...
Sub-Step | Resource | Resource Type |
|---|---|---|
2.1 Understand the legal and regulatory landscape. An important consideration when safeguarding the privacy and security of data held by an institution (and outside parties on its behalf) is complying with applicable federal, state, and international laws and regulations related to the privacy and security of the data held by the institution, as well as any contractual protection obligations that may exist. Specific security controls are often legally prescribed for various data types, and these must be taken into consideration when developing a protection plan. | Info: Policing the Internet: Higher Education Law and Policy | Higher Education |
| Higher Education | |
| Info: Gramm-Leach-Bliley | Higher Education |
| Info: HIPAA | Higher Education |
| Info: FERPA | Higher Education |
| Info: FACTA Red Flag Rule | Government |
| Government | |
| Industry | |
| Info: Payment Card Industry (PCI) Security Standards Council | Industry |
2.2 Develop a classification system. A data classification schema must be developed with input from legal counsel and data stewards as defined in section 3.1. Consistency and reliability of controls and clarity of responsibility are achieved by developing a schema which can be applied to any data type, but which allows for individual exception. | Policy: Data Classification Policies | Higher Education |
| Higher Education | |
| Industry | |
2.3 Apply the schema. Using the schema, a classification is assigned to institutional data to the extent possible or necessary. Assignment involves review and subsequent documentation of data types and their information sensitivity classification. | Info: Iowa State University Data Classification and Retention System | Higher Education |
| Higher Education | |
| Info: FIPS 199 | Government |
| Industry |
...