Interesting Discussions on Data Classification

If you are involved with information security at a college or university and have not already done so, I strongly recommend that you head over to the EDUCAUSE site and sign up for the Security Discussion Group. This discussion group is an excellent source of information and provides an easy way to interact with colleagues from other academic institutions.

A recent discussion on the Security list involves data classification. Several different approaches are in use; here are a few of them. Northwestern follows a three-container system containing Public, Internal, and Legally/Contractually Restricted classifications. The University of Massachusetts recently collapsed a five-container system into a three-container system containing Unclassified, Operational Use Only, and Confidential. The University of Massachusetts also takes the stance that all PII falls within the Confidential container.

Gary Dobbins over at Notre Dame warns about the dangers of a “catch-all” middle-of-the-road classification. Instead, he moved Notre Dame from a three-container system to a four-container system containing a “Super-Top-Secret” class, an “Internal” class, a “Sensitive” class, and a “Public” class. Gary further advises staying away from a “regulated” class, because regulatory requirements differ from one regulation to the next.

Dr. Kees Leune is taking a different approach. Instead of relying upon a classification determined by content, he argues that there is a need to define discrete “chunks” of information and then address the needs of these chunks based upon the data owners' needs and uses of the information. Each chunk is then given a rating based upon its required level of Confidentiality, Integrity, and Availability.

Out of all of these approaches, my personal preference is closer to that of Gary Dobbins except that I still tend to lean toward a three-container system. I agree with everyone that overly complex classification systems are doomed to failure and a simple, pragmatic approach is best. I also like the approach of Dr. Leune in that there is a need to not only define these classification levels, but to also go out and talk with the data owners about the exact protections their data requires.

There are many more great discussions over on the Security Discussion Group, so head on over and register to become part of the solution.
