...
| Sub-Step | Tips | Resource | Resource Type |
|---|---|---|---|
| 3.1 Typically a number of "data classification levels" are identified by the institution. | Keep it as simple as possible: don't create any more levels than you have to. Each level should be differentiated from the others by the different actions required to appropriately handle the data. | Data Classification, Security, and Compliance: Helping Users Help Themselves (University of Michigan) | Higher Education |
| a. The levels are given appropriate names and definitions, and then each data element is classified into the proper level. Universities differ on how many levels are defined, although the most common number is three, four, or five. | Use names that are very clear to users; for example, "restricted" and "sensitive" are very similar terms and would cause confusion if used for a medium and a high level, respectively. Keep the highest level very high, because this level will cost a lot to secure. | | Higher Education |
| | | The Ohio State University Data Element Classification Assignments | Higher Education |
| | | Stanford Data Classification, Access, Transmittal, and Storage Guidelines and Chart | Higher Education |
| | | | Higher Education |
| | | EDUCAUSE's Model Security Policy, Section 3.0, Asset Classification | EDUCAUSE |
| 3.2 Check for state statutes that may already define some or all levels for you, and what words to use to describe the levels. State guidelines will most likely apply to state schools. | | | Government |
| 3.3 Check for recognized standards that may already define some or all levels for you, and what words to use to describe the levels. | | FIPS 199: Standards for Security Categorization of Federal Information and Information Systems | Government |
| 3.4 Consider using Confidentiality, Integrity, and Availability (CIA) as criteria to classify data. | | Presentation: Data Classification and Privacy: A Foundation for Compliance | Higher Education |
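Sub-steps 3.3 and 3.4 together suggest rating each data element on Confidentiality, Integrity and Availability and letting the highest rating drive the level. The following is an added example, not code from this guide or from any of the institutions it cites, that applies the FIPS 199 impact values (low, moderate, high, with "n/a" permitted only for confidentiality) and the FIPS 199 high-water-mark rule; the three institutional level names and the sample data elements are constructed assumptions.

```python
from dataclasses import dataclass

# FIPS 199 impact values; "n/a" is allowed only for the confidentiality objective.
IMPACT_ORDER = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
# Level names are an assumption for this example: the guide says only that three
# to five levels are common and that names should not be easily confused.
LEVEL_NAME = {0: "public", 1: "public", 2: "internal", 3: "restricted"}
OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass(frozen=True)
class DataElement:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def category(self) -> dict:
        """Security category: one impact value per objective, validated."""
        sc = {obj: getattr(self, obj) for obj in OBJECTIVES}
        for objective, value in sc.items():
            if value not in IMPACT_ORDER:
                raise ValueError(f"{self.name}: unknown impact {value!r} for {objective}")
            if value == "n/a" and objective != "confidentiality":
                raise ValueError(f"{self.name}: 'n/a' is only allowed for confidentiality")
        return sc

def element_level(element: DataElement) -> str:
    """Classify one element by the highest impact among its C, I and A ratings."""
    worst = max(IMPACT_ORDER[v] for v in element.category().values())
    return LEVEL_NAME[worst]

def system_category(elements) -> dict:
    """High-water mark per objective across every element a system holds (FIPS 199)."""
    sc = {"confidentiality": "n/a", "integrity": "low", "availability": "low"}
    for element in elements:
        for objective, value in element.category().items():
            if IMPACT_ORDER[value] > IMPACT_ORDER[sc[objective]]:
                sc[objective] = value
    return sc

def system_level(elements) -> str:
    """Overall system level is the highest of the three per-objective marks."""
    return LEVEL_NAME[max(IMPACT_ORDER[v] for v in system_category(elements).values())]

# Constructed sample elements; the ratings are illustrative, not any institution's.
SAMPLE = [
    DataElement("course catalog", "n/a", "low", "moderate"),
    DataElement("student id number", "moderate", "moderate", "low"),
    DataElement("financial aid records", "high", "moderate", "low"),
]
```

Note that the public course catalog still lands in the middle level because of its availability rating, which is the point of using all three CIA criteria rather than confidentiality alone.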
...