Baylor isn't the only higher-ed institution that uses data classification to manage risk and security. Tom Davis, the chief security officer at Indiana University, has assigned members of his team to work with high-ranking individuals from each area of the institution who have responsibility for broad swathes of data. Their goal is to determine what standards and restrictions are required for different types of data, Davis says.
Likewise, Georgia State's Clark started focusing on data back in 2008. She says her team took a year working with so-called "data stewards" in each area to study which professionals needed access to what data and how much protection should be assigned to safeguard that data.
"We need to start thinking differently about what other things we can do to protect our data," Allen says. "For a long time, we were putting out fires, but what would be better is to find the combustible before it even starts to smolder."
That's a philosophy that applies not just to data classification but to universities' security efforts in general -- to stay out in front of the ever-changing landscape of threats.
"The people leading the way understand that it's not a single product" that will make their myriad systems secure, says Michael Maloof, CTO at TriGeo Network Security, a Post Falls, Idaho-based security software firm that counts institutions of higher education among its clients. "There's no one thing, no silver bullet. It's a layer of things, and it's an ongoing process."
Pratt is a Computerworld contributing writer in Waltham, Mass. You can contact her at firstname.lastname@example.org.
This story, "Universities that get security right" was originally published by Computerworld.