Minimum Control Sets for Data Classifications

[Martin Manjak <mmanjak () ALBANY EDU>]

Those of you who have implemented a data or asset classification schema,
do you also have minimum control sets (admin, physical, technical) that
are tied to each category of data?

For example, if the data handled is categorized as "highly sensitive,"
"confidential," or whatever label you've assigned to the data that
presents the highest institutional risk, is there a minimum set of
controls that have to be in place in the offices or business/academic
units that routinely use this type of information?

And if the answer is yes, would mind replying with a reference to those
controls?

Marty
-- 

Martin Manjak
CISSP, GIAC GSEC-G
Information Security Officer
University at Albany
MSC 209 518/437-3813

The University at Albany will never ask you to reveal your password.
Please ignore all such requests.