Purpose
Scope
Institutional Data Classification Levels
Classification of Institutional Data
Rubrics for Classification
Predefined Types of Restricted Data
Related state or federal privacy regulations
Related Policies and Guidelines
Data Handling Recommendations

...

The purpose of this policy is to define a framework for classifying and handling Institutional Data based on its level of sensitivity, value and criticality to the University.
Data classification, in the context of information security, is the classification of data based on its impact to the University should that data be disclosed, altered or destroyed without authorization. Classification of data helps determine what baseline security controls are appropriate for safeguarding that data.

...

This Policy applies to all employees and third-party Agents of the University as well as any other University affiliates who access, process, or store Institutional Data.

Institutional Data Classification Levels

...

Classification Process (major examples – not an exhaustive list)

Classification of Institutional Data

| Institutional Data Type | Specific Data Governor(s) |
|---|---|
| Student records | Registrar, Student Affairs, Financial Aid, International Programs |
| Student Health records | Student Affairs (Student Health), Student Disability Services Coordinator |
| Employee records (including faculty members, staff members, affiliates, retirees, and applicants) | Office of Human Resources, Office of Academic Affairs |
| Prospective Student records | Admission, Financial Aid, Student Disability Services Coordinator |
| Alumni and other persons included in Advancement records | Advancement, Alumni Affairs |
| Financial and Business records | Finance & Administration |
| Academic Intellectual Property (including faculty and student work) | Academic Affairs, Registrar |
| Academic and Course records (including course assessments, learning management system content and tracking, etc.) | Academic Affairs |
| University Website (valpo.edu) | Integrated Marketing & Communications |
| Institutional Research and Survey data | Institutional Effectiveness |
| Library records | Library Services |

Table 1

Classification of Institutional Data is performed by an appropriate University Data Steward in cooperation with Information Services and related Data Governors.
A Data Governor is the relevant office that is responsible for the accuracy, integrity, and timeliness of certain data, and that has authority to grant or deny permission to access that data.
A Data Steward is an employee of the University assigned by the relevant Data Governor to oversee the lifecycle of one or more sets of Institutional Data.
On a regular basis, the Data Steward will evaluate the classification of Institutional Data to ensure the assigned classification is appropriate based on changes to legal and contractual obligations or changes in the use of the data or its value to the University. Conducting an evaluation on at least an annual basis is encouraged.
If a Data Steward determines that the classification of a certain data set has changed, an analysis of security controls should be performed to determine whether existing controls are consistent with the new classification. If gaps are found in existing security controls, they should be corrected in a timely manner, commensurate with the level of risk presented by the gaps.
In general, University information is managed according to protocols defined by the following offices:

Management of University Information

| University Information | Managing Office |
|---|---|
| Students | Registrar or Student Affairs |
| Faculty members | Academic Affairs |
| Staff members, affiliates, and retirees | Human Resources |
| Parents of current students | Student Affairs |
| Prospective students and parents | Admission and Financial Aid |
| Alumni and other persons included in Advancement records | Advancement and Alumni Affairs |
| Financial and Business records | Finance & Administration |

Table 2

Rubrics for Classification

In some cases, appropriate data classification is guided by state or federal laws that require the University to protect certain types of data (e.g., personally identifiable information such as a social security number or FERPA-protected student education records). In other cases, Data Stewards will consider each security objective using Table 3 as a guide.  
As the total potential impact to the University increases from Low to High, the classification of data should become more restrictive moving from Public to Restricted.

POTENTIAL IMPACT

| Security Objective | LOW | MODERATE | HIGH |
|---|---|---|---|
| Availability: Ensuring timely and reliable access to and use of information. | The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. | The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. | The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |

Table 3*
*The table is an excerpt from Federal Information Processing Standards ("FIPS") publication 199 (http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf) published by the National Institute of Standards and Technology, which discusses the categorization of information and information systems.

Predefined Types of Restricted Data

...

  • Information Security Policy (to be drafted)
  • Student Records Policy (FERPA) http://www.valpo.edu/generalcounsel/assets/docs/Ferpa.pdf
  • HIPAA Policy http://www.valpo.edu/generalcounsel/assets/docs/hipaa%20vu%20policy%20notice.pdf
  • Record Retention and Document Destruction Policy http://www.valpo.edu/generalcounsel/assets/docs/Records%20Retention%20Schedule.pdf
  • Federal Information Processing Standards Publication 199: Standards for Security Categorization http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
  • Internal Revenue Service Publication 1075: Tax Information Security Guidelines http://www.irs.gov/pub/irs-pdf/p1075.pdf

Data Handling Recommendations
The following table outlines recommended safeguards for protecting data and data collections based on their classification. In addition to the following data security guidelines, any data covered by federal or state laws or regulations or contractual agreements should meet the security requirements defined by those laws, regulations, or contracts.

Data Classification

| Security Control Category | Public | Private | Restricted |
|---|---|---|---|
| Access Controls (Who has privileges to access information; technical controls for access) | No restriction for viewing. Authorization by Data Governor is required for access to modify. Authentication is required for access to modify. | Access to view or modify is restricted to authorized individuals as needed for business-related roles. Authorization by Data Governor is required for access. Authentication is required for access. Multi-factor authentication is recommended. Remote access by third party for technical support is limited to authenticated, temporary access via direct connection or secure protocols over the Internet with continuous oversight by authorized University Personnel. Network access via local network or VPN is recommended. | Access to view or modify is restricted to authorized individuals as needed for business-related roles. Authorization by Data Governor is required for access. Authentication is required for access. Multi-factor authentication is recommended. Confidentiality agreement is required. Remote access by third party for technical support is limited to authenticated, temporary access via direct connection or secure protocols over the Internet with continuous oversight by authorized University Personnel. Network access via local network or VPN is required. |
| Copying/Printing/Transmission (Applies to both paper and electronic format) | No restrictions. | Copies should be limited to individuals with a need to know. Copies should not be left unattended on a printer/fax. Copies can be sent via Campus Mail or University email system. Digital encryption is recommended (e.g., via SSL or secure file transfer protocols). | Copies should be limited to individuals authorized to access the data and who have signed a confidentiality agreement. Copies should not be left unattended on a printer/fax. Digital encryption is recommended (e.g., via SSL or secure file transfer protocols). Should not transmit via e-mail unless encrypted and secured with a digital signature. |
| Network Security (The network to which the system hosting or managing the data is directly connected.) | May reside on a public or unsecure network. Protection with a firewall is recommended. Protection only with router access control lists (ACLs) acceptable. IDS/IPS (intrusion detection system / intrusion prevention system) protection is recommended. | Protection with a network firewall is required. Protection with router ACLs is recommended. System or server hosting the data should not be visible to entire Internet. IDS/IPS protection is recommended. | Protection with a network firewall is required. Protection with router ACLs is recommended. System or server hosting the data must not be visible to the entire Internet nor to unauthorized subnets. IDS/IPS protection is recommended. |
| System Security (The system that hosts or manages access to the data. Applies to both centrally-managed and end-user devices) | Should follow general best practices for system management and security. Host-based software firewall is recommended. | Must follow University-specific and OS-specific best practices for system management and security. Protection with a firewall is recommended. IDS/IPS protection is recommended. Use of system managed in University Data Center or University-approved Cloud Provider is recommended. | Must follow University-specific and OS-specific best practices for system management and security. Protection with a firewall is required. IDS/IPS protection is recommended. Use of system managed in University Data Center or University-approved Cloud Provider is required. |
| Physical Security (Physical security of area where the system hosting or managing access to the data is located) | System or location should be locked or system logged out when unattended. | System should be locked or logged out when unattended. Located in a secure locked location is recommended; the University Data Center or University-approved Cloud Provider is recommended. | System must be locked or logged out when unattended. Located in a secure locked location is required; the University Data Center or University-approved Cloud Provider is required. |
| Data Storage | No restrictions. | Storage on a secure server is recommended. Storage in University Data Center or University-approved Cloud Provider is recommended. If data stored on individual workstation or mobile device, encryption is recommended. | Storage on a secure server is recommended. Storage in University Data Center or University-approved Cloud Provider is recommended. If data stored on individual workstation or mobile device, encryption is required. |
| Backup/Disaster Recovery | Regular data backup is recommended. | Daily backup is recommended. Off-site storage is recommended. Encryption on backup media is recommended. | Daily backup is required. Off-site storage in a secure location is required. Encryption on backup media is recommended. |
| Media Sanitization and Disposal (Hard drives, CDs, DVDs, tapes, paper, etc.) | No restrictions. | Shred reports; destroy electronic media. | Shred reports. Destroy or overwrite electronic media. |
| Security Awareness Training | General security awareness training is recommended. | General security awareness training is required. Data security training is required. | General security awareness training is required. Data security training is required. Applicable policy and regulation training is required. |
| Workstations and Mobile Devices (E.g., individual workstations, laptop computers, tablets, smartphones, or similar devices) | Password protection is recommended; workstation inactivity auto-lock is recommended. | Password protection is recommended; workstation inactivity auto-lock is recommended. Encryption is recommended when data stored on device. | Password protection is required; workstation inactivity auto-lock is required. Encryption is required when data stored on device. |

Definitions

University-approved Cloud Provider – An externally hosted service or system that has been designated by the University as appropriate for specific data storage or management functionalities. Examples include Google Apps for Education, iModules (Alumni portal), SchoolDude (Facilities Management), Handshake, EMS, among others. These services have been vetted and contracted (typically) by the University to meet specific information security and data handling standards as appropriate to the type of information processing performed by each system.