UC InfoSec

UC Home

Maps

A-Z Index

Web Search

People Search

Blackboard OneStop Libraries BOL E-mail UCMail

UC Tools

From the AVP
Events
How To...
Top 10...
Threat/Countermeasure
Software Guide
Training & Education
Media - RSS Feeds

Compliance & Law
InfoSec Policies
Projects
Risk Management
Standards & Guidelines
Services
Meet the Team

InfoSec Home
UCit Home

Myths of Information Security:
Everything needs to be protected!

When you think about the total amount of data that goes across our university on a daily basis protecting all of it becomes a daunting, if not impossible, task. It is hard to wrap one’s mind around how much a gigabyte of data is, let alone trying to conceptually understand what a terabyte of data is! Does it seem that current regulatory requirements and Information Security professionals are saying that all this data needs to be protected? Not true… that is a myth generated to scare the masses! For most of our departments or colleges the reality is that only 5-10% of the data that transverses their infrastructure or sits within electronic and physical filing cabinets is sensitive enough to need protection.

How do we differentiate between data that needs to be protected and data that does not need protected? One answer is for us to embrace a campus wide data classification scheme that allows the owner of the data to decide which of their data should be treated as:

Highly Restricted
Sensitive
Public

Once data owners classify their data they can then make smart choices about which data to protect and which data not to protect. This also allows the site data owners to save money by purchasing tools or establishing business processes that protect the 5-10% of data that requires extra protection vs. trying to protect 100% of the data flowing through their work areas.

To be clear, I am not saying that we need to choose between protecting a small percentage of our data or maintaining our IT independence or freedoms. I am saying that by focusing on the small amount (5-10%) of data that truly needs to be protected we can lessen the complexity and obtrusiveness of data protection and regulatory compliance while reducing the cost of people, time and dollars.

We are the custodians of data that we are legally required to protect and secure. To do this will require small sacrifices on our part, like having to wear a seat belt when driving a car in Ohio, but if we focus our attention and tightened security on the small percentage of data that needs to be protected we might actually find out that we can have our security and our freedoms too.

- Kevin L. McLaughlin

Myths of Information Security: Everything needs to be protected!

- Kevin L. McLaughlin

Featured Article

Myths of Information Security:
Everything needs to be protected!