Data Classification Kit
8/2/2019 Data Classification Kit
1/24
State of Ohio
Data Classification Resource Kit
Office of Information Technology and the
Data Protection Subcommittee
August 11, 2008
Multi-Agency CIO Advisory Council, Ohio Office of Information Technology, Data Protection Subcommittee: Data Classification Resource Kit
Preface
This document was created as a result of the research conducted by the Data Protection Subcommittee of the Multi-Agency CIO Advisory Council. Member agencies of the subcommittee include:
Administrative Services
Aging
Alcohol and Drug Addiction
Attorney General
Auditor of State
Board of Regents
Budget and Management
Commerce
Development
Education
EPA
eTech Ohio
Health
Industrial Commission
Insurance
Lottery Commission
Mental Health
Mental Retardation and Developmental Disabilities
Natural Resources
OAKS
Job and Family Services
Rehab and Corrections
OIT
Public Safety
PUCO
Rehab Services Commission
Taxation
Transportation
Workers Compensation
Youth Services
For more information, contact:
Statewide IT Policy
Investment and Governance Division
Ohio Office of Information Technology
30 East Broad Street, 39th Floor
Columbus, Ohio 43215
Telephone: 614-644-9352
Facsimile: 614-644-9152
E-mail: [email protected]
These materials can also be found on the Internet at: www.ohio.gov/itp
August 2008
Overview
The purpose of data classification is to assign data ownership, identify and document security requirements, and then translate such requirements into security controls and implementation costs. Data classification is not just the act of designating or labeling data as confidential or critical; it involves close collaboration between business units and IT organizations to work through issues that go well beyond IT.
This document is a compilation of resources to assist agencies in their data classification efforts. The resource kit consists of:
A diagram that illustrates the data classification process. Data classification process is typically initiated by a triggering event; for example: intake of new data sets, a proposed new business application or infrastructure capability, or an incident requiring security remediation. The diagram helps frame the event by identifying the participants and input materials needed to begin the process, as well as the outcomes the group will need to work towards. A worksheet for this diagram is available as a separate document.
A classification scale adapted to public-sector organizations and developed in the context of Ohio state government. The scale provides general parameters for low/moderate/high/extreme impact thresholds, and then relates these thresholds to the categories defined in Ohio IT Policy ITP-B.11, Data Classification.
An account of an Ohio agency's experience with engaging their business units in data classification. The agency has created a worksheet and a set of process diagrams to help guide their data classifications.
An account of the Ohio Department of Education's data classification experience using an ODE-developed tool called the Data Classification Meta Data Manager. This tool helps catalogue agency databases. Job descriptions are also included in this section for those individuals closely involved in the classification process, those who bridge the technical and business environments.
Table of Figures
Figure 1: Classification Process (p. 3)
Figure 2: Data Classification Activity Worksheet (p. 5)
Figure 3: Incident Impact Scale (p. 7)
Figure 4: ITP-B.11, State IT Policy Confidentiality Labels (p. 8)
Figure 5: ITP-B.11, State IT Policy Criticality Labels (p. 8)
Figure 6: Data Classification Process Diagram (p. 9)
Figure 7: Establish Confidentiality Subprocess Diagram (p. 10)
Figure 8: Establish Criticality Subprocess Diagram (p. 11)
Figure 9: Data Classification Meta Data Manager Startup Screen (p. 16)
Figure 10: Data Classification Meta Data Manager Data Entry Screen (p. 16)
Terms
The following terms are used throughout this document.
Availability - The assurance that information and services are delivered when needed. Certain data must be available on demand or on a timely basis.
Confidentiality - The assurance that information is disclosed only to those systems or persons who are intended to receive the information. Areas in which confidentiality may be important include nonpublic customer information, patient records, information about a pending criminal case, or infrastructure specifications.
Data - Coded representation of quantities, objects and actions. The word data is often used interchangeably with the word information in common usage.
Data owner - Individual or group responsible for classifying data and generating guidelines for its lifecycle management. Synonymous with information owner.
Impact - A combination of data confidentiality, integrity and availability. Whether a set of data is LOW, MEDIUM, HIGH, or of VERY HIGH impact will inform the criticality designation and whether or not the set should be considered sensitive data.
Information - Data processed into a form that has meaning and value to the recipient to support an action or decision. Information is often used interchangeably with data in common usage.
Information owner - Individual or group responsible for classifying data and generating guidelines for its lifecycle management. Synonymous with data owner.
Integrity - The assurance that information is not changed by accident or through a malicious or otherwise criminal act. Because businesses, citizens and governments depend upon the accuracy of data in state databases, agencies must ensure that data is protected from improper change.
A Data Classification Process
Figure 1 illustrates a collaborative data classification process activity in terms of participants, input materials, activities and outcomes. The collaboration occurs between the business and technical parts of the agency as shown in the Participants block in the figure. A particular agency instance of this process may include additional participants.
Focus on the questions Who?, What? and How? to create the appropriate level of guidance for handling data by agency line staff, IT staff and the agency's information sharing partners.
Figure 1: Classification Process
Participants - Identify the principal stakeholders. Who is the business unit data owner? Who decides how the information is utilized in the business unit or whether it is shared with other organizations? Who can provide information on the handling requirements? Who maintains the data and the security controls protecting it? Both the business and IT sides of the organization will need to be adequately represented in the process. Over time, these roles will become more recognizable and allow for refinement of the agency classification process.
Materials - Gather any documentation on where data is maintained within the agency and how data is protected. Note that the scope of this task is beyond the IT organization. Has a risk assessment been performed for any of the agency's information systems? Are potential threats, vulnerabilities, and existing security controls already documented, such as in a Privacy Impact Assessment? Are there other (e.g., federal) data classification materials that might help inform the process? What federal or state laws inform the use of the data? What other materials were used in previous data classification events? Some materials will likely need to be reviewed by participants before meeting.
Activities - Once all stakeholders and relevant documentation have been identified, designate the most appropriate data owner: that is, someone who can determine data sensitivity and can also work with senior executives to determine data criticality. This is most often the unit that collects or uses the data. Ensure that existing security controls are consistently applied to data using the classification scheme. Identify whether any data is improperly categorized or secured, or even if the data needs to be collected at all.
Outcomes - The ultimate goal of the data classification collaborative activity is to:
Establish and document the identification of ownership for a particular set of data.
Ensure that the minimum amount of data is collected to support the business use. This goal may involve reducing the amount of data that the agency collects. Streamlining the data collection process not only reduces the amount of storage needed to maintain a data set, it also minimizes the amount of risk and liability the agency assumes in collecting and maintaining information.
Assess whether appropriate security controls are in place, and whether requirements need to be defined for additional controls.
Begin a data classification practice that can be repeated for other data sets.
The data classification activity will enable the IT part of the agency to have a clearer understanding of how data owners require their data to be handled during operations. IT's responsibility then becomes the proper administration of security controls.
Figure 2: Data Classification Activity Worksheet
This worksheet in MS Word format may also be found at www.ohio.gov/itp
Incident Impact Scale
During the classification event, a tool to measure the impact of a security breach incident on the agency is helpful to gauge data sensitivity. An example of such a scale is shown below as Figure 3. This generic scale must be adjusted to be compatible with the agency valuation of data in specific contexts or applications. The agency baseline protection required by State of Ohio IT policies should be adequate for all assets with LOW sensitivity. Ratings of MODERATE and HIGH imply additional forms of protection. Use of rating EXTREME should be rare.
Figure 3: Incident Impact Scale
Each impact factor is rated LOW (default), MODERATE, HIGH or EXTREME (rare):

Ability to Perform
  LOW: None or slight
  MODERATE: Duration < 1 day; staff impact < 10% of agency staff downtime; information system downtime, project delay
  HIGH: Duration > 1 day; staff impact > 10% of agency staff downtime; impacts a mission critical process
  EXTREME: Complete compromise

Victim's Welfare
  LOW: None or slight
  MODERATE: Individual: delay in benefits or service, undue stress
  HIGH: Loss of benefits or service, privacy, doctor-patient privilege, attorney-client privilege, trade secrets, IP
  EXTREME: Serious injury or loss of life

Victim's Financial Burden
  LOW: None or slight
  MODERATE: Individual: loss of 1 month's income or benefits or service; Business: loss of 1 month's income
  HIGH: Individual: loss of 1+ months' income or benefits or service; Business: loss of 1+ months' income
  EXTREME: Permanent loss of all income or benefits or services

Financial Remediation
  LOW: None or slight
  MODERATE: < $25K (or within agency spending authority)
  HIGH: Amount requires OIT or Controlling Board approval
  EXTREME: Equal to 100% of agency budget

Financial Sanctions
  LOW: None or slight
  MODERATE: < $25K (or within agency spending authority); percent of agency budget
  HIGH: Amount requires OIT or Controlling Board approval; percent of agency budget
  EXTREME: Equal to 100% of agency budget

Legal Impact
  LOW: None or slight
  MODERATE: Limited risk associated with a civil suit; limited regulatory requirements
  HIGH: Significant risk associated with a civil suit; stringent regulatory requirements

Reputation
  LOW: None or slight
  MODERATE: Intense media scrutiny; budget reductions; loss of political capital
  HIGH: Loss of public confidence; loss of legislature support/funding
  EXTREME: Loss of statutory authority
Below is a possible mapping of Impact Scale to State of Ohio Data Classification Labels after considering the probability associated with the occurrence of a particular security breach incident.
Confidentiality labels: PUBLIC, LIMITED ACCESS, RESTRICTED
Criticality labels: LOW, MEDIUM, HIGH, VERY HIGH
When using the incident impact scale, consider the following aspects of the data set:
Confidentiality - if data is disclosed, how serious are the consequences? A public record disclosure will likely have a very low impact on an agency; a breach involving restricted data may incur significant costs or a loss of public confidence.
Integrity - if data is lost (i.e., deleted), what is the impact on agency business processes? What amount of resources would be necessary to recapture the data? Does this data need to be collected anyway?
Availability - if information is not available for a business transaction, what is the result?
Use the incident impact scale to inform the appropriate categories for data as required by ITP-B.11, Data Classification. Each data set will require a confidentiality and criticality label from Figures 4 and 5.
Figure 4: ITP-B.11, State IT Policy Confidentiality Labels
PUBLIC - Includes information that must be released under Ohio public records law or instances where an agency unconditionally waives an exception to the public records law.
LIMITED ACCESS - Applies to information that an agency may release if it chooses to waive an exception to the public records law and places conditions or limitations on such a release.
RESTRICTED - Applies to information, the release of which is prohibited by state or federal law. This label also applies to records that an agency has discretion to release under public records law exceptions but has chosen to treat the information as highly confidential.
Figure 5: ITP-B.11, State IT Policy Criticality Labels
LOW - The loss of data integrity or availability would result in insignificant or no financial loss, legal liability, public distrust, or harm to public health and welfare.
MEDIUM - The loss of data integrity or availability would result in limited financial loss, legal liability, public distrust, or harm to public health and welfare.
HIGH - The loss of data integrity or availability would result in significant financial loss, legal liability, public distrust, or harm to public health and welfare.
VERY HIGH - The loss of data integrity or availability would result in catastrophic financial loss, legal liability, public distrust, or harm to public health and welfare.
Study A: Agency Data Classification Initiative
Introduction
The Ohio agency has developed a set of process diagrams and a worksheet (see Data Classification Worksheet, p. 13) to help guide the data classification event. Completion of the worksheet initiates the classification process. A diagram of this process is provided in Figure 6.
Figure 6: Data Classification Process Diagram
Define scope of data classification effort: Personnel involved in the Data Classification team are identified along with their division and unit. The Data Classification team also determines which datasets are included in a classification event. This may be a particular information system or a general area of interest.
Document data fields of the data set: The discrete components of the data set are catalogued. This may be individual data fields, a set of sequential files, or other data schemes.
Document data use: The business reasons for compiling each data component are identified and catalogued. What drives the collection of this information: legal compliance? business intelligence?
Document data origin/source: Federal, state, and other internal data sources are documented. For data drawn from customers, a distinction is made between business and individual types of customers.
Document data distribution: The Data Classification team documents any other information systems and business processes supported by the data set. Relationships with external organizations that access the data set are identified.
Determine data classification labels: The Data Classification team assigns confidentiality and criticality labels to the dataset (see Figures 7 and 8). The rationale for using a particular label is also documented.
Determine data retention requirements: The Data Classification team identifies the length of the retention period for the data set, whether it is stored on-line or off-line, and the manner in which data is destroyed.
Document data business continuity/disaster recovery requirements: A determination is made as to whether the business unit can function without the data, and if so, for how long.
Update disclosure/security awareness training: Incident response disclosure or security awareness training materials related to the data set are updated to reflect any changes as a result of classification.
Figure 7: Establish Confidentiality Subprocess Diagram
The subprocess shown in Figure 7 is used to determine the appropriate confidentiality label for a dataset. This elaborates on the "Determine data classification labels" step shown in Figure 6. Data is categorized as either public or non-public information. If the data is not PUBLIC, an additional set of criteria is applied to determine if access or other security controls are necessary. The process concludes in the assignment of a confidentiality label.
Figure 8: Establish Criticality Subprocess Diagram
The subprocess shown in Figure 8 is used to determine the appropriate criticality label for a dataset. This elaborates on the "Determine data classification labels" step shown in Figure 6. Different forms of loss (down time, reputation, money) are used to determine the impact of losing data. The process concludes in the assignment of a LOW, MEDIUM or HIGH criticality rating.
Data Classification Worksheet
The purpose of this worksheet is to gather information necessary to classify and label agency data. Please fill in any information you can supply. A Data Classification team consisting of agency personnel who are most familiar with the applicable system will be tasked with contributing to this effort.
Scope (system or area of interest):
Contributors (Name, Division, Unit):
Data Owner:
Document dataset(s), sequential files, data field(s), security matrix, external data feeds, etc. (attach listing if appropriate; large systems list generic naming convention/qualifier):
Data Classification (see process flows for assistance)
  Determine data confidentiality class: Restricted / Limited Access / Public. Why:
  Determine data criticality class: Very High / High / Medium / Low. Why:
Data Usage
  Who accesses the data?
  What levels of access are applicable (view/update)?
  When was the last review of system users and their access levels?
  Is the same data stored/duplicated anywhere else? If yes, where? Can the data be consolidated?
  Is ALL of the data collected being used?
  Can any of the data be reduced or eliminated?
Data Origin
  List Federal sources:
  List State sources:
  Other Agency System(s):
  Customer(s): Business / Individual
Data Distribution
  Does this data feed other internal system/business processes? List all that apply.
  Is this data shared with external agencies or other entities? List all that apply.
  If yes, what controls/safeguards are in place to protect this data when it leaves our systems?
Data Retention
  How long is the data retained? Why?
  What is the business requirement for retention?
  What are the legal requirements for retention?
  Where is the data retained? On-line / Off-line
  How is old data destroyed?
Disaster Recovery
  Can the Business Unit function if the data is unavailable? If yes, for how long?
Training
  Does training need to be updated?
  Disclosure Training. Describe changes needed:
  Security Awareness training. Describe changes needed:
A meeting will be scheduled to formally discuss and classify the applicable system/data. Please come to the meeting prepared to provide as much applicable information as possible.
This worksheet in MS Word format may also be found at www.ohio.gov/itp
Study B: Department of Education Data Classification Initiative
Introduction
The Ohio Department of Education (ODE) maintains a comprehensive data warehouse and a substantial number of subordinate databases containing academic and fiscal data, including a significant amount of sensitive personal information. To help understand this mass of data and determine appropriate security requirements for its protection, the agency has created a data classification process with software to support it. This section describes the components of the agency's tool and some of the business processes supporting its usage.
Business Unit
The agency's data classification effort began in 2004 with the development of a group of experienced business analysts involved in data management roles. This group was established to integrate data management into the agency program offices.
Each of these analysts represents a major functional area within the agency:
Center for Curriculum and Assessment
Center for Operations
Center for School Finance
Center for School Improvement
Center for Students, Families, and Communities
Center for the Teaching Profession
Superintendency/Chief of Staff/Policy Research and Accountability
Some functional areas have more than one analyst. A majority of these analysts are classified as Data Administration Managers 1 or 2, with one level 3 to manage the group (see appendixes for position descriptions). The group meets on a weekly basis. While the members are embedded in each of the functional business areas of the agency, they report through the Data Management Office, which is an element of the Information Technology Office.
Tool Development
With the development of the Information Security Program, the agency identified the need to have a tool to help catalog and classify the information being used by the agency. The first generation of the classification tool began as an MS Excel spreadsheet, though this format later proved too cumbersome. The agency also examined a university-developed application, though this tool did not meet the agency requirements. Finally, a decision was made to develop the application internally.
Mini-data dictionaries from all the production databases were compiled into an MS Access database dubbed Data Classification Meta Data Manager. Database system tables (i.e., metadata) were determined to be out of scope for the effort and not included in the compilation. Once all table and field structures were absorbed into the Meta Data Manager, work began on identifying information owners for each dataset.
Entry into the application begins through the screen shown in Figure 9.
Figure 9: Data Classification Meta Data Manager Startup Screen
The user selects a particular database to work in. Actual data entry occurs in the screen shown in Figure 10.
Figure 10: Data Classification Meta Data Manager Data Entry Screen
Classification is table-based, i.e., users select a table within a database and then determine its classification and criticality. The currently selected database and table name appear in the upper-left, and the grid in the center displays each field contained inside the table. The set of controls in the upper-right permit the user to indicate:
the Information Owner for the data set;
the name of the Data Manager performing the most recent edit;
the Classification assignment: PUBLIC, FOR INTERNAL USE (LIMITED USE), or RESTRICTED, as defined in Ohio IT Policy ITP-B.11, Data Classification;
the Criticality assignment: LOW, MEDIUM, HIGH, or VERY HIGH, as defined in ITP-B.11; and
whether Personally Identifiable Information exists in the table.
Where an owner for a particular set of data cannot be identified, the agency's chief information officer works with agency senior leadership to determine ownership.
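A catalogue of per-table records like the one the Meta Data Manager keeps can be checked mechanically for the gaps this section and the worksheet call out: tables with no information owner, labels outside ITP-B.11, and copies of a data set labelled less restrictively than their source. The Python below is an added example written for this page, not ODE's own tool; the records are constructed, the duplicate_of field and the PII-but-PUBLIC review prompt are assumptions made for the example, and the labels follow Figures 4 and 5.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ITP-B.11 labels as given in Figures 4 and 5, ordered least to most restrictive / critical.
CONFIDENTIALITY = ("PUBLIC", "LIMITED ACCESS", "RESTRICTED")
CRITICALITY = ("LOW", "MEDIUM", "HIGH", "VERY HIGH")


@dataclass
class TableRecord:
    """One catalogue row: the per-table attributes the data entry screen records."""
    database: str
    table: str
    owner: Optional[str]            # information owner; None when none has been identified yet
    data_manager: Optional[str]     # data manager who made the most recent edit
    confidentiality: str
    criticality: str
    has_pii: bool
    # Assumed extra field for this example: "database.table" this copy was taken from,
    # answering the worksheet question "Is the same data stored/duplicated anywhere else?"
    duplicate_of: Optional[str] = None


def _rank(label: str, scale: Tuple[str, ...]) -> int:
    """Position of a label on its scale, or -1 if the label is not on the scale."""
    return scale.index(label) if label in scale else -1


def check_catalogue(records: List[TableRecord]) -> List[Tuple[str, str]]:
    """Return (database.table, finding) pairs the classification team should revisit."""
    by_key: Dict[str, TableRecord] = {f"{r.database}.{r.table}": r for r in records}
    findings: List[Tuple[str, str]] = []
    for key, rec in by_key.items():
        if not rec.owner:
            # Page's rule: where no owner can be identified, the CIO works with
            # senior leadership to determine ownership.
            findings.append((key, "no information owner; escalate to CIO and senior leadership"))
        conf_rank = _rank(rec.confidentiality, CONFIDENTIALITY)
        if conf_rank < 0:
            findings.append((key, f"confidentiality label {rec.confidentiality!r} is not an ITP-B.11 label"))
        if _rank(rec.criticality, CRITICALITY) < 0:
            findings.append((key, f"criticality label {rec.criticality!r} is not an ITP-B.11 label"))
        if rec.has_pii and rec.confidentiality == "PUBLIC":
            # Assumed review prompt: PII can lawfully be a public record, so this is a
            # question for the data owner, not an automatic relabel.
            findings.append((key, "PII present but labelled PUBLIC; confirm public records law requires release"))
        if rec.duplicate_of:
            src = by_key.get(rec.duplicate_of)
            if src is None:
                findings.append((key, f"copy of {rec.duplicate_of}, which is not in the catalogue"))
            else:
                src_rank = _rank(src.confidentiality, CONFIDENTIALITY)
                # A copy discloses the same information as its source, so it must not
                # carry a less restrictive confidentiality label than the source.
                if 0 <= conf_rank < src_rank:
                    findings.append((key, f"confidentiality {rec.confidentiality} is below source "
                                          f"{rec.duplicate_of} ({src.confidentiality})"))
    return findings


# Constructed sample catalogue; databases, tables and names are invented for the example.
SAMPLE_CATALOGUE = [
    TableRecord("Finance", "Vendor_Payments", "Fiscal Services", "J. Lee", "LIMITED ACCESS", "HIGH", False),
    TableRecord("Students", "Enrollment", "Office of Assessment", "M. Ortiz", "RESTRICTED", "VERY HIGH", True),
    TableRecord("Reporting", "Enrollment_Extract", "Office of Assessment", "J. Lee", "PUBLIC", "LOW", True,
                duplicate_of="Students.Enrollment"),
    TableRecord("Legacy", "Grant_Apps_2004", None, None, "Internal", "MEDIUM", False),
]

if __name__ == "__main__":
    for key, finding in check_catalogue(SAMPLE_CATALOGUE):
        print(f"{key}: {finding}")
```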
Challenges and Solutions
As with any classification effort, the agency encountered some challenges. The following section addresses the challenges faced and solutions developed by ODE.
Challenge: Information inventory - As with any organization, information comes into ODE through a number of avenues. Because not all information is stored in enterprise databases, locating information and information stores is difficult for someone outside of the individual business areas. This makes it critical for the business units to understand the effort and assist in the process.
Solution: As discussed earlier in this study, the agency has leveraged the data management structure to aid in data classification. This unit understands the data being used in the various functional areas and has direct contact with the individual information owners to assist with proper classification. The tool ODE developed also aids in the process by creating a single repository to collect classification information.
ODE began by classifying its production database tables. This allows the agency to classify a large amount of data quickly. Using the production databases to begin its effort allowed the agency to learn about information classification using data stores that are well understood.
The tool was designed to allow ODE to expand the classification to a more granular field-level solution in the future. The tool is also versatile enough to allow the agency to expand it to office-level data stores as our classification effort matures.
Challenge: Clear Direction - Policy is the foundation of any classification effort but policy alone will not solve the problem. Any classification effort will require a strong champion at appropriate levels of the organization and a clear direction.
Solution: ODE developed their classification model based on Ohio IT Policy ITP-B.11, Data Classification. This gave us the basic framework for classification and allowed the agency to focus on the "how" rather than the model itself.
ODE Senior Leadership supported the Information Security efforts from the outset, beginning with the agency-wide directive establishing the program. This directive set the tone at the top of the agency that Information Security was a priority. In addition, the directive established an Information Security Steering Committee that is made up of business unit leaders from all areas of the agency. This committee reviews all information security policies prior to them being sent to Senior Leaders for approval. Because the committee is representative of the agency as a whole, there are champions of the effort in virtually every business unit.
Page 17 Study B: Department of Education Data Classification Initiative August 2008
Challenge: Organization - Using an embedded personnel structure requires clearly defined roles and responsibilities to reduce the tendency to think of the embedded role as another FTE to use for miscellaneous tasks.
Solution: The agency struggled with this initially, but through continued meetings with business unit leaders and support from Senior Leaders, the position has become more clearly defined. The position descriptions in the appendices are now a starting point to clarifying the roles and responsibilities of the data manager. More detailed job duties will be included in future position descriptions, including information security responsibilities.
Future Benefits
ODE believes that it will realize many future benefits from using this approach to data classification.
Legacy and production staff can use the classification tool to evaluate new systems before they are made available online to assess if sensitive data derived from older systems is present.
When complete, the classification tool will aid report creators in properly classifying the reports based upon the classification of data being used.
The agency currently leverages the Data Management team to minimize extraneous/unnecessary data collected and to further align information usage in accordance with Ohio Revised Code 1347. Using the classification tool, the Data Management team will be able to have a more comprehensive view of what is being collected in the various business units.
Job Duties for Data Administration Manager 1
CLASS TITLE: Data Administration Manager 1
CLASS NUMBER: 67171
BARGAINING UNIT: EX
JOB DUTIES IN ORDER OF IMPORTANCE: (These duties are illustrative only. Incumbents may perform some or all of these duties or other job-related duties as assigned.) Participates as part of team of information technology professionals &/or program staff to develop, publish & enforce policies regarding data administration that are consistent with department's long term direction, works in conjunction with area responsible for developing standards for new & existing data definition (e.g., name, length, field), conducts product evaluations & makes recommendations for appropriate software selection to maintain data administration information, assists in design & development of databases to include database security measures/controls, determines how data is accumulated & maintained (e.g., update, security &/or backup procedures), determines who has access rights to levels of data, sets archive policies for data (e.g., identifies data to be archived; where to archive; how to archive) & specifies how data & definitions are removed from system.
Maintains data dictionary; ensures all items & definitions in data dictionary are documented; creates & maintains cross reference documents to other programs &/or data items; ensures system definition follows metadata; ensures data is used & maintained in line with vision of department by reviewing logical data models &/or information gained via feasibility studies &/or general system design document; works with staff in standards area to ensure naming standards are consistent & follow all procedures that have been set forth by department; works with database analysts in turning logical data model into physical data model; provides technical support to on-going data development efforts.
Attends seminars &/or classes for training in database &/or data administration (i.e., purpose of training is to develop & refine established skills & enable incumbents to work independently as data policy manager & to stay abreast of new technologies related to data administration); researches & refers to programming standards manuals or technical computer documentation to assist in program development or problem solving; operates computer terminal to access, enter, retrieve & test data.
Job Duties for Data Administration Manager 2
CLASS TITLE: Data Administration Manager 2
CLASS NUMBER: 67172
BARGAINING UNIT: EX
JOB DUTIES IN ORDER OF IMPORTANCE: (These duties are illustrative only. Incumbents may perform some or all of these duties or other job-related duties as assigned.) Independently or leads team of information technology professionals &/or program staff to develop, publish & enforce policies regarding data administration that are consistent with department's long term direction, monitors long term system integration, works in conjunction with area responsible for developing standards for new & existing data definition (e.g., name, length, field), determines appropriate software selection to maintain data administration standards, writes software procurement justifications, provides input in design & development of databases (e.g., ensures effective use of data; determines data end user needs; where data is stored; how current data needs to be; what metadata describes data; where data elements originate from in systems flow; what business transactions cause data to enter system; what causes data to be updated), determines how data is accumulated & maintained (e.g., update, security &/or backup procedures), determines who has access to levels of data, sets archive policies for data (e.g., identifies data to be archived; where to archive; how to archive), specifies how data & definitions are removed from system & provides mentoring &/or acts as lead worker (i.e., provides work direction & training; tracks status of projects) over lower-level data administration managers &/or other information technology personnel.
Assists upper management in developing corporate information strategies; ensures strategies from high-level management are implemented; maintains &/or oversees maintenance of data dictionary; ensures all items & definitions in data dictionary are documented & cross referenced to other programs &/or data items & updated; ensures system definition follows metadata; ensures data is used & maintained in line with vision of department; works with staff in standards area to ensure naming standards are consistent; works with database analysts in turning logical data model into physical data model; provides technical support to on-going data development efforts.
Attends seminars &/or classes for training in database &/or data administration (i.e., purpose of training is to develop & refine established skills & enable incumbents to work independently as data policy manager & to stay abreast of new technologies related to data administration); researches & refers to programming standards manuals or technical computer documentation to assist in program development or problem-solving; operates computer terminal to access, enter, retrieve & test data.
Data Classification Resource Kit
August 2008
Statewide IT Policy
Investment and Governance Division
Ohio Office of Information Technology
30 East Broad Street, 39th Floor
Columbus, Ohio 43215
Telephone: 614-644-9352
Facsimile: 614-644-9152
E-mail: [email protected]