Data Classification Policy
Purpose: The purpose of this policy is to establish a framework for classifying University data based on its level of sensitivity, value, and criticality to the University as required by the University’s Information Security Policy. The policy establishes four data classification levels and:
- Defines each classification level
- Broadly defines who has access to the data within each level
- Broadly establishes the requirements for data transmission for each level
- Defines the requirements for storing the data for each level
- Defines which levels require public notification in the event of an unauthorized disclosure
Classification of data will aid in determining baseline security controls for the protection of data.
Scope:
This policy applies to all faculty, staff, student workers, and third-party agents of the University as well as any other University affiliate who is authorized to access University Data. In particular, this policy applies to those who are responsible for classifying and protecting University Data.
Definitions:
Access - the privilege or assigned permission to use computer data or resources in some manner.
Data Classification - the process of organizing data by relevant categories to be used and protected more efficiently. See the University's Data Classification Levels document.
Disclosure (also referred to as a Data Breach) - a security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so.
Encryption - the process of encoding a message or information in such a way that only authorized parties can access it, and those who are not authorized cannot.
Encrypted connection - a data communication channel that has been encrypted, preventing anyone who may be able to intercept the transmission from reading the original message.
Notification - a public announcement, in writing, detailing that sensitive, personally identifiable information has been acquired or reasonably believed to have been acquired by an unauthorized person and is reasonably likely to harm the individuals to whom the information relates.
Storage - a resource that holds electronic data. Examples of storage include, but are not limited to:
- Cloud storage includes storage mediums owned and maintained by an entity other than the University and accessed via the Internet.
- Network storage includes storage mediums owned and maintained by the University.
- Local storage includes internal hard drives associated with desktop and mobile devices.
- Removable storage includes CD/DVDs, removable USB drives, removable memory cards (SD, XD, compact flash, etc.).
Transmission - the transfer of data over a communications channel.
Policy
Classification Levels
All University Data is classified into one of four levels (Confidential, Sensitive, Private, Public) based on its content and the risks associated with disclosure. The classification level determines the security protections that must be used for the information. Classification is an ongoing process managed by data stewards, as defined in the Information Security Charter.
When combining information, the resulting data classification level must be re-evaluated independently of the source information’s classification to manage risks.
1. Confidential Data
Definition:
Confidential data is any information protected by international, federal, state, or local laws and regulations or industry standards, such as GLBA, GDPR, HIPAA, HITECH, HEOA, Pennsylvania's Breach of Personal Information Notification Act and similar state laws, and PCI-DSS. For purposes of this Policy and the other Information Security Policies, Confidential data includes, but is not limited to, the following, as detailed in the Data Classification Levels document:
- Personally Identifiable Information (PII)
- Protected Health Information (PHI)
- Gramm-Leach-Bliley Act (GLBA)
- Human Subjects Research
Access:
This information must be protected from unauthorized access.
Only the following approved entities, who need to know, will have access to this Confidential data.
- Specific University employees;
- Entities that have been bound by a contractual agreement to maintain the privacy of this Confidential data;
- Entities that have signed non-disclosure agreements;
- Government or law enforcement agencies as required by regulation or law;
- Accrediting bodies governing University programs.
External release of this Confidential data is only permitted:
- To the above listed approved entities, and;
- Only when approved by data stewards per the Data Governance Policy, or;
- When required by subpoena or warrant.
Access to Confidential data stored in a cloud environment requires multi-factor authentication.
Confidential data stored on internal University servers must be configured and secured using the operating system’s access control lists.
The unauthorized release of this type of data could result in disciplinary action, up to and including termination from University employment and criminal charges.
Transmission:
Confidential data must be transmitted using an encrypted connection.
Confidential data must:
- be transferred using a University-approved secure file transfer utility.
- not be sent by email.
Storage:
All Confidential University data has to be stored on University-approved resources, including both data stored on local devices and in the cloud.
Any University-owned desktop or mobile computers containing this type of data must be encrypted utilizing whole-disk encryption.
Confidential data stored on personally-owned computers, flash drives, cell phones, or any other external form of storage, must be encrypted.
Notification:
Unauthorized disclosure of confidential data triggers a notification.
2. Sensitive Data
Definition:
For purposes of this Policy and the other Information Security Policies, Sensitive data includes, but is not limited to the following, as detailed in the Data Classification Levels document:
- FERPA data
- University operational planning, technical operations, or operational security.
Access:
This information must be protected from unauthorized access.
Only the following approved entities, who have a need to know, will have access to this sensitive data.
- Specific University employees;
- Entities that have been bound by contractual agreement to maintain the privacy of this Sensitive data;
- Entities that have signed non-disclosure agreements;
- Government or law enforcement agencies as required by regulation or law;
- Accrediting bodies governing University programs.
External release of this Sensitive data is only permitted:
- To the above listed approved entities, and;
- Only when approved by data stewards per the Data Governance Policy, or;
- When required by subpoena or warrant.
Access to Sensitive data stored in a cloud environment requires multi-factor authentication.
Sensitive data stored on internal University servers must be configured and secured using the operating system’s access control lists.
The unauthorized release of this type of data could result in disciplinary action, up to and including termination from University employment and criminal charges.
Transmission:
Sensitive data must be transmitted using encrypted connections.
Sensitive data must:
- be transferred using a University-approved secure file transfer utility.
- not be sent by email to anyone outside of the University.
Storage:
All Sensitive University data must be stored on University-approved resources, including both data stored on local devices and in the cloud.
Any University-owned desktop or mobile computers containing Sensitive data must be encrypted utilizing whole-disk encryption.
Sensitive data stored on personally-owned computers, flash drives, cell phones, or any other external form of storage must be encrypted.
Notification:
Unauthorized disclosure of Sensitive data triggers a notification.
3. Private Data
Definition:
Private data is any information that is not protected as confidential or sensitive, or otherwise restricted by law or by contract but must be protected due to privacy, ethical, or proprietary constraints. Private data is information that meets the definitions of the preceding sentence and is deemed by the University not to be appropriate for public disclosure.
By default, all University data that is not explicitly classified as confidential, sensitive, or public (defined below) data is classified as private data.
Access:
This information must be protected from unauthorized access.
Only the following approved entities, who need to know, will have access to this private data.
- Specific University employees;
- Entities that have been bound by a contractual agreement to maintain the privacy of this private data;
- Entities that have signed non-disclosure agreements;
- Government or law enforcement agencies as required by regulation or law;
- Accrediting bodies governing University programs.
External release of this private data is only permitted:
- To the above listed approved entities, and;
- Only when approved by data stewards per the Data Governance Policy, or;
- When required by subpoena or warrant.
Access to private data stored in a cloud environment requires multi-factor authentication.
Private data stored on internal University servers must be configured and secured using the operating system’s access control lists.
The unauthorized release of this type of data could result in disciplinary action, up to and including termination from University employment and criminal charges.
Notification:
Unauthorized disclosure of Private data is not notice-triggering.
Transmission:
Private data must be transmitted using encrypted connections.
Private data must:
- be transferred using a University-approved secure file transfer utility.
- not be sent by email to anyone outside of the University.
Storage:
All Private University data has to be stored on University-approved resources, including data stored on local devices and in the cloud.
Any University-owned desktop or mobile computers containing Private data should be encrypted utilizing whole-disk encryption.
Private data stored on personally-owned computers, flash drives, cell phones, or any other external form of storage, should be encrypted.
4. Public Data
Definition:
Any information that is made available to the general public, with no legal restrictions on its access or use.
Access:
Access to published Public data is available with no further restrictions.
Access to unpublished Public data may be granted at the discretion of the responsible department or data steward.
Notification:
Unauthorized disclosure of Public data is not notice-triggering.
Transmission:
There are no restrictions on the transmission of Public data. Public data may be sent by email to anyone outside of the University without the use of encryption. However, it is prudent to use encryption whenever transmitting Public data.
Storage:
Due to its public nature and wide availability, Public University data may be stored at the discretion of the data host or data user.
Reviewed Date:
October 2020
Approved By/Date:
Approved Dec 1, 2020 by the President’s Council
Reference Documents
Data Classification Levels
Human Subjects
Data Governance Program *Coming soon