Enforcing Data Security Policies: one approach

dricker — Sun, 02 Nov 2008 01:28:03 +0000

Choosing which sessions & presentations to attend at a conference like EDUCAUSE is a bit like being led to a table for dinner set with 20 times more food than you can eat.

And each dish is hidden underneath a towel.

And written on the towel is only the broad food group that the meal underneath belongs to: Meat, Grain, Pudding — I’m pretty sure pudding is a food group, no?

And you aren’t really looking at the actual dishes, but a black & white photograph of them. And . . . well, you get the idea.

So when it comes time to actually eat the meal you’ve chosen, sometimes it doesn’t taste quite as you’d envisioned. And this isn’t always a bad thing.

Take the Tuesday afternoon session titled simply Information Classification. The paragraph description promised a tale of how Prince George’s Community College in Maryland undertook the process of classifying and assigning security rights to all data gathered and maintained by the school.

Not quite heart-quickening stuff. But I was intrigued enough by the daunting scope of such a thing to want to hear more. Also I was curious to see how relevant the take-away would be to Thayer’s own data security efforts. So I tucked in . . .

Ajay Gupta, the Director of Security at PGCC, is engaging and funny, and spoke quite eloquently about their mammoth endeavor with a deep grasp on subtle (& not so) implications that are inherent in applying a rational order to chaos and madness.

Amazingly they did it. & he showed the spreadsheet to prove it. Wow. Lots and lots of data records to classify, let me tell you.

But he said something very interesting during the question session. He had talked a lot of the classifying and assigning ownership and abstract access rights, but almost nothing on enforcing the policies. What were the plans and tools in play for this brass-tacks part of the whole affair? Because for me, as primarily technical & support-focused, this was the filling of the pie. Yes, I am very dessert-driven.

His answer was short: “We’re not allowing any data to reside outside of the ERP system.”

I swear I could hear the needle slide off the phonograph.

Oh well. So much for my dessert.

By the way, just what the heck is an ERP system anyway? (Kidding!)

Computing@Thayer » Security

Enforcing Data Security Policies: one approach