Data Classification Procedures
The purpose of this procedure is to establish a framework for classifying institutional data based on its level of sensitivity, value and criticality to the University. Classification of data will aid in determining baseline security controls for the protection of data.
These procedures apply to all employees who are responsible for classifying and protecting Institutional Data.
Confidential Data is a generalized term that typically represents data classified as Restricted, according to the data classification scheme defined in this Guideline. This term is often used interchangeably with sensitive data.
A Data Steward is a senior-level employee of the University who oversees the lifecycle of one or more sets of Institutional Data.
Institutional Data is defined as all data owned or licensed by the University.
Non-public Information is defined as any information that is classified as Private or Restricted Information according to the data classification scheme defined in this Guideline.
Sensitive Data is a generalized term that typically represents data classified as Restricted, according to the data classification scheme defined in this Guideline. This term is often used interchangeably with confidential data.
Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the University should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of three sensitivity levels, or classifications:
A. Restricted Data
Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the University or its affiliates. Examples of Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied to Restricted data.
B. Private Data
Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the University or its affiliates. By default, all Institutional Data that is not explicitly classified as Restricted or Public data should be treated as Private data. A reasonable level of security controls should be applied to Private data.
C. Public Data
Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates. Examples of Public data include press releases, course information and research publications. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.
An appropriate Data Steward should perform classification of data. Data Stewards are senior-level employees of the University who oversee the lifecycle of one or more sets of Institutional Data.
Data Stewards may wish to assign a single classification to a collection of data that is common in purpose or function. When classifying a collection of data, the most restrictive classification of any of the individual data elements should be used. For example, if a data collection consists of a student’s name, address and social security number, the data collection should be classified as Restricted even though the student’s name and address may be considered Public information.
On a periodic basis, it is important to reevaluate the classification of Institutional Data to ensure the assigned classification is still appropriate based on changes to legal and contractual obligations as well as changes in the use of the data or its value to the University. The appropriate Data Steward should conduct this evaluation. Conducting an evaluation on an annual basis is encouraged; however, the Data Steward should determine what frequency is most appropriate based on available resources. If a Data Steward determines that the classification of a certain data set has changed, an analysis of security controls should be performed to determine whether existing controls are consistent with the new classification. If gaps are found in existing security controls, they should be corrected in a timely manner, commensurate with the level of risk presented by the gaps.
Data Storage and Distribution
Acceptable methods for storing and/or distributing University data in an electronic format are determined according to the classification of the data. The appropriate resources that can be used are defined as follows:
A. Restricted Data
- Banner Administrative System is the preferred location for storing Restricted data
- The “S:” drive, which is a network drive on a secure server with restricted access
- University owned laptops with supported full disk encryption software. In accordance with “Management of Personal Information On External Devices,” Restricted information should reside on unencrypted laptops no longer than required, and only for brief periods of less than a day. Restricted Information should be wiped off laptops as soon as it is no longer required.
B. Private Data
- Any methods used for “Restricted Data”
- The “U:” drive, which is a network drive on a shared server used by all users
- University email accounts (“Inboxes” or “Personal Folders”), which require University domain account authorization to access the email messages
- Local hard drives on your University owned workstations or laptop
- Mobile devices such as cell phones, tablets and portable storage devices
- University web sites, which require University domain account authorization to access the web site content
C. Public Data
- Any methods used for “Restricted Data” and “Private Data”
- Local hard drives on your personally owned workstations or laptops
- University or personal web sites accessible to the public
Appendix A – Predefined Types of Restricted Information
The following categories are classified as Restricted Data based on state and federal regulatory requirements. They are defined as follows:
Authentication Verifier
An Authentication Verifier is a piece of information that is held in confidence by an individual and used to prove that the person is who they say they are. In some instances, an Authentication Verifier may be shared amongst a small group of individuals. An Authentication Verifier may also be used to prove the identity of a system or service. Examples include, but are not limited to:
- Shared secrets
- Cryptographic private keys
Covered Financial Information
As defined by the Gramm-Leach-Bliley Act.
Electronic Protected Health Information (“EPHI”)
EPHI is defined as any Protected Health Information (“PHI”) that is stored in or transmitted by electronic media. For the purpose of this definition, electronic media includes:
- Electronic storage media, which includes computer hard drives and any removable and/or transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card.
- Transmission media used to exchange information already in electronic storage media. Transmission media includes, for example, the Internet, an extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks and the physical movement of removable and/or transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media because the information being exchanged did not exist in electronic form before the transmission.
Export Controlled Materials
Export Controlled Materials is defined as any information or materials that are subject to United States export control regulations including, but not limited to, the Export Administration Regulations (“EAR”) published by the U.S. Department of Commerce and the International Traffic in Arms Regulations (“ITAR”) published by the U.S. Department of State. See the Information and Guidelines on Federal Export Control Laws and Regulations, published by the Office of Sponsored Programs, for more information.
Federal Tax Information (“FTI”)
FTI is defined as any return, return information or taxpayer return information that is entrusted to the University by the Internal Revenue Service. See Internal Revenue Service Publication 1075 Exhibit 2 for more information.
Payment Card Information
Payment card information is heavily regulated by PCI DSS and should not be stored on any electronic media without written permission from ITS.
Personally Identifiable Education Records
Personally Identifiable Education Records are defined as any Education Records that contain one or more of the following personal identifiers:
- Name of the student
- Name of the student’s parent(s) or other family member(s)
- Social security number
- Student number
- A list of personal characteristics that would make the student’s identity easily traceable
- Any other information or identifier that would make the student’s identity easily traceable
Personally Identifiable Information (“PII”)
For the purpose of meeting state security breach notification requirements, PII is defined as a person’s first name or first initial and last name in combination with one or more of the following data elements:
- Social security number
- State-issued identification card number
- Financial account number in combination with a security code, access code or password that would permit access to the account
- Medical and/or health insurance information
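The following Python helper is an added example and not part of the procedure text or of any University system. It encodes three rules stated above so a Data Steward's review can be checked mechanically: the default of Private for anything not explicitly classified, the most-restrictive-element rule for collections (the student name, address and social security number example), and the breach-notification PII definition (first name or first initial plus last name, combined with at least one listed data element). The element labels (`ssn`, `state_id_number`, and so on) and the sample records are constructed for illustration.

```python
from enum import IntEnum
from typing import Dict, Iterable, Optional, Tuple


class Classification(IntEnum):
    """The three sensitivity levels; the ordering lets max() pick the most restrictive."""
    PUBLIC = 0
    PRIVATE = 1
    RESTRICTED = 2


# Constructed element labels standing for the data elements listed in
# Appendix A under "Personally Identifiable Information".
PII_TRIGGER_ELEMENTS = {
    "ssn",                          # Social security number
    "state_id_number",              # State-issued identification card number
    "financial_account_with_code",  # Account number plus security/access code or password
    "medical_or_insurance_info",    # Medical and/or health insurance information
}


def classify_collection(element_classes: Iterable[Classification]) -> Classification:
    """Most restrictive classification of any element wins.
    An empty collection falls back to the default classification, Private."""
    classes = list(element_classes)
    if not classes:
        return Classification.PRIVATE
    return max(classes)


def is_breach_notification_pii(field_names: Iterable[str]) -> bool:
    """PII as defined for breach notification: (first name or first initial)
    plus last name, in combination with at least one trigger element."""
    names = set(field_names)
    has_name = "last_name" in names and bool(names & {"first_name", "first_initial"})
    return has_name and bool(names & PII_TRIGGER_ELEMENTS)


def classify_record(fields: Dict[str, Optional[Classification]]) -> Tuple[Classification, str]:
    """Classify a record (a collection of named elements).

    A value of None means the element has not yet been classified by a Data
    Steward, so the Private default applies to it.  Returns the classification
    together with the rule that produced it, for the periodic review record."""
    if is_breach_notification_pii(fields):
        return Classification.RESTRICTED, "PII combination (name + listed data element)"
    per_element = [c if c is not None else Classification.PRIVATE for c in fields.values()]
    result = classify_collection(per_element)
    if result == Classification.PRIVATE and any(c is None for c in fields.values()):
        return result, "default: unclassified element treated as Private"
    return result, "most restrictive element classification"


if __name__ == "__main__":
    # Constructed sample records.
    student = {"first_name": Classification.PUBLIC, "last_name": Classification.PUBLIC,
               "address": Classification.PUBLIC, "ssn": Classification.RESTRICTED}
    directory = {"first_name": Classification.PUBLIC, "last_name": Classification.PUBLIC,
                 "office_phone": None}
    for label, record in (("student", student), ("directory", directory)):
        level, reason = classify_record(record)
        print(f"{label}: {level.name} ({reason})")
```

Note that the PII rule is applied to the record's field set before the per-element rule, so a record is Restricted even when each name element on its own would be Public; this mirrors the collection example above, where the name and address being Public does not lower the classification of the set.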