Educause Security Discussion mailing list archives
Re: Data Classification: Legal criteria
From: "Sherry, Cathy" <csherry () UMASSP EDU>
Date: Tue, 18 Mar 2008 16:53:17 -0400
The University of Massachusetts uses:

* Unclassified - data that does not fall into any of the other data classifications noted below. This data may be made generally available without specific data custodian approval.

* Operational Use Only - data whose loss, corruption or unauthorized disclosure would not necessarily result in any business, financial or legal loss BUT which the University has determined is critical to its business and requires a higher degree of handling than unclassified data. Access to Operational Use Only data is available to data custodian approved users only.

* Confidential - data whose loss, corruption or unauthorized disclosure would be a violation of federal or state laws/regulations or University contracts (i.e., protected data); personally identifiable data; data that involves issues of personal privacy; or data whose loss, corruption or unauthorized disclosure may impair the academic, research or business functions of the University, or result in any business, financial, or legal loss.

We recently collapsed 5 classifications into the three noted above. Private and Restricted classifications were dropped because these types of records were handled like Confidential records, so there was no need for differentiation.

The University also includes personally identifiable information (as defined by the recently passed Massachusetts General Law 93H addressing notice of a data security breach) and protected information as Confidential. They are defined as:

Personally Identifiable Information (i.e., PII) is assigned a security classification of CONFIDENTIAL and includes University data whose loss, corruption or unauthorized disclosure would be a violation of federal or state laws/regulations or University contracts. PII includes, but is not limited to:

* An individual's first name and last name or first initial and last name in combination with one or more of the following data elements: social security number, driver's license number or state-identification card number, or financial account number, or credit or debit card number, with or without any required security code, access code, personally identifiable identification number or password, that would permit access to a resident's financial account. (Massachusetts Law Chapter 93H)

* Individually identifiable health information (i.e., information relating to past, present or future physical or mental health or condition of an individual; provision of healthcare to an individual or payment for the provision of healthcare to an individual). Individually identifiable health information may include, but is not limited to: name, telephone/fax number, email address, social security number, driver's license number, internet address or any other unique identifying number, characteristic or code. Some, but not all, health information is protected under the Health Insurance Portability and Accountability Act of 1996 (i.e., HIPAA).

* Student education records not defined as student "directory information" (e.g., student number, grades, courses taken, etc.) by the University and its Campuses are protected under the Family Educational Rights and Privacy Act (i.e., FERPA).

* "Customer" records such as names, addresses, phone numbers, bank and credit card account numbers, credit histories, or social security numbers as they relate to student financial aid information are protected under the Gramm-Leach-Bliley Act of 1999 (i.e., GLB).

Protected Information is assigned a security classification of CONFIDENTIAL and includes University data whose disclosure would not result in any business, financial or legal loss BUT involves issues of personally identifiable credibility, reputation, or other issues of personally identifiable privacy. The security and protection of this data is dictated by a desire to maintain staff and student privacy. Protected data includes an individual's first name or initial and last name in combination with one or more of the following data elements: their birth date, mother's maiden name, state employee salary, employee identification number, electronic signature, fingerprint, photograph or computerized image, physical characteristics or description, or passport number.

:: Catherine Sherry, CISSP, CISA - Principal Security Specialist
:: University Information Technology Services (UITS)
:: University of Massachusetts President's Office
:: 508-856-1547
:: 508-856-4844 Fax
:: csherry () umassp edu
University of Massachusetts : 333 South St. : Suite 400 : Shrewsbury, MA 01545 : www.massachusetts.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Tuesday, March 18, 2008 1:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Data Classification: Legal criteria

We are in the process of developing a data classification policy with three types: public, internal, and confidential. The criteria or logic behind classifying confidential data is fairly easy: FERPA, GLBA, PCI, etc. require the confidentiality of certain data types. Yet, I am not clear on the best external criteria to use for classification of internal data. Peer institutions' "best practices" is one thought, but I'm wondering what other objective criteria people have employed for the justification of making certain kinds of data internal as opposed to public. Let me know, thanks.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College