Educause Security Discussion mailing list archives

Re: Data Classification

From: Brad Judy <brad.judy () CU EDU>
Date: Tue, 3 Sep 2019 14:58:54 +0000
While we aren’t a small school, we have a data governance policy (https://www.cu.edu/sites/default/files/6010.pdf) 
which establishes roles and responsibilities for data governance across our institutions. It’s described a bit on this 
webpage - https://www.cu.edu/ois/tools-and-services/data-governance
The information security team created the initial three-tier data classification structure 
(https://www.cu.edu/ois/data-classifications-impact
) with discussion with stakeholders years ago. The data trustees/stewards in each area are then responsible for 
deciding the classification of their data within that guidance. While some things are fairly prescribed (like SSN and 
ePHI being highly confidential), there is a lot of room for people closer to the data (and related regulations) to 
determine the level of sensitivity.

In the case of broad regulations, information security works with legal counsel to provide guidance to the data 
trustees about the impact to data classifications or other data decisions.

Even at a small school, I like the idea of information security providing a structure that can be used by people closer 
to the data (within business/functional units) to classify their data.

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu<http://www.cu.edu/>

[cu-logo_fl]


From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Jim A. Bole" <jbole () STEVENSON EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, September 3, 2019 at 8:39 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Data Classification

Some great examples of data classification policies.

I’m wondering about the governing body for data classification? Do institutions have a governing body separate from 
information security? Or does infosec wear both hats, especially at small institutions?

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Robert Smith
Sent: Friday, August 30, 2019 3:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: Data Classification

Hello,

Our Standard and Guide are on-line:
https://security.ucop.edu/policies/institutional-information-and-it-resource-classification.html<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity.ucop.edu%2Fpolicies%2Finstitutional-information-and-it-resource-classification.html&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C852a397069d645857a5708d72d81f1e3%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637027908453075915&sdata=eU1wEXNX4R1BrfDLZCTsCeB82UXShf42iBjKif%2BDMyI%3D&reserved=0>

Have a delightful day,
Robert Smith, CISSP, PMP
University of California Office of the President
(510) 587-6244 (o)
robert.smith () ucop edu<mailto:robert.smith () ucop edu>


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Ullman, Catherine
Sent: Friday, August 30, 2019 12:26 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Data Classification

Hi Marty,

Here is our data classification policy:

http://www.buffalo.edu/administrative-services/policy1/ub-policy-lib/data-risk-classification.html<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.buffalo.edu%2Fadministrative-services%2Fpolicy1%2Fub-policy-lib%2Fdata-risk-classification.html&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C852a397069d645857a5708d72d81f1e3%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637027908453085912&sdata=IO%2BcVCXD530uf4LfXpW01RvZiYrzPZzlfjcMjkCusi8%3D&reserved=0>

The chart found here: 
http://www.buffalo.edu/ubit/information-for-it-staff/information-security/minimum-security-standards.html<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.buffalo.edu%2Fubit%2Finformation-for-it-staff%2Finformation-security%2Fminimum-security-standards.html&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C852a397069d645857a5708d72d81f1e3%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637027908453095909&sdata=yqtjU%2B8UZx0Nh3nPLA4IuT5nwZSoRXYUkNpeAXCC16Q%3D&reserved=0>
  is meant to help clarify the risks for a variety of risks and provide some guidance on what needs to be done to 
secure the data.

I hope that helps.

Best,
Cathy


Dr. Catherine J Ullman
Senior Information Security Analyst
Information Security Office
University at Buffalo
cende () buffalo edu<mailto:cende () buffalo edu>



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Marty Leidner
Sent: Friday, August 30, 2019 2:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Data Classification


Good Afternoon



We at Rockefeller University are considering how to move forward with the elusive goal/initiative of data 
classification, and would like to see how others are addressing this. I would greatly appreciate if you could respond 
to this brief survey. I will be happy to share the results with anyone who is interested:



 1. Do you have a data classification policy on your website or intranet?

 2. Do you use any tools to enable your user community to classify their data? If so, which ones? These could be 
enterprise tools, or even basic  tools that are built into other applications or platforms (e.g. Office365, Box, etc.) 
3. Do you enforce this policy, or in any way require data to be classified?



Thanks , and I wish everyone a wonderful labor day,

Marty

,

Thank You,

Marty Leidner,  CISSP
Chief Information Security Officer
The Rockefeller University
Information Security
212-327-7372
http://it.rockefeller.edu/information-security<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fit.rockefeller.edu%2Finformation-security&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C852a397069d645857a5708d72d81f1e3%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637027908453095909&sdata=%2BvN7G0dYcr0Rs6A9mIpdB4VkT2iMrGB8ymnDsh%2BhtGY%3D&reserved=0>
Protector of the cyber realm




**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C852a397069d645857a5708d72d81f1e3%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637027908453105902&sdata=oVUgNl9xI4Kh6rbk9fIgDBS%2FdGNm4u9%2B%2FG%2BX9Z1%2BOBI%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C852a397069d645857a5708d72d81f1e3%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637027908453105902&sdata=oVUgNl9xI4Kh6rbk9fIgDBS%2FdGNm4u9%2B%2FG%2BX9Z1%2BOBI%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C852a397069d645857a5708d72d81f1e3%7C93599c7168554022bac5141d808346d1%7C0%7C0%7C637027908453115898&sdata=sAIHfXu5gfNrCIqa668Hcz1hSF6gl9H2nM0Msoa7fcQ%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
Current thread:

Re: Data Classification, (continued)
- Re: Data Classification Ullman, Catherine (Aug 30)
  - Re: Data Classification Robert Smith (Aug 30)
    - Re: Data Classification Jim A. Bole (Sep 03)
    - Re: Data Classification Barton, Robert W. (Sep 03)
    - Re: Data Classification WALTER KERNER (Sep 03)
- Re: Data Classification Telfer, Will (Aug 30)
  - Re: Data Classification Ken Connelly (Aug 30)
- Re: [External] [SECURITY] Data Classification Gregg, Christopher S. (Sep 03)
- Re: Data Classification Williams, Matthew (wilmh) (Sep 03)
  - Re: Data Classification Darren Morris (Sep 03)
- Re: Data Classification Brad Judy (Sep 03)