Version 1.0: October 2008
To compile resources pertaining to data classification in higher education. Although data classification is just one component of a comprehensive program to protect data, it is an important foundation. This Toolkit consolidates resources from the EDUCAUSE web site as well as from other sources, and organizes them into five basic steps.
Data are some of the most valuable assets any institution of higher education owns, and, as is in the case with all valuable assets, they need to be protected accordingly. What constitutes "accordingly" is mostly driven by legal, academic, financial and operational requirements and is based on the criticality and risk levels of the data. Protecting data assets while supporting academic, medical and research missions that require collaborative work and the open sharing of knowledge can be a difficult balancing act. One of the most important steps in protecting data appropriately is to determine classification levels for the data, and then to proceed with the actual classification of all of your valuable data assets.
The objective of the Data Classification Toolkit is to provide a body of information, resources, and guidance that can assist higher education officials in addressing the following questions regarding classifying data:
- Need: Why is it necessary or mandatory to classify data?
- Roles: Who should classify what data?
- Methods: How should data be classified?
- Are there any best (or common) practices available?
- Impact: What processes are dependent or impacted by data classification?
- Step1: Determine the need and/or requirements for data classification
- Step2: Determine the roles involved in data classification
- Step3: Determine your institution's classification levels
- Step4: Determine the methodology and procedures for classifying data
- Step5: Determine and review other information security processes impacted by data classification
| 1.1 There are laws, regulations, rules, or policies (federal, state and/or institutional) that require classification of data.
a. These might be Federal regulations, such as:
||HIPAA Security Standard - Final Rule||Government|
||HITECH Act Section 13405(c)||Government|
||HHS Title 45 CFR Part 46||Government|
|b. There are probably State laws with regard to personal information, such as SSN, which, if compromised, would lead to consumer notification; there may also be rules regarding performance of periodic risk assessments, and the protection of such data accordingly.|
||TAC 202 72||Government|
||Michigan Social Security Privacy Act||Government|
||State of Ohio IT Policy: Data Classification||Government|
||Massachusetts 201 CMR 17.00||Government|
|c. These might be Institutional policies.|
|1.2 In higher education institutions, where data stewardship is usually decentralized and where data is held by autonomous units, more guidance is needed than would be in an organization where data is completely centrally held and controlled.||
Policies and guidelines need to be very clearly worded for very different populations. For example: Faculty members and colleges may hold student grades. Researchers, who typically work with their own data and equipment, may need to meet information security requirements from granting agencies.
In addition, data classification applies to all data at the institution, including not only centrally collected and managed data, but also data collected and managed within schools and departments.
|1.3 Data classification assists in risk management.||Risk assessments help organizations and/or departments determine the levels of security needed to safeguard their data appropriately and the best way to allocate scarce budget and staff resources. Almost no organization can afford to apply the highest levels of security to all data. Although risk assessment can be performed without formal data classification, formally classifying data enables organizations to prioritize which systems receive the most security resources, and thus manage risk appropriately.|| Risk Management Framework, Phase 0: Strategic Risk Assessment Planning
|2.1 A number of terms are used to define the various roles and responsibilities.||It is common for people to assume that since IT manages the system, IT owns the data, but this is dangerous since IT is not responsible for the function that uses the data. However, it can be difficult to get the appropriate owners to take on the responsibility.|
|a. At the governance level, terms such as "Data Trustee," "Data Steward," or "Data Owner" are common.|| Start by asking these questions:
1) Who is the manager or agent responsible for the function that uses the resource?
2) Who is responsible for determining levels of protection for the data?
3) Who is responsible for making decisions about appropriate use of the data?
4) Who is responsible for classifying the data?
5) Who is responsible for business results of the system or the business use of the information?
Most universities declare that the data is owned by the unit responsible for creating the data itself, such as Registrar, HR, etc. But not all data has such a clear "creating" unit, since in many cases, individuals actually "create" the data themselves (e.g., online student systems where students enter much of their own data, online human resource systems where employees enter much of their own data, course management systems where professors and students create much of the data, and email systems where the user or sender creates the data.)
|EDUCAUSE Confidential Data Handling Blueprint: Step 3.1, Data Stewardship Roles and Responsibilities||EDUCAUSE|
|Presentation: Who Owns the Data Anyway? Defining Data Stewardship||EDUCAUSE|
|Mercyhurst College Policy 1.2.1: Data Stewardship and Custodianship||Higher Education|
|UTexas - Austin Glossary Entry for Data Owner|| Higher Education
|b. At the management level, terms such as "Data Manager" are common.||These are the persons who are responsible for implementing the controls the owner identifies. Many places now distinguish between the Dean/Director/AVP who is ultimately responsible for the data and the person who supervises the data entry personnel (and is thus quite a bit lower down the hierarchy).|
|c. At the operational level, terms such as "Data Custodian" or "Data User" are common.||Identify those who actually "touch" the data (enter, delete, even read).||The Ohio State University Institutional Data Procedures: Roles and Responsibilities For Data Trustees, Data Stewards, Data Custodians, and Data Users||Higher Education}|
|3.1 Typically a number of "data classification levels" are identified by the institution.|| Keep it as simple as possible - don't create any more levels than you have to. Each level should be differentiated from the other by the different actions required to appropriately handle the data.
|a. The levels are given appropriate names and definitions, and then each data element is classified into the proper level.||Use names that are very clear to users, for example, "restricted" and "sensitive" are very similar terms and would cause confusion if used for a medium and high level, respectively.||State of Ohio: Data Classification - A White Paper||Higher Ed|
| b. Universities differ on how many levels are defined, although the most common number is three, four, or five.
Keep the highest level very high, because this level will cost a lot to secure.
Examples (from lowest to highest level):
1) Public, Restricted, and Private
2) Public, Sensitive, and Confidential
3) Category III, Category II, and Category I
4) Public, Official Use Only, and Confidential
(Note that the word "public" used in data classification is defined differently than the word "public" used in the phrase "public records request" as used in state open records acts. )
|The Ohio State University Institutional Data Procedures: Classification and Access Control||Higher Education|
|Stanford Data Classification Guidelines and Classification of Data||Higher Education|
|EDUCAUSE's Model Security Policy, Section 3.0, Asset Classification||EDUCAUSE|
|3.2 Check for state statutes that may already define some or all levels for you, and what words to use to describe the levels.|
|3.3 Check for recognized standards that may already define some or all levels for you, and what words to use to describe the levels.||FIPS 199||Government|
|3.4 Consider using Confidentiality, Integrity, and Availability (CIA) as criteria to classify data.||Presentation: Data Classification and Privacy: A Foundation for Compliance||Higher Education|
|4.1 How will you get started on your classification activities?||This appears to be a huge project, if you consider all the data elements collected and used by a higher education institution. Institutions have used a number of techniques to make the task more manageable.|
|a. Establish a project team and start with a select few data areas.||Many institutions start with centrally-held administrative data. Those who are responsible for establishing and maintaining appropriate data classification levels for centrally-held data are trained in how to do so; experience is gained with that project; and then this team provides training and guidance subsequently to each data owner to use for all other types of data elements, both centrally managed and managed within decentralized units. Note: Special projects can be planned to address research data, institutional data NOT in central control, and personal data held by staff such as contact data.||Risk Management Framework, Phase 0: Strategic Risk Assessment Planning||EDUCAUSE|
|b. Assign a default classification||Data Classification Policy could state that all data is classified at a particular level as the default. Then, only data that falls outside of this default level needs to be formally classified.|
|c. Provide basic policy and procedure documents and tools, and ask each data owner to work independently.|
Once you are done creating your classification scheme, what comes next? Data classification is usually one of the first steps in a long progression of activities to safeguard your data. The list below provides a checklist of other information security processes that may be impacted by data classification activities, but it does not attempt to provide full information on each of these other processes.
|5.1 Access Management||Determining who can access the data, and what they can do with it.||Access Control Systems and Methodology||EDUCAUSE|
|5.2 Physical Security|| Physical and Environmental Security
|5.3 Risk Assessment||Risk Management||EDUCAUSE|
|5.4 Change Management Requirements|
|5.5 Training||Awareness and Training||EDUCAUSE|
|5.6 Need for Policy and Procedures|
|5.7 Need for Encryption||Determining how data is appropriately secured both while at rest (in storage) and in transmission.||Encryption||EDUCAUSE|
|5.8 Records Retention||Determining how long each type of data should be stored.|
|5.9 Data Incident Handling and Response|| Determining what happens if/when data is lost, stolen, or compromised.
|| Confidential Data Handling Blueprint
Data Incident Notification Toolkit
Information Security Incident Management
Questions or comments? Contact us.
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.