There are a variety of categories and classifications of not only data, but also the criticality of resources, such as servers. A server that contains only publicly available research data, but that is critical for teaching or supporting other research might be considered critical for "Availability" and "Research", two classifications that can be assigned in the ISORA application.
The ten classifications of a machine contained within ISORA are listed below:
| Classification | Description |
|---|---|
| 1 - Confidentiality | Need to strictly limit read access to data. |
| 2 - Integrity | Data must be accurate; users must be able to trust its accuracy. |
| 3 - Availability | Data must be accessible to authorized persons, entities, or devices. |
| H - Health | Confidential information on the health of individuals. |
| N - Financial | Confidential information on finances. |
| F - FERPA | Family Educational Rights and Privacy Act. Applies to privacy of student records. |
| S - SSN | Social security numbers and the names with which they are associated. |
| R - Research | Research data, software or systems. |
| U - Critical UT | Critical to the operations or interests of the University. |
| D - Critical Department | Critical to the operations or interests of the Department. |
There is a strong state-mandated policy to protect highly sensitive data, which is called Category I. Any of the above criteria could cause the system on which such data reside to be classified as a Cat I system.
A host is considered to be a Category I device if it holds:
University data protected specifically by federal or state law or University of Texas rules and regulations (e.g., HIPAA; FERPA; Sarbanes-Oxley; Gramm-Leach-Bliley; the Texas Identity Theft Enforcement and Protection Act; University of Texas System Business Procedure Memoranda; specific donor or employee data). University data that are not otherwise protected by a known civil statute or regulation, but which must be protected because of university contractual agreements requiring confidentiality, integrity, or availability considerations (e.g., Non-Disclosure Agreements, Memoranda of Understanding, Service Level Agreements, Granting or Funding Agency Agreements, etc.), are also included (see some basic examples of Cat I data or an extended list of Category I data classification examples).
Category II data are University data not otherwise identified as Category-I data, but which are releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, date of birth, salary, etc.). The release of such data is still considered sensitive, and the data must be appropriately protected to ensure a controlled and lawful release. Cat-II can also be data that have greater impact in aggregate. (A floor plan may not be sensitive data, but the plans for the whole campus might be, since a terrorist could use them to plan an attack.) Cat-II is data for which the release of the data might result in:
University data that are not otherwise identified as Category-I or Category-II data (e.g., publicly available data) have no requirement for confidentiality, integrity, or availability. Examples include:
Here are some useful TSC resources that are located on other sites:
ISO's Net.Contacts page: ISO's more in depth description of Net.Contacts and its fields.
TSC Tools: From here you can navigate to Net.Contacts, as well as the many other tools made available to TSCs to help them better analyze and manage their networks and systems.
ISO's ISORA page: Here you'll find more in depth information published by the Information Security Office.
The ISORA application: The actual ISORA Web application. When you push out ISORA, Net.Contacts will populate the application with your systems.
Information Security Office (ISO) Official Site: ISO's main Web site for the posting of policies, guidelines and risk management.
Information Security Office (ISO) Wiki: ISO's best practices, checklists, procedures and more, all in one handy location that is regularly updated.