
Listing of Official Data Classification

Definitions

Source: The authoritative location for a particular set of data.  For example, the source for student academic information is PeopleSoft.

Raw: Data in an unprocessed format, i.e. no statistical aggregation or de-identification has been performed on it.

Aggregated: Data that has been statistically summarized in a fashion which obscures any individually identifying characteristics.

De-Identified: Data that, while not aggregated, cannot be associated with an individual.  For example, research data where the subject's name or other identifying information has been replaced with a number unique to the research project.

Example

Example - Raw Source Collection of Academic Records on All Students at Ohio University

Steward: bentond
Confidentiality: High
Integrity: High
Availability: High

IAPAG Review: (blank)
Deans Review: (blank)
Approval: (blank)

Since this collection contains significant amounts of sensitive information and has the potential to cause significant harm to the institution should it be disclosed or modified in an unauthorized manner, this data should be restricted in its use and classified as high.

Because its scope is the entire university, the steward should be at a university level, with the University Registrar as the person tasked.

This would result in the requirement for an annual review and approval process for access to this data set.

Example - Raw Collection of Academic Records on All Students at Ohio University

Steward: bentond
Confidentiality: High
Integrity: Medium
Availability: High

IAPAG Review: (blank)
Deans Review: (blank)
Approval: (blank)

Since this collection contains significant amounts of sensitive information and has the potential to cause significant harm to the institution should it be disclosed or modified in an unauthorized manner, this data should be restricted in its use and classified as high for confidentiality.

Depending on the use of the data, the integrity may also be classified as high.

Because its scope is the entire university, the steward should be at a university level, with the University Registrar as the person tasked.

This would result in the requirement for an annual review and approval process for access to this data set.

Example - Aggregated Collection of Academic Records on All Students at Ohio University

Steward: schallej
Confidentiality: Medium
Integrity: Medium
Availability: Medium

IAPAG Review: (blank)
Deans Review: (blank)
Approval: (blank)

Since this collection has been aggregated to the point that it is de-identified from the individual, and only has the potential to cause moderate harm to the institution should it be disclosed or modified in an unauthorized manner, this data should NOT be restricted in its use for the university, and should be classified as moderate.

Because its scope is the entire university, the steward should be at a university level, with the Director of Institutional Research as the person tasked.

By policy, this would result in a requirement to notify the Director of Institutional Research, the ISO and the department head/supervisor of how the data is being used, but not a requirement for approval.

Example - Source Aggregated Collection of Academic Records on All Students at Ohio University

Steward: schallej
Confidentiality: Medium
Integrity: High
Availability: Medium

IAPAG Review: (blank)
Deans Review: (blank)
Approval: (blank)

Since this collection has been aggregated to the point that it is de-identified from the individual, and only has the potential to cause moderate harm to the institution should it be disclosed in an unauthorized manner, this data should NOT be restricted in its use for the university, and should be classified as moderate.

However, it is paramount that this data not be altered without data steward approval, since it is the official report out to external agencies for Ohio University. This is reflected in the "High" rating for Integrity.

Because its scope is the entire university, the steward should be at a university level, with the Director of Institutional Research as the person tasked.

By policy, this would result in a requirement to notify the Director of Institutional Research, the ISO and the department head/supervisor of how the data is being used, but not a requirement for approval.

Example - Raw Collection of Academic Records on Students at the Russ College of Engineering

Steward: irwind
Confidentiality: High
Integrity: High
Availability: Medium

IAPAG Review: (blank)
Deans Review: (blank)
Approval: (blank)

Since this collection contains significant amounts of sensitive information and has the potential to cause significant harm to the institution should it be disclosed or modified in an unauthorized manner, this data should be restricted in its use and classified as high.

Because its scope is the Russ College of Engineering, the steward should be at a college level, with Dean Irwin as the person tasked.

This would result in the requirement for an annual review and approval process for access to this data set.

Example - Aggregated Collection of Academic Records on Students at the Russ College of Engineering

Steward: irwind
Confidentiality: Medium
Integrity: Medium
Availability: Medium

IAPAG Review: (blank)
Deans Review: (blank)
Approval: (blank)

Since this collection has been aggregated to the point that it is de-identified from the individual, and only has the potential to cause moderate harm to the institution should it be disclosed or modified in an unauthorized manner, this data should NOT be restricted in its use for the university, and should be classified as moderate.

Because its scope is the Russ College of Engineering, the steward should be at a college level, with Dean Irwin as the person tasked.

By policy, this would result in a requirement to notify the Dean, the ISO and the department head/supervisor of how the data is being used, but not a requirement for approval.

Example - Credit Card Data for University Merchants

Steward: downs
Confidentiality: High
Integrity: High
Availability: Medium

IAPAG Review: (blank)
Deans Review: (blank)
Approval: (blank)

Since this collection contains significant amounts of sensitive information and has the potential to cause significant harm to the institution should it be disclosed or modified in an unauthorized manner, this data should be restricted in its use and classified as high.

Because of PCI-DSS compliance issues, and the significant financial penalties to the University should compliance not be met, this is to be approved at a University level regardless of local scope.

By policy, this would result in the requirement for an annual review and approval process for handling of this data set.

Example - De-Identified Credit Card Data for University Merchants (Bobcat Essentials)

Steward: scottg
Confidentiality: Medium
Integrity: Medium
Availability: Medium

IAPAG Review: (blank)
Deans Review: (blank)
Approval: (blank)

Since this collection has been de-identified through tokenization or another technology, it has the potential to cause moderate harm to the institution should it be disclosed in an unauthorized manner; this data should be classified as moderate.

Because its scope is the Bobcat Essentials Store, the steward should be at a store or Culinary Services level, with Gwyn Scott as the person tasked.

By policy, this would result in a requirement to notify the steward, the ISO and the department head/supervisor of how the data is being used, but not a requirement for approval.

Proposed

Proposed - Credit Card Data for University Merchants

Steward: downs
Confidentiality: High
Integrity: High
Availability: Medium

IAPAG Review: 41481
Deans Review: (blank)
Approval: (blank)

Since this collection contains significant amounts of sensitive information and has the potential to cause significant harm to the institution should it be disclosed or modified in an unauthorized manner, this data should be restricted in its use and classified as high.

Because of PCI-DSS compliance issues, and the significant financial penalties to the University should compliance not be met, this is to be approved at a University level regardless of local scope.

By policy, this would result in the requirement for an annual review and approval process for handling of this data set.

Proposed - System Configuration and Executable Files for systems processing other data elements classified as "High"

Steward: resler
Confidentiality: High
Integrity: High
Availability: High

IAPAG Review: (blank)
Deans Review: (blank)
Approval: (blank)

In order to effectively protect information that has been classified as "High", the systems, databases and applications that it resides on must be robust.  Therefore, the software those systems run on must be treated as requiring a high degree of integrity.  In addition, the configuration files may reveal some of the protections in place, and must also be treated as high confidentiality.

The Security Objectives will follow the maximum rating of the data sets that the system contains.

Official


There are no official listings at this time.