Quick Start Guide for Data Classification
Properly classifying and protecting data is a repeated, four step process:
- Process - The following steps should be performed on the data set that you are assessing.
- Do you have any of the data assets or data elements identified in the official listing? If so, use the highest level for each security objective.
- Using Policy 93.001, how would you likely assess the classification of the data on your system? If any of the data should be protected at a higher level than the official listing, use that level for your next steps on each security objective.
- Make sure your department has a retention schedule as defined in 93.002 and that you follow it.
- For information that has been identified as sensitive, if it is outside your retention window for that record type, dispose of it in a secure manner.
- DBAN, for erasing entire hard drives.
- Paper data
- Shredder bins, secure document disposal bins.
- Process - If it's possible, it is generally a good idea to substitute more sensitive information with less sensitive, if your business process allows for it.
- Instead of using SSN as your identifier, use PID, which does not have any use for individuals beyond the University.
- If using data for statistical modeling or research, de-identify the information from the individuals to whom the data belongs to by removing personal information (name, address, phone number, SSN, Health Insurer Number, etc.). An important thing to consider when de-identifying is that sometimes the collection of data can uniquely identify an individual even if any one piece of information would not. Example: the person that is a male living on Smith Street in Anytown, drives a red pickup, and has 6 children may only reasonably describe one person in the world.
- Data cannot be disclosed to unauthorized individuals or systems.
- Data cannot be modified by unauthorized individuals or systems.
- Data must be available when needed.