Week 3: Data Classification
Week 3: Data Classification
Do you know how important your data is?
Have you thought about where it is stored?
What would you do if your data was lost or erased?
What could happen if someone else had access to it?
The internet age is a messy place. We have data and files all over the place: on our desktops, laptops, tablets, cell phones, thumb drives, external hard drives, and in the cloud.
The UIC IT Security Program classifies data into four types: High-Risk, Sensitive, Internal and Public. As a quick guide, you can think of data classification like this: High Risk data is data that we don’t want released or modified when it shouldn’t be. Sensitive data is similar to High Risk data; it’s data that we don’t want released without proper permission, but it might not have the same reporting or protection requirements by law. Internal data is data that doesn’t necessarily have any legal requirements for protection, but is not intended for public consumption, e.g. daily workflows and emails of employees. Finally, Public data is data that is okay for anyone to see.
Why should I care about data classification? Do you file your income taxes on one of your devices? Are you a clinician that stores electronic Patient Health Information (ePHI) on your university laptop? If so, chances are that your social security number is sitting on one or more of your devices. Or maybe you receive emails from your doctor or professor with your grades. Do you store your credit card numbers or passwords in a text file on your device to keep them handy when you need it (PLEASE don’t do that!). All of these are examples of High Risk and Sensitive data… i.e. data that you really don’t want anyone else to have access to.
Once you start thinking about what data you have and how important it is, take the next step and think about where you are storing that data and whether its location and protections are appropriate for its classification.
I have High Risk data, where/how should I store it? You should always encrypt High Risk data. If you’re a staff or faculty member, this means that your laptop should be encrypted with a university approved solution. Using an approved solution means that if you forget the password to unlock your data, there is an approved and monitored procedure to help you regain access. This is called “key escrow.” If you’re a student, you can use something as simple as an encrypted ZIP file to something as sophisticated as an encrypted storage device. Just remember that you need to be very careful when choosing a secret key to lock the data. Any data that you put on the device or program that truly encrypts your data will be unrecoverable without your chosen key. The trick, as with all passwords, is to make the key impossible for someone else to guess while making it easy for you to remember. You should consider using a password manager such as KeePass (Windows), KeePassX (Mac and Linux), or LastPass (multi-platform) to securely store your passwords and encryption keys and to assist with creating a strong password by using a random password generation feature.