Purpose
Scope
Institutional Data Classification Levels
Classification of Institutional Data
Rubrics for Classification
Predefined Types of Restricted Data
Related state or federal privacy regulations
Related Policies and Guidelines
Data Handling Recommendations
Purpose
The purpose of this policy is to define a framework for classifying and handling Institutional Data based on its level of sensitivity, value and criticality to the University.
Data classification, in the context of information security, is the classification of data based on its impact to the University should that data be disclosed, altered or destroyed without authorization. Classification of data helps determine what baseline security controls are appropriate for safeguarding that data.
Scope
This Policy applies to all employees and third-party Agents of the University as well as any other University affiliates who access, process, or store Institutional Data.
Institutional Data Classification Levels
Institutional Data is any data related to the business of the University including, but not limited to, financial, personnel, student, alumni, communication, and physical resources. It includes data maintained at the department level as well as centrally, regardless of the media or system on which they reside. In the case of data in digital format, Institutional Data includes records that are stored in on-premises University data systems as well as systems provided by means of Internet-hosted service providers (i.e., "Cloud" hosted systems or applications). All Institutional Data must be maintained on University-approved systems (storage of Institutional Data in any personal accounts, such as personal Dropbox accounts or personal Google accounts, among others, is prohibited).
All Institutional Data is classified into one of three classifications: Restricted, Private, or Public.
A. Restricted Data
Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the University or its affiliates. Examples of Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied to Restricted data.
Confidential Data / Sensitive Data are generalized terms that typically represent data classified as Restricted, according to the data classification scheme defined in this Guideline. These terms are often used interchangeably.
B. Private Data
Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the University or its affiliates. By default, all Institutional Data that is not explicitly classified as Restricted or Public data should be treated as Private data. A reasonable level of security controls should be applied to Private data.
C. Public Data
Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates. Examples of Public data include press releases, course information and research publications. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.
Non-public Information is defined as any information that is classified as Private or Restricted Information according to the data classification scheme defined in this Guideline.
Data Collections
Data Stewards may wish to assign a single classification to a collection of data that is common in purpose or function. When classifying a collection of data, the most restrictive classification of any of the individual data elements should be used. For example, if a data collection consists of a student's name, address and social security number, the data collection should be classified as Restricted even though the student's name and address may be considered Public information. Authorization for access to a data collection is governed by its most restrictive data field. When retrieval of Restricted data is required by a third party, it will be authorized only by order of the General Counsel.
Classification of Institutional Data
Classification Process (major examples – not an exhaustive list)

Classification of Institutional Data

Institutional Data Type | Specific Data Governor(s)
---|---
Student records | Registrar, Student Affairs, Financial Aid, International Programs
Student Health records | Student Affairs (Student Health), Student Disability Services Coordinator
Employee records (including faculty members, staff members, affiliates, retirees, and applicants) | Office of Human Resources, Office of Academic Affairs
Prospective Student records | Admission, Financial Aid, Student Disability Services Coordinator
Alumni and other persons included in Advancement records | Advancement, Alumni Affairs
Financial and Business records | Finance & Administration
Academic Intellectual Property (including faculty and student work) | Academic Affairs, Registrar
Academic and Course records (including course assessments, learning management system content and tracking, etc.) | Academic Affairs
University Website (valpo.edu) | Integrated Marketing & Communications
Institutional Research and Survey data | Institutional Effectiveness
Library records | Library Services

Table 1

...

Management of University Information

University Information | Managing Office
---|---
Students | Registrar or Student Affairs
Faculty members | Academic Affairs
Staff members, affiliates, and retirees | Human Resources
Parents of current students | Student Affairs
Prospective students and parents | Admission and Financial Aid
Alumni and other persons included in Advancement records | Advancement and Alumni Affairs
Financial and Business records | Finance & Administration

Table 2
Rubrics for Classification
In some cases, appropriate data classification is guided by state or federal laws that require the University to protect certain types of data (e.g., personally identifiable information such as a social security number or FERPA-protected student education records). In other cases, Data Stewards will consider each security objective using Table 3 as a guide.
As the total potential impact to the University increases from Low to High, the classification of data should become more restrictive moving from Public to Restricted.
The three right-hand columns give the potential impact of a loss of each security objective.

Security Objective | LOW | MODERATE | HIGH
---|---|---|---
Availability (ensuring timely and reliable access to and use of information) | The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Integrity (guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity) | The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Confidentiality (preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information) | The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Table 3*
Predefined Types of Restricted Data
The University has defined several types of Restricted Data based on state and federal regulatory requirements. These are defined as follows:
Authentication Verifier
An Authentication Verifier is a piece of information that is held in confidence by an individual and used to prove that the person is who they say they are. In some instances, an Authentication Verifier may be shared among a small group of individuals. An Authentication Verifier may also be used to prove the identity of a system or service. Examples include, but are not limited to:
- Passwords
- Shared secrets
- Cryptographic private keys
Personally Identifiable Information ("PII")
For the purpose of meeting security breach notification requirements, PII is defined as a person's first name or first initial and last name in combination with one or more of the following data elements:
- Social Security number
- State-issued driver's license number
- State-issued identification card number
- Date of birth
- Financial account number in combination with a security code, access code or password that would permit access to the account.
- Medical and/or health insurance information
Personally Identifiable Education Records – Covered under FERPA
Personally Identifiable Education Records are defined as any Education Records that contain one or more of the following personal identifiers:
...
Note: The University classifies directory information that is generally considered to be public information as Public. See Valparaiso University's Student Records Policy (FERPA) (http://www.valpo.edu/generalcounsel/assets/docs/Ferpa.pdf) for more information on this directory information and on what constitutes an Education Record.
Payment Card Information
Payment card information is defined as a credit card number (also referred to as a primary account number or PAN) in combination with one or more of the following data elements:
- Cardholder name
- Service code
- Expiration date
- CVC2, CVV2 or CID value
- PIN or PIN block
- Contents of a credit card's magnetic stripe
Federal Tax Information ("FTI")
Federal Tax Information (FTI) is defined as any return, return information or taxpayer return information that is entrusted to the University by the Internal Revenue Service. See "Internal Revenue Service Publication 1075: Tax Information Security Guidelines" (http://www.irs.gov/pub/irs-pdf/p1075.pdf) for more information.
Protected Health Information ("PHI")
Protected Health Information ("PHI") is individually identifiable health information, including demographic information, collected from an individual or created or received by a health care provider, a health care clearinghouse, a health plan, or Valparaiso University on behalf of a group health plan, which relates to:
...
The list of accessible documents (above) may vary based on the situation and necessary involvement of the Human Resources Office. Full details are outlined in the University HIPAA Policy (http://www.valpo.edu/generalcounsel/assets/docs/hipaa%20vu%20policy%20notice.pdf).
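The rules in this policy can be applied mechanically, and doing so makes two points visible that prose hides: an element's classification is the high-water mark of its Table 3 ratings, and a collection takes the most restrictive classification of any element, while the predefined Restricted types are combination rules (a name alone or a PAN alone does not trigger PII or Payment Card Information; the qualifying second element must also be present). The following is an added worked example, not part of the University policy text. The field names, the impact ratings, the sample student record, and the literal reading of the rubric's Low/Moderate/High progression as Public/Private/Restricted are all assumptions made for the example.

```python
# Added example (not from the University policy): a small classifier that applies
# the page's classification rules mechanically. Field names and impact ratings
# below are assumptions, not University-defined identifiers.
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Potential impact levels from Table 3."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


class Classification(IntEnum):
    """Ordered so that max() yields the most restrictive classification."""
    PUBLIC = 1
    PRIVATE = 2
    RESTRICTED = 3


# Assumed literal reading of the rubric: Low -> Public, Moderate -> Private, High -> Restricted.
IMPACT_TO_CLASS = {
    Impact.LOW: Classification.PUBLIC,
    Impact.MODERATE: Classification.PRIVATE,
    Impact.HIGH: Classification.RESTRICTED,
}

# Assumed canonical field names for the predefined Restricted data types.
NAME_FIELDS = {"first_name", "first_initial", "last_name"}
PII_ELEMENTS = {"ssn", "drivers_license_number", "state_id_number", "date_of_birth",
                "financial_account_with_access_code", "health_insurance_info"}
PAN = "pan"
PAYMENT_CARD_ELEMENTS = {"cardholder_name", "service_code", "expiration_date",
                         "cvv2", "pin_block", "magnetic_stripe"}
AUTHENTICATION_VERIFIERS = {"password", "shared_secret", "private_key"}


@dataclass(frozen=True)
class Element:
    """One data element with its rating for each security objective."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


def classify_element(element: Element) -> Classification:
    """High-water mark: the worst of the three objectives sets the classification."""
    worst = max(element.confidentiality, element.integrity, element.availability)
    return IMPACT_TO_CLASS[worst]


def predefined_restricted_types(field_names: set[str]) -> list[str]:
    """Return the predefined Restricted types triggered by a combination of fields.

    PII and Payment Card Information are combination rules; a name alone or a
    PAN alone does not trigger them. Authentication Verifiers are Restricted on
    their own.
    """
    reasons = []
    if NAME_FIELDS & field_names and PII_ELEMENTS & field_names:
        reasons.append("PII")
    if PAN in field_names and PAYMENT_CARD_ELEMENTS & field_names:
        reasons.append("Payment Card Information")
    if AUTHENTICATION_VERIFIERS & field_names:
        reasons.append("Authentication Verifier")
    return reasons


def classify_collection(elements: list[Element]) -> tuple[Classification, list[str]]:
    """Most restrictive element wins; regulated combinations force Restricted.

    A collection with nothing explicitly Public or Restricted in it falls back
    to the page's default of Private.
    """
    reasons = predefined_restricted_types({e.name for e in elements})
    level = max((classify_element(e) for e in elements), default=Classification.PRIVATE)
    if reasons:
        level = Classification.RESTRICTED
    return level, reasons


# Constructed sample: name and address alone would be directory (Public)
# information, but the SSN makes the whole collection Restricted PII.
STUDENT_RECORD = [
    Element("first_name", Impact.LOW, Impact.LOW, Impact.LOW),
    Element("last_name", Impact.LOW, Impact.LOW, Impact.LOW),
    Element("address", Impact.LOW, Impact.LOW, Impact.LOW),
    Element("ssn", Impact.HIGH, Impact.MODERATE, Impact.LOW),
]

if __name__ == "__main__":
    level, why = classify_collection(STUDENT_RECORD)
    print(level.name, why)  # RESTRICTED ['PII']
```

The reasons list is returned alongside the level so that a reviewer can see which predefined type forced the classification; in a tagging or DLP policy that is the value you would attach to the collection rather than the bare level.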
Related state or federal privacy regulations
Laws that influence and affect these guidelines include but are not limited to:
- Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act) http://www.cleryact.info
- Children's Online Privacy Protection Rule (COPPA) https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule
- The Digital Millennium Copyright Act (DMCA) http://www.copyright.gov/legislation/dmca.pdf
- Electronic Communications Privacy Act of 1986 (ECPA) https://it.ojp.gov/default.aspx?area=privacy&page=1285
- Family Educational Rights and Privacy Act (FERPA) http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
- Higher Education Opportunity Act (HEOA) http://www2.ed.gov/policy/highered/leg/hea08
- Gramm-Leach-Bliley Act - Privacy of Consumer Financial Information (GLBA) https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/privacy-consumer-financial-information
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) http://www.hhs.gov/ocr/hipaa/
- USA Patriot Act http://www.justice.gov/archive/ll/highlights.htm
- Various State Security Breach Notification Laws, including Indiana http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
Related Policies and Guidelines
- Information Security Policy (to be drafted)
- Student Records Policy (FERPA) http://www.valpo.edu/generalcounsel/assets/docs/Ferpa.pdf
- HIPAA Policy http://www.valpo.edu/generalcounsel/assets/docs/hipaa%20vu%20policy%20notice.pdf
- Record Retention and Document Destruction Policy http://www.valpo.edu/generalcounsel/assets/docs/Records%20Retention%20Schedule.pdf
- Federal Information Processing Standards Publication 199: Standards for Security Categorization http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
- Internal Revenue Service Publication 1075: Tax Information Security Guidelines http://www.irs.gov/pub/irs-pdf/p1075.pdf
Data Handling Recommendations
The following table outlines recommended safeguards for protecting data and data collections based on their classification. In addition to the following data security guidelines, any data covered by federal or state laws or regulations or contractual agreements should meet the security requirements defined by those laws, regulations, or contracts. The three right-hand columns are the data classifications.

Security Control Category | Public | Private | Restricted
---|---|---|---
Access Controls (who has privileges to access information; technical controls for access) | No restriction for viewing. Authorization by Data Governor is required for access to modify. Authentication is required for access to modify. | Access to view or modify is restricted to authorized individuals as needed for business-related roles. Authorization by Data Governor is required for access. Authentication is required for access. Multi-factor authentication is recommended. Remote access by a third party for technical support is limited to authenticated, temporary access via direct connection or secure protocols over the Internet with continuous oversight by authorized University Personnel. Network access via local network or VPN is recommended. | Access to view or modify is restricted to authorized individuals as needed for business-related roles. Authorization by Data Governor is required for access. Authentication is required for access. Multi-factor authentication is recommended. Confidentiality agreement is required. Remote access by a third party for technical support is limited to authenticated, temporary access via direct connection or secure protocols over the Internet with continuous oversight by authorized University Personnel. Network access via local network or VPN is required.
Copying/Printing/Transmission (applies to both paper and electronic format) | No restrictions. | Copies should be limited to individuals with a need to know. Copies should not be left unattended on a printer/fax. Copies can be sent via Campus Mail or the University email system. Digital encryption is recommended (e.g., via TLS/SSL or secure file transfer protocols). | Copies should be limited to individuals authorized to access the data who have signed a confidentiality agreement. Copies should not be left unattended on a printer/fax. Digital encryption is recommended (e.g., via TLS/SSL or secure file transfer protocols). Should not be transmitted via e-mail unless encrypted and secured with a digital signature.
Network Security (the network to which the system hosting or managing the data is directly connected) | May reside on a public or unsecured network. Protection with a firewall is recommended. Protection only with router access control lists (ACLs) is acceptable. IDS/IPS (intrusion detection system / intrusion prevention system) protection is recommended. | Protection with a network firewall is required. Protection with router ACLs is recommended. The system or server hosting the data should not be visible to the entire Internet. IDS/IPS protection is recommended. | Protection with a network firewall is required. Protection with router ACLs is recommended. The system or server hosting the data must not be visible to the entire Internet nor to unauthorized subnets. IDS/IPS protection is recommended.
System Security (the system that hosts or manages access to the data; applies to both centrally-managed and end-user devices) | Should follow general best practices for system management and security. A host-based software firewall is recommended. | Must follow University-specific and OS-specific best practices for system management and security. Protection with a firewall is recommended. IDS/IPS protection is recommended. Use of a system managed in the University Data Center or by a University-approved Cloud Provider is recommended. | Must follow University-specific and OS-specific best practices for system management and security. Protection with a firewall is required. IDS/IPS protection is recommended. Use of a system managed in the University Data Center or by a University-approved Cloud Provider is required.
Physical Security (physical security of the area where the system hosting or managing access to the data is located) | The system or location should be locked, or the system logged out, when unattended. | The system should be locked or logged out when unattended. Location in a secure locked area is recommended; the University Data Center or a University-approved Cloud Provider is recommended. | The system must be locked or logged out when unattended. Location in a secure locked area is required; the University Data Center or a University-approved Cloud Provider is required.
Data Storage | No restrictions. | Storage on a secure server is recommended. Storage in the University Data Center or with a University-approved Cloud Provider is recommended. If data is stored on an individual workstation or mobile device, encryption is recommended. | Storage on a secure server is recommended. Storage in the University Data Center or with a University-approved Cloud Provider is recommended. If data is stored on an individual workstation or mobile device, encryption is required.
Backup/Disaster Recovery | Regular data backup is recommended. | Daily backup is recommended. Off-site storage is recommended. Encryption of backup media is recommended. | Daily backup is required. Off-site storage in a secure location is required. Encryption of backup media is recommended.
Media Sanitization and Disposal (hard drives, CDs, DVDs, tapes, paper, etc.) | No restrictions. | Shred reports; destroy electronic media. | Shred reports. Destroy or overwrite electronic media.
Security Awareness Training | General security awareness training is recommended. | General security awareness training is required. Data security training is required. | General security awareness training is required. Data security training is required. Applicable policy and regulation training is required.
Workstations and Mobile Devices (e.g., individual workstations, laptop computers, tablets, smartphones, or similar devices) | Password protection is recommended; workstation inactivity auto-lock is recommended. | Password protection is recommended; workstation inactivity auto-lock is recommended. Encryption is recommended when data is stored on the device. | Password protection is required; workstation inactivity auto-lock is required. Encryption is required when data is stored on the device.

Definitions
University-approved Cloud Provider – An externally hosted service or system that has been designated by the University as appropriate for specific data storage or management functionalities. Examples include Google Apps for Education, iModules (Alumni portal), SchoolDude (Facilities Management), Handshake, EMS, among others. These services have been vetted and contracted (typically) by the University to meet specific information security and data handling standards as appropriate to the type of information processing performed by each system.