Classification of IT Resources for ISORA

 

Categorization and Classification of IT Resources

There are a variety of categories and classifications of not only data, but also the criticality of resources, such as servers. A server that contains only publicly available research data, but that is critical for teaching or supporting other research might be considered critical for "Availability" and "Research", two classifications that can be assigned in the ISORA application.

System and Data Classifications

The ten classifications of a machine contained within ISORA are listed below:

Classification
Description
1 - ConfidentialityNeed to strictly limit read access to data.
2 - IntegrityData must be accurate, users must be able to trust its accuracy.
3 - AvailabilityData must be accessible to authorized persons, entities, or devices.

H - Health

Confidential information on the health of individuals.

N - Financial

Confidential information on finances

F - FERPA

Family Educational Rights and Privacy Act. Applies to privacy of student records.
S - SSNSocial security numbers and the names with which they are associated.
R - ResearchResearch data, software or systems.
U - Critical UTCritical to the operations or interests of the University.
D - Critical DepartmentCritical to the operations or interests of the Department.

System Data Categorization

There is a strong state mandated policy to protect highly sensitive data, that which is called Category I. Any of the above criteria could cause the system on which it resides to be classified as a Cat I system.

A host is considered to be a Category I device if:

  • There is a high need for confidentiality, integrity, availability (CIA) of the data processed with the host
  • The host is used to store, process, or otherwise manipulate Category I data
  • The host is considered to be critical for University or Department operations

So, what are the data categories?

Category-I Data

University data protected specifically by federal or state law or University of Texas rules and regulations (e.g., HIPAA; FERPA; Sarbanes-Oxley, Gramm-Leach-Bailey; the Texas Identity Theft Enforcement and Protection Act; University of Texas System Business Procedure Memoranda; specific donor or employee data). University data that are not otherwise protected by a known civil statute or regulation, but which must be protected due to university contractual agreements requiring confidentiality, integrity, or availability considerations (e.g., Non Disclosure Agreements, Memoranda of Understanding, Service Level Agreements, Granting or Funding Agency Agreements, etc.)  are also included (see some basic examples of Cat I data or an extended list of Category I data classification examples)

Category-II Data

University data not otherwise identified as Category-I data, but which are releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, date of birth, salary, etc.) The release of such data is still considered sensitive and the data must be appropriately protected to ensure a controlled and lawful release. Cat-II could also be data that could have greater impact in aggregate. (A floor plan may not be sensitive data, but the plans for the whole campus might be since a terrorist could use it to plan an attack.) Cat-II is data for which the release of the data might result in:

  • Short-term loss of reputation.
  • Short-term loss of research funding.
  • Short-term loss of critical departmental service.
  • Unauthorized tampering of research data.
  • Individuals put at risk for identity theft.

Category-III Data

University data that are not otherwise identified as Category-I or Category-II data (e.g., publicly available). Such data have no requirement for confidentiality, integrity, or availability. Examples include:

  • Professor's personal blog
  • Student's personal laptop with their own work not covered by copyright or otherwise protected

Acknowledgement: Much of this information was pulled from pages located on The College of Education Information Technology and The Center for Computational Biology and Bioinformatics pages on data categorization.

 

 CNS TSC Resources

Here are some useful TSC resources that are located on other sites:

ISO's Net.Contacts page: ISO's more in depth description of Net.Contacts and its fields.

TSC Tools: From here you can navigate to Net.Contacts, as well as the many other tools made available to TSCs to help them better analyze manage their networks and systems.

ISO's ISORA page: Here you'll find more in depth information published by the Information Security Office.

The ISORA application: The actual ISORA Web application. When you push out ISORA, Net.Contacts will populate the application with your systems.

Information Security Office (ISO) Official Site: ISO's main Web site for the posting of policies, guidelines and risk management.

Information Security Office (ISO) Wiki: ISO's best practices, checklists procedures and more all in one handy location that is regularly updated.