Data Classification and Risk Assessment

In order for appropriate decisions to be made about how data should be protected, we must first understand what we are protecting. A formal, campus-wide data classification initiative will allow us to classify all data according to its sensitivity. The classification will be followed by a risk assessment to understand how systems are used and how they must be protected.

  1. Classify data according to its sensitivity.
  2. Make the campus aware of the data classifications.
  3. Conduct a risk assessment to determine appropriate security controls.

How will this change affect me?

Conducting the data classification and risk assessment
System owners, system administrators, data owners and data custodians will be involved in the data classification and risk assessment. (See the Roles and Responsibilities Initiative for information on these security roles.) Those conducting the data classification and risk assessment may seek the input of any user to understand how data or systems are used by the university. The university has conducted risk assessments of IT systems in the past and in general the same concept will be applied.

Results of the data classification
Data owners will classify all university data into one of three levels: public, internal or restricted. (See the introduction of the initiatives for an explanation of the classifications.) When the classification is completed, it will be communicated to users, and users are encouraged to ask about a data type's classification if they are unsure.

For each classification level there will be certain requirements specified for handling such data. These requirements will be developed into an easy-to-read reference that will be available to all university IT system users. Commensurate with the sensitivity of the data, restricted data will be subject to the most rigorous data handling requirements.

Results of the risk assessment
The risk assessment will document the perceived risks associated with an IT system so that decisions can be made about how to protect the system appropriately. The outcomes of the risk assessment will be used to determine appropriate security controls for university IT systems.

Ongoing process
Going forward, the data classifications and risk assessments will be reviewed and updated as needed to support decision-making regarding IT systems.

When will this change happen?

This process has begun.

Spring 2009:

  • The data classification process began with the participation of over 80 employees in data classification workshops.

Summer 2009:

  • Data classifications have been compiled and a meeting of all data owners is being coordinated for September 2009.

Who can I contact with questions or concerns?

Contact information for the Information Security Office is listed to the right.

Last updated:

August 27, 2009