Presentation is loading. Please wait.

Presentation is loading. Please wait.

Developing a Data Risk Classification Program

Published byThomasina Stevens Modified over 5 years ago

Similar presentations

Presentation on theme: "Developing a Data Risk Classification Program"— Presentation transcript:

1 Developing a Data Risk Classification Program
Presenters: Ben Hartung, Information Security Officer (Fredonia) Symen Mulders, Information Security Analyst (Plattsburgh) (Ben & Symen) Welcome everyone to the Developing a Data Risk Classification Program My name is Ben Hartung, Information Security Officer for Fredonia and Symen Mulders, Information Security Analyst at Plattsburgh.

2 Background SUNY-wide taskforce comprised of eight campus members of the SUNY Information Security Working Group (ISWG) charged with developing a template for a Data Risk Classification Policy. Contributors: Jeff Murphy (Buffalo) Alan Tosi (RF) David Loewy (Downstate) Walter Kerner (FitNYC) David Fish (Brockport) Ursula Wilkinson (Oswego) Ben Hartung (Fredonia) Symen Mulders (Plattsburgh) (Ben) SUNY campuses are all struggling with the sames security and compliance issues Foundational for all security programs to know what kind of data is in scope and what controls are applicable

3 Goals Current, comprehensive and easy to understand
Maps directly to the NYS & Federal regulations Applicable to Higher Ed (specifically SUNY) Correlates to Information Security Data Access Policy and other related policies Aligns with Enterprise Risk Management (e.g. Data Risk Classification Program) Simplicity of implementation (e.g. DLP) Leadership Buy-In (Ben)

4 Development Process Reviewed Federal and NYS compliance requirements
Reviewed draft policies from other SUNY(s) Reviewed policies from leading Universities (e.g. Harvard, Stanford, & others) Michael Duff, Stanford CISO, provided consultation and guidance Provided DRAFT policy to ISWG, SUNY CCIO, and local campuses for feedback Reviewed by SUNY Counsel Reviewed by SUNY Enterprise Risk Management group Ben Process took about 4-6 months Fredonia also reviewed the draft policy and related templates with the Information Technology Advisory Board (ITAB) and campus-wide 30-day review process for employee feedback

5 What is Data Risk Classification?
Data risk classification is broadly defined as the process of organizing data by relevant categories so that it may be used and protected more efficiently. The classification process not only makes data easier to locate and retrieve – data classification is of particular importance when it comes to risk management, compliance, and data security. Scope = University owned data in motion (transit) and at rest (stored). Source: Symen

6 This can be a bit complicated at first...
Symen Every campus has a *lot* of different kinds of data, so classifying it can seem like a really big project...

7 Why do we care? Security ….protect against data breach
Cost of Data Breach In 2016, 73% of breaches were financially motivated, per the 2017 Verizon Data Breach Report. Do we understand the financial value of our data so we can apply appropriate security controls? The way we do that is with a data classification. Reference: 2016 Cost of Data Breach Study: Global Analysis from Ponemon Institute (Symen) A breach could really hurt, financially. Classifying our data allows us to focus our security efforts where they will be most effective...

8 Why do we care?.....con’t Compliance Requirements: (Symen)
SUNY Procedures 6608: Information Security Guidelines: Campus Programs & Preserving Confidentiality New York State Information Technology Standard No: NYS-S Information Classification National Institute of Standards and Technology (NIST) Special Publication : Security and Privacy Controls for Federal Information Systems and Organizations National Institute of Standards and Technology (NIST) Special Publication : Protecting Controlled Unclassified Information in Non Federal Information Systems and Organizations Federal Information Processing Standard Publication 199: Standards for Security Categorization of Federal Information and Information Systems New York State Freedom of Information Law (FOIL) New York State Security and Breach Notification Act Family Educational Rights and Privacy Act (FERPA) Health Insurance Portability and Accountability Act (HIPAA) Federal Policy for the Protection of Human Subjects (‘Common Rule’) New York State Information Security Policy Gramm-Leach-Bliley Act Payment Card Industry Data Security Standards (Symen)

9 Why do we care?..... in 16 Words Restricted = Data that will make a breach expensive. Public = Data subject to FOIL. Private = Everything else. (Symen) ...So, we made it as simple as we could.

10 Adapting the Data Classification for Your Campus
Symen You likely have data on your campus that doesn’t fit any of the categories we have already identified, but still needs to be classified. The important thing to remember is to follow the 16 words. Restricted = expensive breach, public = data available to the public or by FOIL, everything else is private.

11 Draft Data Risk Classification Policy & Program Templates
Data Risk Classification General Overview Data Risk Classification & Approved Electronic Services Ben & Symen Program Development Policy Communication Plan Approved Electronic Services List (Inventory) & Process Awareness Training Related to other relevant policies… e.g. Data Security and Access Policy, Mobile Device Policy What’s Next??...Data Loss Prevention Tools

12 Questions ??????? Symen & Ben

Download ppt "Developing a Data Risk Classification Program"

Similar presentations

IT Security Policy Framework

IT Security Policy Framework
University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.

University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.
Red Flag Rules: What they are? & What you need to do

Red Flag Rules: What they are? & What you need to do
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.

Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
ITEC 6324 Health Insurance Portability and Accountability (HIPAA) Act of 1996 Instructor: Dr. E. Crowley Name: Victor Wong Date: 2 Sept. 2004.

ITEC 6324 Health Insurance Portability and Accountability (HIPAA) Act of 1996 Instructor: Dr. E. Crowley Name: Victor Wong Date: 2 Sept
Regulatory Issues in Campus Computing Privacy and Security in a Digital World Presented by David Gleason, Esq. University Counsel University of Maryland,

Regulatory Issues in Campus Computing Privacy and Security in a Digital World Presented by David Gleason, Esq. University Counsel University of Maryland,
Information & Communication Technologies 08 2014 NMSU All About Discovery! Risk-Based Information Security Program at NMSU presented by Norma Grijalva.

Information & Communication Technologies NMSU All About Discovery! Risk-Based Information Security Program at NMSU presented by Norma Grijalva.
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
Informed Consent and HIPAA Tim Noe Coordinating Center.

Informed Consent and HIPAA Tim Noe Coordinating Center.
IT Security Challenges In Higher Education Steve Schuster Cornell University.

IT Security Challenges In Higher Education Steve Schuster Cornell University.
Peer Information Security Policies: A Sampling Summer 2015.

Peer Information Security Policies: A Sampling Summer 2015.
CUI Statistical: Collaborative Efforts of Federal Statistical Agencies Eve Powell-Griner National Center for Health Statistics.

CUI Statistical: Collaborative Efforts of Federal Statistical Agencies Eve Powell-Griner National Center for Health Statistics.
Electronic Records Management: What Management Needs to Know May 2009.

Electronic Records Management: What Management Needs to Know May 2009.
1 General Awareness Training Security Awareness Module 1 Overview and Requirements.

1 General Awareness Training Security Awareness Module 1 Overview and Requirements.
DATA PROTECTION IN THE AGO Christina Beusch Deputy Attorney General WA State Attorney General’s Office.

DATA PROTECTION IN THE AGO Christina Beusch Deputy Attorney General WA State Attorney General’s Office.
1 Copyright © 2014 M. E. Kabay. All rights reserved. CSH5 Chapter 67 “Developing Classification Policies for Data” Karthik Raman & Kevin Beets Classification.

1 Copyright © 2014 M. E. Kabay. All rights reserved. CSH5 Chapter 67 “Developing Classification Policies for Data” Karthik Raman & Kevin Beets Classification.
LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.

LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.
IT Security Policy Framework ● Policies ● Standards ● Procedures ● Guidelines.

IT Security Policy Framework ● Policies ● Standards ● Procedures ● Guidelines.
Designing Services for Security: Information Security Management throughout the Service Lifecycle Sarah Irwin & Craig Haynal 2015 Penn State Security Conference,

Designing Services for Security: Information Security Management throughout the Service Lifecycle Sarah Irwin & Craig Haynal 2015 Penn State Security Conference,

Similar presentations

Ads by Google