Effective March 30, 2020
1.0 Purpose
The purpose of this policy is to define the data classification requirements for information assets in electronic format and to ensure that data is secured and handled according to its sensitivity and the impact that theft, corruption, loss or exposure would have on the institution.
This policy has been developed to assist Union College and provide direction to the institution regarding identification, classification and handling of information assets.
2.0 Definitions
Data: Information in a specific representation, usually as a sequence of symbols that have meaning.
Data Asset: Any entity that is comprised of data. The terms “information asset” and “data asset” are used interchangeably throughout this document.
Source: Committee on National Security Systems Instruction No. 4009 (CNSSI-4009)
3.0 Scope
The scope of this policy includes all information assets governed by Union College. All personnel and third parties who have access to or utilize assets to process, store and/or transmit information for or on the behalf of Union College shall be subject to these requirements. This policy does not apply to:
- Personal information,
- Faculty Research, or
- Teaching materials.
4.0 Policy
Union College has established the following requirements enumerated below regarding the classification of data to protect the institution’s information:
4.1 Data Ownership and Accountability
Data owners are identified as the individuals, roles or committees primarily responsible for information assets. These individuals are responsible for:
- Identifying the organization’s information assets under their areas of supervision; and
- Maintaining an accurate and complete inventory for data classification and handling purposes.
Data owners are accountable for ensuring that their information assets receive an initial classification upon creation and a re-classification whenever reasonable. Re-classification of an information asset should be performed by the asset owners whenever the asset is significantly modified. Additionally, data owners are also responsible for reporting deficiencies in security controls to management.
4.2 Data Classification
Classification of data will be performed by the data asset owner based on specific, finite criteria. Refer to the Data Classification and Handling Procedure to determine how data should be classified. Data classifications will be defined as follows:
- HIGH RISK - Information whose loss, corruption, or unauthorized disclosure would cause severe personal, financial or reputational harm to the institution, institution staff or the community we serve. Federal or state breach notification would be required, identity or financial fraud, extreme revenue loss, or the unavailability of extremely critical systems or services would occur. Common examples include, but are not limited to, some elements of Family Educational Rights and Privacy Act (FERPA) data, financial aid data covered under Title IV of the Higher Education Act (as amended) and Gramm-Leach-Bliley Act (15 U.S. Code § 6801), social security number, banking and health information, payment card information and information systems’ authentication data.
- MEDIUM RISK – Information whose loss, corruption, or unauthorized disclosure would likely cause limited personal, financial or reputational harm to the institution, institution staff or the community we serve. Federal or state breach notification would not be required, limited identity theft and very little revenue loss would occur, and the availability of critical systems would not be affected. Common examples include, but are not limited to, some elements of Family Educational Rights and Privacy Act (FERPA) data, some data elements found in HR employment records, and passport and visa numbers.
- LOW RISK – Information whose loss, corruption, or unauthorized disclosure would cause minimal or no personal, financial or reputational harm to the institution, institution staff or the community we serve. Common examples include, but are not limited sales and marketing strategies, promotional information, and policies.
4.3 DIRECTORY INFORMATION
4.3.1 Academic Personnel and Staff Directory Information
Academic Personnel and Staff Directory Information is defined as the following:
- Full Name
- Title
- Department
- Office location
- Room
- Phone Extension
- Email address
4.3.2 Student Directory Information
Student Directory Information is defined as the following:
- Name of student
- Telephone number
- Email address
- Class level
- Dates of attendance
- Major field of study
- Number of course units in which student is enrolled
- Degrees and honors received
- Last school attended
- Participation in official student activities
- For intercollegiate athletic team members only:
- Height
- Weight
4.4 Data Handling
Information assets shall be handled according to their prescribed classification, including access controls, labeling, retention policies and destruction methods. The specific methods must be described in the Data Classification and Handling Procedure.
4.5 Re-Classification
A re-evaluation of classified data assets will be performed at least once per year by the responsible data owners. Re-classification of data assets should be considered whenever the data asset is modified, retired or destroyed.
4.6 Classification Inheritance
Logical or physical assets that “contain” a data asset may inherit classification from the data asset(s) contained therein. In these cases, the inherited classification shall be the highest classification of all contained data assets.
5.0 Enforcement
Users who violate this policy may be denied access to the institution’s resources and may be subject to penalties and disciplinary action both within and outside of the institution. The institution may temporarily suspend or block access to an account, prior to the initiation or completion of such procedures, when it reasonably appears necessary to do so in order to protect the integrity, security or functionality of institution or other computing resources or to protect the institution from liability.
6.0 Exceptions
Exceptions to this policy must be approved in advance by the Chief Information Officer, at the request of the responsible data asset owner. Approved exceptions must be reviewed and re-approved annually.
7.0 References
- Americans with Disabilities Act of 2990
- Children’s Online Privacy Protection Act of 1998 (COPPA)
- Electronic Communications Privacy Act
- Fair Credit Reporting Act (FCRA)
- Fair and Accurate Credit Transaction Act (FACTA)
- Federal Information Processing Standard Publication 199 (FIPS-199)
- Federal Information Security Management Act (FISMA)
- Freedom of Information Act
- Gramm-Leach-Bliley Act (15 U.S. Code § 6801)
- HIPAA
- NIST Special Publication 800-53 r4
- Title IV of the Higher Education Act (as amended)
Supporting Documents
- Data Handling and Procedures - web or pdf (login required)
- Bring Your Own Device (BYOD) Attestation
- Data Classification Training (login required)
- Information on how to protect and encrypt files and sensitive data
- FERPA Presentation (February 2018)
- Policy on Indemnification of Employees FAQs (February 2018)