These exercises provide you with the opportunity to apply concepts and ideas that have been presented in the text and discussion so far. They also provide you the chance to continue to look for the missing links – the needs we’ve not identified yet, or the implications of choices you’ve just made (wearing your brand-new Information Security hat) that we’ve not thought of before. In most cases, you’ll need to use an example to illustrate your reasoning; this should be a real-world example, drawn either from your own personal and professional experiences or from events reported on in the news or professional literature.
Strong Hint: You may need to go beyond the textbook, and do some additional inquiry & research on the Web, to make a meaningful and complete answer to these questions. As you do, be sure to cite your sources in your submitted answers!
This week, we’ll look more closely at data classification, and apply these concepts in a context you’re all familiar with – a modern online university! Think about your experience as a student: choosing a school, a subject area to major in, enrolling in a program, and taking courses leading to your target degree. Then look at this information system (it takes in your minds, and produces more well-educated, more powerfully thinking ones, if it’s working properly!) from two other perspectives. First, look at the overall “customer chain” that reflects the needs and wants of employers or other schools that hire or enroll a university’s graduates. Next, consider things from an investor or owner-operator perspective: the one that focuses on effective use of resources to achieve the goals of the university.
Suppose that you work for the Chief Academic Officer at this University, and you’ve been asked to develop some first thoughts about how to “classify” its data, information, and knowledge, in terms of information security and assurance needs. (You may find it best to organize your answers to these questions in tabular form, and think about how you’d present these findings to the CAO as you develop them.)
1. First, identify eight to ten major information assets – not the “information systems” or “information technology systems” that create, maintain, or make that information useful, but the information itself. Who knows what, and what do they do with it? Choose these so that they reflect the span of university activities, from marketing for new enrollments and educating students to gaining new endowments and the internal management and control of resources, plans, and programs.
2. For each information asset, develop a classification that reflects, or can guide, how much or how little control it needs. How much of each of “C-I-A” (confidentiality, integrity, availability) does each data item in that asset, or the whole asset itself, seem to need? Note that this step is not about how to protect the asset, but about why it needs how much, or what kind, of protection! Briefly explain your decision.
3. For each information asset, identify those classes or groups of users who need to use that asset (and in what ways), and link this to your classification guide.
4. Now consider a few “test cases,” apply them to your classification guide, and see if anything breaks:
   a. Research, by students or faculty, based in part on class activities; this research could ultimately lead to publication of research findings and data
   b. Regulatory reporting requirements, such as for numbers of students enrolled, successfully completing requirements, etc.; note that these reports often need to show aggregate demographic data, such as race and ethnicity, economic or employment status, home domicile or study location, financial aid use, etc.
   c. Student transcript production and distribution
   d. Course and program content evaluation and improvement, based in part on student performance (individual assignments and overall grades), student and faculty evaluation comments, etc.
   e. Complaint investigation, such as for arbitrary and capricious grading, plagiarism, etc.
5. Evaluate how well your classification guide stands up to these tests. Are modifications needed, or do you need to completely rethink things? Explain your reasoning.
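As an added illustration (not part of the assignment, and not an answer key), the Python sketch below models a toy classification guide and runs three of the test cases above against it; the asset names, C-I-A ratings and user groups are assumptions chosen for the example. A derived asset inherits the highest rating of its sources, aggregation may relax confidentiality by one step, and any user group that can reach the derived asset but not every source it was built from is reported as a “break” to resolve in step 5.

```python
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")   # how much C, I or A an asset needs


@dataclass(frozen=True)
class Asset:
    name: str
    cia: tuple                # (confidentiality, integrity, availability)
    users: frozenset          # groups that may use the asset
    aggregated: bool = False  # True when no individual is identifiable


def highest(levels):
    return max(levels, key=LEVELS.index)


def derive(name, sources, users, aggregated=False):
    """An asset built from other assets inherits the highest C-I-A rating of
    its sources. Aggregation may lower confidentiality by one step, but never
    integrity or availability: a wrong number in a report is still wrong."""
    c, i, a = (highest(s.cia[k] for s in sources) for k in range(3))
    if aggregated and c != "low":
        c = LEVELS[LEVELS.index(c) - 1]
    return Asset(name, (c, i, a), frozenset(users), aggregated)


def breaks(derived, sources):
    """Groups allowed to use the derived asset but not every source it came
    from. For identifiable data that is a gap in the guide (a release or
    consent rule is missing); aggregated data may reach a wider audience."""
    if derived.aggregated:
        return set()
    allowed = frozenset.intersection(*(s.users for s in sources))
    return set(derived.users - allowed)


# Constructed sample assets: ratings and user groups are assumptions.
GRADES = Asset("individual grades and assignment marks", ("high", "high", "moderate"),
               frozenset({"student", "faculty", "registrar"}))
DEMOGRAPHICS = Asset("student demographic and financial-aid records", ("high", "high", "moderate"),
                     frozenset({"student", "registrar", "financial aid"}))
CONTENT = Asset("course and program content", ("low", "high", "high"),
                frozenset({"student", "faculty", "curriculum committee"}))


def run_test_cases():
    """Apply test cases a, b and c; returns name -> (C-I-A rating, breaks)."""
    cases = {
        "published research from class activities": ([GRADES, CONTENT], {"faculty", "public"}, False),
        "regulatory enrollment report": ([DEMOGRAPHICS, GRADES], {"registrar", "regulator"}, True),
        "student transcript": ([GRADES], {"student", "registrar", "employer"}, False),
    }
    results = {}
    for name, (sources, users, aggregated) in cases.items():
        d = derive(name, sources, users, aggregated)
        results[name] = (d.cia, sorted(breaks(d, sources)))
    return results
```

Run as a script, the research and transcript cases each report a break (the public and the employer, respectively), which is exactly the kind of finding step 5 asks you to reason about.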