Carnegie Mellon University

Guidelines for Data Protection - Approach


The University’s Information Security Policy states that all Institutional Data must be protected in a reasonable and appropriate manner based on the level of sensitivity, value and/or criticality that the data has to the University. This requirement acknowledges that different types of data require different sets of security controls. The University has defined three classifications of data for this purpose: Public, Private and Restricted. The following is a brief explanation of each. For more information, see the Guidelines for Data Classification.

Classification Definition
Public Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would results in little or no risk to the University and its affiliates.  Examples of Public data include press releases, course information and research publications.  While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.
Private Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the University or its affiliates.  By default, all Institutional Data that is not explicitly classified as Restricted or Public data should be treated as Private data.  A reasonable level of security controls should be applied to Private data.
Restricted Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the University or its affiliates.  Examples of Restricted data include data protected by state and/or federal regulations and data protected by confidentiality agreements or other contractual obligations.  The highest level of security controls should be applied to Restricted data.

This Guideline defines eight control areas.  They are as follows:

Identifier Control Area
AS Application Security
DR Disaster Recovery
EA Electronic Access Control
EN Encryption
IS Information System Security
ME Media Sanitization and Disposal
NS Network Security
PS Physical Security

Within each control area is a collection of security controls.  Each security control is assigned a unique identifier consisting of two letters and a number.  The letters represent the control area, as denoted above in the table, and the number simply provides uniqueness. Each security control is then assigned three control ratings, one for each classification of data, illustrating whether the control is appropriate.  These control ratings are defined as follows.

Control Rating Definition
Optional The security control is optional for the designated classification of data. This does not imply that the control should not be implemented. Business units that would like to go above and beyond baseline requirements are encouraged to evaluate all controls for appropriateness.
Recommended The security control is recommended for the designated classification of data but is not required due to limitations in available technology or because the control could potentially place an undue burden on a business unit to implement. Business units should document their justification for not implementing a ‘Recommended’ security control and whether or not a compensating control has been implemented.
Required The security control is required for the designated classification of data. In situations where a ‘Required’ security control cannot be implemented, the Procedure for Policy Exception Handling should be followed. This process allows for a more formalized tracking and approval of security risks across the University.

This Guideline reflects a common set of controls that are appropriate across the entire University. It is important to note that additional or more specific security controls may be required based on individual business requirements (e.g. contractual and/or regulatory obligations). Many Industry business practices and regulatory requirements have been considered in the development of this Guideline; however, it may not be comprehensive in certain situations. Business units should consider mapping contractual and/or regulatory obligations to this Guideline to ensure there are no gaps in their own controls.