Open joachimweyl opened 1 year ago
We don't think this information is actually a security risk. the architectural details are the point- one of the goals of this project is to expose the architectural details so that this may be understood and other sites may reproduce.
"Level 3" is really restrictive - https://security.harvard.edu/data-classification-table if any of our stuff gets classified at that level we're probably screwed - this definitely needs to be appealed. Among other things, it would seriously limit the ability for non-Harvard employees to access the information, and would prevent it from being used in published research papers.
Scott and Wayne to discuss tuesday having Scott/Wayne present to security team with context.
sent email to scott and wayne asking for an update.
While we do not believe that sharing this information publicly is an security risk we would like to better understand why Harvard feels it is.
The value of the data is in the relationships so if the data is to be obscured the relationships should be maintained; we believe doing so is going to be pretty diffic
With Scott and Wayne, they are out for next 3 weeks. I am moving to April Sprint. This is tracking for others work.
Feedback from Scott - ignoring this for now.
Next Steps
Harvard Data Security Level 3
Link to Harvard Data Security Level-3
Links shared with Havard Data Security:
Nathan Hall's response:
"Hi Justin,
Much of that would be considered Level 3 data (specifically non-security technical specifications/architecture schema). Repositories with this level of detail about Harvard systems should not be public. Obfuscated/generalized specifications or reference architecture could be shared in public repos.
Nathan"