include, but is not limited to:
name, telephone/fax number, email address, social security number,
driver's license number, internet address or any other unique
identifying number, characteristic or code).  Some, but not all, health
information is protected under the Health Insurance Portability and
Accountability Act of 1996 (i.e., HIPAA)

*       Student education records not defined as student "directory
information" (e.g., student number, grades, courses taken, etc.) by the
University and its Campuses are protected under the Family Educational
Rights and Privacy Act (i.e., FERPA).

*       "Customer" records such as names, addresses, phone numbers, bank
and credit card account numbers, credit histories, or social security
numbers as they relate to student financial aid information are
protected under the Gramm-Leach-Bliley Act of 1999 (i.e., GLB).

Protected Information is assigned a security classification of
CONFIDENTIAL and includes University data whose disclosure would not
result in any business, financial or legal loss BUT involves issues of
personally identifiable credibility, reputation, or other issues of
personally identifiable privacy.  The security and protection of this
data is dictated by a desire to maintain staff and student privacy.
Protected data includes an individual's first name or initial and last
name in combination with one or more of the following data elements:
their birth date, mother's maiden name, state employee salary, employee
identification number, electronic signature, fingerprint, photograph or
computerized image, physical characteristics or description, or passport
number.

:: Catherine Sherry, CISSP, CISA - Principal Security Specialist
:: University Information Technology Services (UITS)
:: University of Massachusetts President's Office       
:: 508-856-1547
:: 508-856-4844 Fax
:: csherry () umassp edu

University of Massachusetts : 333 South St. : Suite 400 : Shrewsbury, MA
01545 : www.massachusetts.edu   


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Tuesday, March 18, 2008 1:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Data Classification: Legal criteria

 We are in the process of developing a data classification policy with
three types: public, internal, and confidential.

 The criteria or logic behind classifying confidential data is fairly
easy: FERPA, GLBA, PCI, etc., requires the confidentiality of certain
data types. Yet, I am not clear on the best external criteria to use for
classification of internal data. Peer institutions, "best practices" is
one thought, but I'm wondering what other objective criteria people have
employed for the justification of making certain kinds of data internal
as opposed to public. Let me know, thanks.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
 
 
