Information Technology Staff
IT staff have a unique role in data categorization. Not only do you need to categorize the data that you create or use, but you may also need to know how others are categorizing their data. If you do not know what types of data are stored on the technology you support, it is difficult to secure that data according to its category. Review the “take action” section of this page for guidance on your role in data categorization and in helping others understand the process.
Key Concepts for Data Categorization
(Resources for all four concepts can be found at: http://datacat.psu.edu/data-profile-search)
- Categorize. Know how to categorize data.
- Secure. Do your part and secure the data (everyone is responsible, not just you as an IT staff member).
- Store. Store data according to the category in permissible locations only.
- Preserve. Keep data for the proper amount of time and destroy it according to the retention schedule.
Categorize your Data
A variety of data types with corresponding categories can be found at: http://datacat.psu.edu/data-profile-types. When a combination of data types corresponds to differing categories, always use the highest category level. As an example, you may have a document that includes a combination of data categories: directory information (public data), employee home addresses (internal/controlled) and salary information (restricted). In this example, all three categories are represented; therefore, the document should be considered restricted. Check with the central Data Categorization Team (firstname.lastname@example.org) if a data type you are using is not listed or categorized.
- Bookmark the searchable site for the four key data categorization concepts and reference it often.
- Become familiar with the Minimum Security Baseline (MSB), which is a set of security controls required for certain data categories.
- Connect with your unit's Records Management Liaison (every department has an assigned liaison) to learn more about your responsibility. Contact the Records Management Program staff at 814-867-0286 to identify the liaison for your unit.
- Connect with other non-IT staff within your unit and build a professional relationship. Ask them to alert your team about new software or equipment purchase requests. In doing so, your team can make sure the necessary measures are in place to secure the data electronically and to confirm the software will not pose a security risk to the existing environment.
- Did you know that software purchases that involve internal/controlled or restricted data should be routed to either Purchasing or Risk Management prior to purchase? Click-through agreements for online access to software also require special approval by one or both of these offices, depending on the data involved. For more information, visit https://controller.psu.edu/risk-management/contract-information.
- Communicate and champion the suite of data safeguards videos, each less than six minutes long, to customers within your unit (http://datacat.psu.edu/restricted-data-safeguards-and-training/). As you know, data security is not an IT-only responsibility; every employee needs to be aware of the risks and to make good decisions about where to store the data, how to secure the data and when to destroy the data.
- Install and set up regular scans for Personally Identifiable Information (PII) on endpoints, and train staff on how to use the scanning tool. Doing so allows risks to be mitigated in advance.