Information can be defined as data endowed with meaning and purpose. Information is a significant institutional asset; thereby it is imperative to develop a comprehensive approach to protecting and governing data. This document addresses the task of enabling availability and accessibility of institutional data for academic, research, functional and administrative needs, while effectively protecting its confidentiality and integrity. Since it is not possible to protect against every possible threat, the main emphasis needs to be placed on protecting mission critical data elements. If mission critical information is protected, the impact of security incidents is significantly reduced. Effective classification of data is a vital step in applying suitable controls for enhancing its confidentiality, integrity and availability.
Ultimately, it will be the responsibility of the Data Governance groups, data and business process owners to identify data management roles, legal requirements, and ensure accountability for both appropriate access and protection of institutional data.
Data Protection strategies:
Classification strategy: This strategy entails classifying data elements into three categories (Highly Confidential, Confidential, and Public) to undertake appropriate protection measures. This strategy will be more relevant to the data and business process owners who would have responsibility for classifying data as well as individuals (data users) who use or access data on a regular basis.
System Security Categorization and Control strategy: This strategy entails mapping appropriate controls for information type based on the level of risk to the confidentiality, integrity, or availability of information. The strategy will be more relevant to the technical and executive audience (Data owners, stewards and custodians) who are directly responsible for securing the data. This strategy applies primarily to information systems rather than data elements.
The control strategy as defined above may incorporate some elements of the classification strategy in order to fine-tune the controls for the information types.