October 07, 2011

Data Security Resources

A list of what a proper resource solution should provide to meet recommended data security practices. This is a proposed organization.

-------------------------
Data Classification

There are a host of documents available through IIA but I'm relatively familiar with them so will skip. The following are one-off documents that appear to be somewhat homeless but still may be useful.

A 2008 memo on sensitive data handling. To summarize, no sensitive data on desktop computers, removable storage or email.

Guidelines for the Contract for Obtaining Sensitive Data from the Toledo Adolescent Relationships Study - an example of a highly specific data handling agreement that covers collaborators, backups, replication, destruction, transmission and other facets of data storage.

Protecting Confidential Data on Personal Computers with Storage Capsules - A paper by UM researchers on a method for isolating sensitive data on a desktop computer from malware that may reside on the computer.

Criteria for sensitive data protection plans - storage requirements for sensitive data; derived data is addressed; network solutions need not apply.

Research Data Strategy: Considerations of the Blue Ribbon Panel - Interesting snippet:

"Data is often not classified leading to data either being over protected because everything is treated like sensitive data or everything is under-protected by treating everything as public data"

-----------------
Appropriate Data Storage Solution

Should cover:

Access Authentication
Access Authorization
Access/Activity Logging
Account Management
Password Management
Disaster Recovery/Business Continuity Plan

Available Resources:

East Hall's IT group has a pretty good list up. Sensitive data seem to be a deal breaker, however. Value Storage's FAQ states that it "is not intended for data that is [sic] considered sensitive, private/confidential or critical to the operation of the university. Value Storage may be considered for such data when the customer environment is tightly managed according to the guidance provided below."

Mainstream Storage's Service Level Agreement recommends users "exercise caution when storing sensitive data in Mainstream Storage space."

-----------------------------------
Encryption Solution

Should cover:

Digital Media Protection

Available Resources:
SafeComputing on Mobile Device Security (MDS) appears to be the best single UM-derived resource. It includes webcast walkthroughs on protecting data in motion and at rest.

White Paper on MDS. See page 3 for practical recommendations.

A more exhaustive take on MDS targeting IT folks is also available from this site.

------------------
Backup Solution

Should Cover:
Backup Requirements
Disaster Recovery/Business Continuity Plan

Available Resources:
As I understand it, Tivoli Storage Manager (TSM) Backup Service will be available for researchers within LSA soon.

This should assist in meeting Disaster Recovery needs because TSM "has full UPS redundancy, enhanced electrical systems, fire protection, security systems, and environmental alarms...[and] is replicated".

---------------
Physical Security Solution

Should cover:

Physical Security - Mandatory
Physical Security - Recommended

Resources:
Not much right now. A likely outdated document with contact information identifying who to contact if, for example, you want to put in a key request at the LSA. I have a feeling this doesn't apply at the unit level in all instances.

---------------------------
Don't Require Solution

Should cover:
Third Party Data Handling
Audit/Review (of applicable procedures)

-------------------------------
Training Opportunity Solution

Should Cover:
Training and Awareness of Data Handling and Applicable Regulations

------------------------------------


Miscellaneous

Notes from LSA IT on secure server configuration are available here.

Posted by kkwaiser at October 7, 2011 10:06 AM
