Information Services Digital Data Classification Policy

1. Purpose
Information technology and data constitute valuable 糖心TV assets. The purpose of data classification is to identify college data and its sensitivity. In order to protect the security, confidentiality and integrity of 糖心TV data from unauthorized access, modification, disclosure, transmission or destruction, as well as to comply with applicable state and federal laws and regulations, all of 糖心TV's data is classified within security levels, with regulations on the usage, storage, disposal and access of data at each level.

2.  Scope

This policy applies to any 糖心TV data residing on college-owned or personal laptops, desktops, servers, handheld devices, external drives, mobile devices, USB drives, etc. It is the responsibility of the data owner to designate and label the data classification for information owned, used, created or maintained under their responsibility.

3.  Definitions and Authority

"Critical data elements" are defined as "the data that is critical to success" in a specific campus business area, or "the data required to get the job done." Data elements are data attributes used in running the college business. Note that data that is critical in one business area may not be critical in another.

"Data" is defined as information processed or stored by a computer. This information may be in the form of text documents (electronic or printed), images, audio clips, software programs, or other types of data.

"Data dictionary" describes the meaning of a data element, i.e., metadata. Data element definitions are critical for external users of any data system.

"Data Owners" are college officials who have direct operational-level responsibility for the management of one or more types of institutional data. This authority and responsibility is delegated by a Sr. Administrator; Data Owners are generally deans, directors or managers.

"Data Custodian" is an individual who has been authorized by the Data Owner to be in physical or logical possession of data.

"Data Stewardship Committee" is a planning, procedures and oversight committee composed of campus Data Owners. They discuss, propose, advocate and review policies and standards surrounding the classification, access and use of data.

"Data Users" are college departments or individuals who have been granted access to institutional data in order to perform their assigned duties.

"Personally Identifiable Information (PII)" is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another, or that can be used to de-anonymize anonymous data, can be considered PII.

4.  Data Classifications

College data is organized into three classifications: Public, Internal and Restricted. Each level or class of data has its own requirements with respect to safeguards, as well as procedures in the event of inappropriate disclosure.

Public - low level of sensitivity

Public data is information that may be disclosed to any person regardless of their affiliation with the College. This data may be publicly accessible but does not require public access. This classification applies to data that does not require any level of protection from disclosure. Examples of Public data include:

a. Content and images on 糖心TV's public web sites and social media (i.e. )

b. Publicly released press statements and marketing materials.

c. External directory information for faculty and staff, unless otherwise restricted. This includes name, title, department, mailing address and 糖心TV email address.

d. Campus events open to the public.

Internal - moderate level of sensitivity

This includes information that requires protection from unauthorized use, disclosure, modification, or destruction. Internal data is not necessarily protected by state or federal law or regulatory standards, but it is potentially sensitive and not intended to be shared with the public. The distribution of Internal data is limited by the intention of the author, owner, or administrator. Internal information should not be disclosed outside of the college without the permission of the data owner or the group that created it.

Examples of Internal data include:

a. Student ID number, Network Account Credentials, Budget Information, Research and Manuscripts, Payroll and Employment Documentation, Donation/Giving History, Systems & Network Diagrams, Strategic Information unique to 糖心TV.

b. Data related to 糖心TV operations, finances, audits, or other activities that are not public in nature. 

c. Personal directory or professional employment information for students, alumni or donors. This includes name, business name, business address, home address, email, cell phone numbers, business phone numbers, home phone numbers, occupations and titles.

d. Personal directory information for faculty and staff. This may include home address, cell phone, home phone, home fax and personal email.

e. Personal characteristics such as gender, sex, height, weight, marital status, nationality, personal interests, photographs and names of children and other demographic information for students, faculty and staff.

f. 糖心TV Network Diagrams which display IP Addresses.

g. Student directory information may be disclosed if deemed appropriate by the FERPA body (Registrar's Office), for example the Dean's list.

Restricted - confidential and highest level of sensitivity

This includes data that is protected by state or federal law, contractual agreements or proprietary status against unauthorized use, disclosure, modification and destruction. Highly confidential, Restricted data shall be stored on institutionally supported applications residing in the 糖心TV Data Centers, and not in Word, Excel or Access files (with the exception of information required for critical business purposes and stored in an approved, secure area). Access to Restricted electronic data shall only be gained through authenticated access on the College network or through Virtual Private Network (VPN) access.

Hard copy Restricted data shall be stored in locked receptacles and rooms. Hard copy data shall only be accessed when business requires such use and all storage receptacles and rooms shall be appropriately designed to allow for authorized access only.

Examples of Restricted data include, without limitation, the following:

a. Student records, including date of birth, Social Security Number, Driver's License Number, Passport ID Number, health information, place of birth, mother's maiden name, official grades and transcripts recorded on a student's permanent record, academic information, academic actions, class schedules, race, judicial information and other information relative to a student's permanent record (e.g., official grades, judicial records).

See FERPA Policy.

b. Any information, including student or employment status, for any student or employee who has requested a "CONFIDENTIAL" status with the Registrar's Office or Human Resources. These individuals are flagged as "confidential" in enterprise systems.

c. Human Resources data including employment records, salary, benefits, Social Security Number, driver's license and passport ID numbers, personnel evaluations, date of birth, place of birth, mother's maiden name, home address, race and other records pertaining to personnel files (e.g., payroll reports, yearly salary increase data).

d. Academic Affairs information relating to non-public research and promotion and tenure files (including notes relating to tenure decisions).

e. Alumni or donor information, including date of birth, place of birth, mother's maiden name, donation amount and assets (e.g., Daily Giving Reports, Donor Profiles).

f. Corporate records including Board of Trustee minutes, Board of Trustee votes and other confidential information dispersed at Board meetings and/or shared with Board members.

g. Sensitive Personal Information including credit checks, criminal background checks, visa numbers, sexual behavior and criminal convictions (e.g., CORI/SORI reports).

h. Information security data, including passwords, and other data associated with security-related incidents occurring at the College.

i. Research data involving human subjects that are subject to the Common Rule (Federal Policy for the Protection of Human Subjects, 46 CFR 101 et seq).


Notification Requirements:

Restricted data includes data that is highly confidential and requires notification to subjects and various state, federal and nation-state entities if breached.

Restricted data requiring notification if breached includes a person's first and last name, or first initial and last name, in combination with any one or more of the following data elements relating to that person:

a. Social Security Number;

b. Driver's License Number or state-issued identification card number, including passports;

c. Financial account number (bank, investment, 403B), or credit or debit card number;

d. Health care information, including patient billing or medical records, information about physical or psychological state of health, counseling records, disease, medical history, medical treatment, drugs, therapies, genetic test results, family health or morbidity history;

e. Biometric data including fingerprints, voice prints, retina image, iris image, or other unique physical representation, with the exception of the fingerprints associated with individual fingerprint readers used for securing laptop or desktop computers.

Other data elements that can be associated with an individual (PII), particularly when used in various combinations with regulated data elements, may be treated as Restricted data depending on the usage. When assessing data, each data set must be analyzed to determine whether any given combination of elements poses a security risk.

5.  Data Security Guidelines

Security Protection | Public Data | Internal Data | Restricted Data | Guideline(s) | Security Control
Data Classification | | | | Know the classification of the data you are working with so you can ensure that appropriate data security precautions are employed. | Reference the Data Classification Policy to determine the class of the data you are working with.
Access Controls | | | | Electronic and physical access controls ensure that only authorized individuals can access the data. | The College Identity and Access Management system and application passwords are used to control access to view Internal and Restricted data.
Data Encryption | | | | Encrypt data using college-designated tools and technology. Keep encryption keys separate from the systems that contain the data. | Desktops are encrypted with BitLocker for PCs and FileVault for Macs. Certificate Authorities protect the transmission of data, and system backups are stored encrypted.
Security Monitoring | | | | Conduct security operations processes to monitor for unauthorized access attempts. Automated access log report. | Security information and event management logging and vulnerability scanning are performed by a third party. FireEye technology is used to detect zero-day attacks and Fortinet products protect the perimeter.



6.  Data Storage and Disposal Guidelines

Location | Data Classification | Data Disposal
On-campus secured network storage (e.g., shared department drives, dedicated secure servers) | Safe for Restricted, Internal and Public data. | Electronic Internal data can be destroyed using traditional application delete functionality.
Third-party hosted applications | Third-party hosted applications that store Internal and Restricted data must meet 糖心TV's Third Party Software as a Service (SaaS) risk standards. | Archival and removal processes are pre-established at the time of the SaaS agreement.
College-owned computer hard drive (i.e., laptop, tablet, desktop) | Safe for Internal and Public data. Use for Restricted data must be cleared with the Data Owner and the data must be encrypted. | Drives must be erased in compliance with 
糖心TV Gmail, including attachments | Safe for Internal and Public data; NOT safe for Restricted data. | Gmail can be deleted and will be removed from Trash after 30 days.
糖心TV Google Drive and Team Drives | Safe for Restricted, Internal and Public data. Must be labeled for classification. | Drive file ownership can be transferred to supervisors or new hires.
Portable device storage (e.g., smart phone, tablet, laptop, USB drive) | Safe for Internal and Public data. Use for Restricted data must be cleared with the Data Owner and data security features enabled. | Portable data drives used for this purpose must be erased using 
Hard copies | Internal and Restricted data shall be maintained in as few receptacles and rooms as business dictates. Copies of this data shall not generally be made unless business requires it. | Required to be disposed of in the shred container systems located in offices around campus.

Electronic Data Transmittal

If Internal or Restricted data is transmitted on a recurring basis to external vendors, it must be sent through secure transmissions such as secure FTP (SFTP).

All departments shall have policies in place and shall periodically review their electronic storage areas and hard copy storage areas to ensure that data is being destroyed in a timely and effective manner.

7.  Non-Compliance

7.1 Compliance Measurement

The ETS/Information Services will verify compliance with this policy through various methods, including but not limited to periodic walkthroughs, application tool reports, internal and external audits, and feedback.

7.2  Exceptions
Any exception to the policy must be approved by the Information Security Office in advance and documented in accordance with the Information Security Exceptions Tracking procedure.

7.3  Non-Compliance
Non-compliance with this policy and its procedures may result in disciplinary action, following the usual disciplinary processes of the College for faculty and staff. The Vice President of the Administration Division will determine whether to initiate the disciplinary process.


References:

Confidential-restricted data access flow

Information Services Litigation Hold Policy

Records Management Program and Policy

FERPA Policy

Data Classification Identification and Labeling Procedure (to be written)

** Approval Date: This policy was approved on May 14, 2019.