“Clas-si-fied (/ˈklæsɪfaɪd/)” - What’s that?
Have you ever thought about what information at CERN should or must be classified as confidential? Or public? What does “confidential” mean anyway? European law, for example, requires proper protection of your medical files. At CERN, for security reasons your passwords are yours and only yours (remember: “Your password is your toothbrush”). And it is in your own interest that your credit card details are kept confidential, too. But what about your office location, your CERN phone number, or your official photo for your CERN card?
CERN is now working on a coherent policy for classifying data, with the upcoming Data Protection Policy (DPP) currently under development by the CERN Legal Service, the GS, HR and IT Departments, and the Computer Security Team. The essential first step for such a DPP is a clear definition of which data must be kept confidential and which data can be treated as public. The draft Data Classification Policy (DCP) proposes four levels of classification: “Sensitive”, “Restricted”, “Internal” and “Public”:
• “Sensitive Data” is considered to be all data which, if disclosed, would compromise personal data privacy and/or could cause damage to CERN or its reputation or impede its work. It is highly confidential and proper protection, including data encryption or equal security, is paramount;
• “Restricted Data” is confidential, too. Its circulation is required for operational purposes but wide-spread disclosure is unacceptable. Therefore, access is only granted on a need-to-know basis;
• “Internal Data” is not confidential as such, but is intended for an internal audience only. The audience is “CERN”, i.e. all Members of the Personnel;
• Finally, “Public Data” is intended for disclosure, and the audience is unlimited.
We avoided using the term “confidential” as a classification level since it is inconsistently used at CERN and could create confusion.
Complementary to this classification scheme is a list of examples for each of these levels. While it does not claim to be exhaustive, it is intended to give guidance on how certain CERN data should be classified. It is important to have the agreement of stakeholders as CERN is currently in a transitional phase with respect to the handling of data, and the classification system will be a major development.
The full details of this draft policy and the list of examples can be found here. As this policy is currently under development, we eagerly await your feedback, comments and input, in particular on the list of examples. Please contact us at Computer.Security@cern.ch. Once approved, compliance with the DCP will be obligatory. The next step is the definition of policies for storing, accessing and transferring any kind of data, regardless of their format (digital or hard-copy) or on which media they reside. Stay tuned!
For further information, please check our web site.