How Data Classification Can Reduce Security and Compliance Risk in Higher Ed
In a previous post about IT priorities in higher education, we mentioned that information security is the biggest concern for the second consecutive year, according to the annual Top IT Issues report from Educause. That’s because higher education has become a prime target for cybercrime. In fact, a report from Trend Micro found that education was second to healthcare and ahead of government, retail and finance among the most-breached industries. Not only do school networks house the personally identifiable information of students, staff and alumni, but they store valuable research and intellectual property and can often provide access to other organizations.

At the same time, colleges and universities are subject to increasingly stringent and complex regulatory compliance requirements. Schools are expected to provide access to services such as banking, healthcare and IT, and process credit card payments. As a result, they must comply with regulations related to these industries, in addition to regulations that are specific to higher education.

Colleges and universities can use data classification to reduce the risk of breaches and compliance violations. Data classification is the organization of data into categories to make that data easier to prioritize, locate, access, use and manage. A documented policy for data classification explains each category, the criteria for classifying data in each category, who is responsible for managing each category (data stewardship), how data in each category must be stored and protected, the risk and consequences of a breach for each category, and what regulatory requirements, if any, apply to each category.

Data classification allows schools to manage and control access to data more efficiently and transparently. This is very important, for example, during the admissions process, when data is constantly being sent back and forth between students, admissions teams, faculty, advisers and other personnel. Data classification also makes it easier to generate reports and respond to an audit.

There are five general steps for creating a data classification policy for higher education.

1) Determine why data classification is needed and what federal, state and/or industry requirements, laws, regulations, etc. must be addressed. Because data stewardship is typically decentralized in higher education, more direction is required than in an organization in which data is centrally collected and managed.

2) Determine the roles of all involved in data classification. This is not just an IT function. There will be many data stewards, and many people who will make decisions about data identity, usage, security and ownership.

3) Determine data classification levels. “Restricted,” “sensitive,” “official use only,” “public,” “private” and “institutional” are commonly used classification levels in higher education. Some regulatory bodies and states may have defined levels that schools should use.

4) Determine the process for classifying data. What procedures will be followed, and what tools will be used, to classify data? A practical starting point is to establish an initial project team that creates procedures for a handful of data categories. This team then trains the others who will be responsible for managing data.

5) Determine how data classification will impact other security functions. How will your data classification policy affect access controls, physical security, risk and change management, the need for encryption, and security training?

Protecting data and meeting compliance standards aren’t just about deploying and properly configuring the best security tools or hiring an all-star security team. Data classification can help you determine which data needs the most protection so you can plan your security and compliance strategy.