Carnegie Mellon University
October 19, 2015

Data Protection – Self-Assess your Data Security

With more reliance on computer systems to store and process sensitive data, there is always a risk the information may be misused or accessed by unauthorized individuals. University technical staff are tasked with setting security controls and ensuring that private and restricted institutional data is stored and processed securely.

The Information Security Office (ISO), in support of the University Information Security Policy, developed the Guidelines for Data Protection. These guidelines balance regulatory and compliance requirements for protecting institutional data stored on computer systems or in paper files with the need for authorized individuals to access information.

The Guidelines for Data Protection ensure security of confidential information; integrity of data in university systems; and reasonable availability of information based on its data classification. The guidelines present a set of eight control areas that are appropriate across the entire University. Each control area includes a set of security controls rated under three categories: optional, recommended and required.

In observance of the National Cybersecurity Awareness Month (NCSAM), ISO encourages business units and University technical staff to map existing security controls to the Guidelines for Data Protection.

Consider the following:

  • What type of data is stored or processed on a system?
  • What level of classification does this data carry (e.g. public, private, restricted)?
  • Who is authorized to access this data?
  • What type of access controls should be implemented on this system?
  • What level of security controls should be implemented?
  • Which policies, standards and compliance requirements should the controls map to?

To assist in this evaluation, we developed a self-assessment worksheet. The worksheet includes a list of controls and instructions on how to assess each as well as additional resources.

We want to continuously improve this tool, so please send your comments and suggestions on the self-assessment worksheet to iso@andrew.cmu.edu.