Data Classification Standard & Data Management Procedures
By: John L. Baines, Leo Howell, Jeff Webster
Introduction
• Information is THE primary asset at the University
• Security & custody are now both strong issues
• Press & governance showing increased attention
• The University reputation is at stake
DCS & DMP
Not Just IT Anymore
If it ever was!
Electronic & Physical
• Finance
• HR
• Web
• Portable data
• Athletics
• IPR
• Text
• A/V
• Dept level
• Download
Two Draft Regulations - DCS & DMP
• Joint effort – RMIS & ITD
• Data Classification Standard (new)
  • Sensitivity of data
  • Security and privacy
  • Consistency
• Data Management Procedures (revised)
  • Responsibility and accountability
  • Authorization for access
  • Custody of information copies
Three Virtual Protection Zones
Based on Security from Data Classification Standard
Security follows data
• High
  • Impact to business
  • Significant financial loss
  • Violates laws, agreements, or regulations
• Moderate
  • NOT Red but adversely affects the University
• Normal
  • NOT Yellow but authorization required to modify or copy
• E.g., a server with only published materials may require merely Green zone protection
• E.g., a laptop with access to social security numbers operates in the Red zone
Current DMP – Data Management Procedures
• University Regulation 8.00.3
• Original approved January 1990
• Served the University very well
• Is detailed and specific to:
  • Centrally managed data
  • Enterprise information systems
• New draft simplifies and extends to rest of University
Logical Organization from DMP
Data Steward Classifies Data
• Establishes guidelines for his or her data
• Sets appropriate privacy / security level
• Avoids compliance findings
• Delegates authority, responsibility, and accountability
• DMP and DCS work hand in hand
User Responsibilities
• Store data under secure conditions
• Make every reasonable effort to ensure the appropriate level of data privacy is maintained
• Use the data only for the purpose for which access was granted
• Not share IDs or passwords with other persons
• Securely dispose of sensitive University data
Possible Next Steps
• Guidance and awareness (we will work to develop guides; for example, a checklist to help classify data)
• Possible specific standards for protecting data based on classification level
• Training program for new data stewards, data custodians, and security administrators
• Security awareness program for users
• Resources for Campus Groups
  • ITD security staff
  • RMIS Information Assurance & Security area
‘Do Nothing’ Alternative
• For those found to have responsibility for the data:
  • Compliance failures
  • Data compromises
  • Theft of information
  • Lawsuits
  • Fines
  • Loss of reputation
• More stringent University-wide data control regulations that:
  • Cannot take into account special characteristics of individual data items
  • Place unnecessary controls on all sensitive data in a more arbitrary way
Benefits
• Establishes consistency in handling sensitive data
• Clarifies authority, responsibility, and accountability for the security of data
• Delegates appropriately
• Simplifies audit and oversight
• Helps avoid embarrassing data leaks
• Guards against severe financial and legal penalties for compliance findings