Allen acknowledges that Baylor's philosophy is still evolving into an actual practice and has yet to reach its full potential. The practice, which has its roots in risk management, allows the university to identify which data carries a low-occurrence, low-impact risk and which should be assigned to a higher category of concern. "If it's a low occurrence but has a big impact if something happens, then it's categorized as high risk," he explains.
Baylor isn't the only higher-ed institution that uses data classification to manage risk and security. Tom Davis, the chief security officer at Indiana University, has assigned members of his team to work with high-ranking individuals from each area of the institution who have responsibility for broad swathes of data. Their goal is to determine what standards and restrictions are required for different types of data, Davis says.
Likewise, Georgia State's Clark started focusing on data back in 2008. She says her team spent a year working with so-called "data stewards" in each area to study which professionals needed access to what data and how much protection should be assigned to safeguard that data.
"We need to start thinking differently about what other things we can do to protect our data," Allen says. "For a long time, we were putting out fires, but what would be better is to find the combustible before it even starts to smolder."
That's a philosophy that applies not just to data classification but to universities' security efforts in general: staying out in front of the ever-changing landscape of threats.
"The people leading the way understand that it's not a single product" that will make their myriad systems secure, says Michael Maloof, CTO at TriGeo Network Security, a Post Falls, Idaho-based security software firm that counts institutions of higher education among its clients. "There's no one thing, no silver bullet. It's a layer of things, and it's an ongoing process."