Data Classification Guidelines

INTRODUCTION
Information and Educational Technology developed these guidelines to help campus units categorize
their information and information systems, according to the sensitivity of data they contain.
Categorization will help departments allocate their resources, prioritize the selection and placement of
security controls, and ensure that sensitive systems meet baseline security standards.
WHEN SHOULD CLASSIFICATION OCCUR?
According to NIST SP 800-60 (Guide for Mapping Types of Information and Information Systems to
Security Categories), classification should occur early in the planning and design of new systems and be
revisited at least every three years. If performed early in the development process, classification can
help administrators and developers identify and implement security requirements. Periodic reviews will
ensure that the classification remains accurate, and that the system meets baseline security standards.
WHO HAS ULTIMATE RESPONSIBILITY?
UC Business and Finance Bulletin IS-2 (Inventory, Classification, and Release of University Electronic
Information) defines two critical roles when it comes to the classification, collection, and safeguarding of
sensitive data:
• The Resource Proprietor is the individual with ultimate responsibility over collecting, managing, and sharing the data. Typically, Resource Proprietors will include individuals designated as data owner or data steward.
• The Resource Custodian has physical or logical control over the data, performs maintenance activities, or provides other services to the resource proprietor. Typically, Resource Custodians will include system administrators, database administrators, and data managers.
Resource proprietors, in consultation with resource custodians, should ensure that systems are correctly
categorized and compliant with all federal and state regulations, and with all University policies.
OTHER CONSIDERATIONS
While data classification should play a critical role in determining the security requirements for a given
system, other factors should also be considered. Systems that perform or support critical business
functions, or that require high availability, might warrant stricter standards and requirements. For all
systems, consider the potential impact to University assets, operations, and reputation if a loss of
confidentiality, availability, or integrity were to occur.
CLASSIFICATION LEVELS
This section outlines three classification levels (high, medium, low). Resource proprietors should ensure
that the selection of security controls is appropriate for the sensitivity of the data they’re protecting.
Systems that process private or restricted data are inherently more costly to secure and maintain.
Whenever possible, avoid the unnecessary use or collection of such data.
Restricted (High Sensitivity)
Systems handling restricted data should have the strictest security requirements. This classification level
is reserved for information that would, if inadvertently released, have a significant adverse impact to the
University. This includes information protected by state or federal regulations (HIPAA, FERPA, California
Civil Code, etc.), University of California policy, or contracts. This also includes credential or session
information that can be used to access sensitive data. More specific examples can be found below.
Examples of Restricted Data
• Electronic Protected Health Information (ePHI).
• Credit/debit card information and bank account information.
• Student records that are not part of the campus directory (this includes student IDs).
• Electronic signatures, biometric information, password information, and private encryption keys (depending on use).
• Data covered by non-disclosure agreements, service level agreements, grants, etc.
• Criminal background checks.
• Personally identifying information that, by law, warrants notification if wrongfully disclosed. According to California Civil Code Section 1798.29, this would include:
  … an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
  o Social Security number.
  o Driver’s license number or California Identification Card number.
  o Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
  o Medical information.
  o Health insurance information.
Private (Medium Sensitivity)
Private data should be considered the default classification level for non-restricted data that has not
been explicitly made public.
Examples of Private Data
• Non-public administrative or operational data (e.g. employee evaluations, asset listings and locations, etc.).
• Non-restricted research data.
• Information used to validate identity (name plus date of birth, mother’s maiden name, etc.).
• E-mail contents.
• Employee information not listed as restricted (home address, telephone number, income tax withholdings, personal email address, race, ethnicity, marital status).
Public (Low Sensitivity)
The lowest data classification level includes data openly available to the public. This might include low-sensitivity data which, when openly distributed, presents no risk to the University. This might also
include official University communications and public announcements.
Systems distributing low sensitivity data can still pose significant risk to the University. High-visibility
public websites sharing only low sensitivity data can be targets for individuals seeking to embarrass the
University and damage its reputation. Data classification should be used only as a baseline when
defining the classification level for an information system. Depending on the other factors listed above,
assessing a system according to a higher classification level might be prudent.
Examples of Public Data
• Public directory information.
• Staff and faculty employment information (position, employment start/end dates, salary, office location, office phone number).
• Research publication information.
• Course catalog information.
• Employee ID.
• Intercollegiate sports information (team rosters, statistics, scores, schedules).
For More Information
• IS-2: Inventory, Classification, and Release of University Electronic Information
• NIST SP 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories