Purpose
Scope
Institutional Data Classification Levels
Classification of Institutional Data
Rubrics for Classification
Predefined Types of Restricted Data
Related state or federal privacy regulations
Related Policies and Guidelines
Data Handling Recommendations

Purpose

The purpose of this policy is to define a framework for classifying and handling Institutional Data based on its level of sensitivity, value and criticality to the University.
Data classification, in the context of information security, is the classification of data based on its impact to the University should that data be disclosed, altered or destroyed without authorization. Classification of data helps determine what baseline security controls are appropriate for safeguarding that data.

Scope

This Policy applies to all employees and third-party Agents of the University as well as any other University affiliates who access, process, or store Institutional Data.

Institutional Data Classification Levels

Institutional Data is any data related to the business of the University including, but not limited to, financial, personnel, student, alumni, communication, and physical resources. It includes data maintained at the department level as well as centrally, regardless of the media or system on which they reside. In the case of data in digital format, Institutional Data includes records that are stored in on-premise University data systems as well as systems provided by means of Internet-hosted service providers (i.e., "Cloud" hosted systems or applications). All institutional data must be maintained on University-approved systems (storage of Institutional data in any personal accounts, such as personal Dropbox accounts or personal Google accounts, among others, is prohibited).
All Institutional Data is classified into one of three classifications: Restricted, Private, or Public.

A.  Restricted Data

Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the University or its affiliates.  Examples of Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements.  The highest level of security controls should be applied to Restricted data.
Confidential Data / Sensitive Data are generalized terms that typically represent data classified as Restricted, according to the data classification scheme defined in this Guideline.  These terms are often used interchangeably.

B.  Private Data

Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the University or its affiliates.  By default, all Institutional Data that is not explicitly classified as Restricted or Public data should be treated as Private data.  A reasonable level of security controls should be applied to Private data.

C.  Public Data

Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would results in little or no risk to the University and its affiliates.  Examples of Public data include press releases, course information and research publications.  While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.
Non-public Information is defined as any information that is classified as Private or Restricted Information according to the data classification scheme defined in this Guideline.

Data Collections

Data Stewards may wish to assign a single classification to a collection of data that is common in purpose or function. When classifying a collection of data, the most restrictive classification of any of the individual data elements should be used. For example, if a data collection consists of a student's name, address and social security number, the data collection should be classified as Restricted even though the student's name and address may be considered Public information. Authorization for access to a data collection is governed by its most restrictive data field. When retrieval of restricted data is required by a third party, it will authorized only by order of the General Counsel.

Classification of Institutional Data

Classification Process (major examples – not an exhaustive list)

Classification of Institutional Data is performed by an appropriate University Data Steward in cooperation with Information Services and related Data Governors.
A Data Governor is the relevant office that is responsible for the accuracy, integrity, and timeliness of certain data, and that has authority to grant or deny permission to access to that data.
A Data Steward is an employee of the University assigned by the relevant Data Governor to oversee the lifecycle of one or more sets of Institutional Data.
On a regular basis, the Data Steward will evaluate the classification of Institutional Data to ensure the assigned classification is appropriate based on changes to legal and contractual obligations or changes in the use of the data or its value to the University. Conducting an evaluation on at least an annual basis is encouraged.
If a Data Steward determines that the classification of a certain data set has changed, an analysis of security controls should be performed to determine whether existing controls are consistent with the new classification. If gaps are found in existing security controls, they should be corrected in a timely manner, commensurate with the level of risk presented by the gaps.
In general, University information is managed according to protocols defined by the following offices:

Rubrics for Classification

In some cases, appropriate data classification is guided by state or federal laws that require the University to protect certain types of data (e.g., personally identifiable information such as a social security number or FERPA-protected student education records). In other cases, Data Stewards will consider each security objective using Table 3 as a guide.  
As the total potential impact to the University increases from Low to High, the classification of data should become more restrictive moving from Public to Restricted.

Predefined Types of Restricted Data

The University has defined several types of Restricted Data based on state and federal regulatory requirements. These are defined as follows:

Authentication Verifier

An Authentication Verifier is a piece of information that is held in confidence by an individual and used to prove that the person is who they say they are.  In some instances, an Authentication Verifier may be shared among a small group of individuals.  An Authentication Verifier may also be used to prove the identity of a system or service.  Examples include, but are not limited to:

• Passwords
• Shared secrets
• Cryptographic private keys

Personally Identifiable Information ("PII")

For the purpose of meeting security breach notification requirements, PII is defined as a person's first name or first initial and last name in combination with one or more of the following data elements:

• Social Security number
• State-issued driver's license number
• State-issued identification card number
• Date of birth
• Financial account number in combination with a security code, access code or password that would permit access to the account.
• Medical and/or health insurance information

Personally Identifiable Education Records – Covered under FERPA

Personally Identifiable Education Records are defined as any Education Records that contain one or more of the following personal identifiers:

• Student number
• Grades, GPA, credits enrolled
• Social Security number
• A list of personal characteristics or any other information that would make the student's identity easily traceable

Note: The University classifies directory information that is generally considered to be public information as Public. See Valparaiso University's Student Records Policy (FERPA) (http://www.valpo.edu/generalcounsel/assets/docs/Ferpa.pdf) for more information on this directory information and on what constitutes an Education Record.

Payment Card Information

Payment card information is defined as a credit card number (also referred to as a primary account number or PAN) in combination with one or more of the following data elements:

• Cardholder name
• Service code
• Expiration date
• CVC2, CVV2 or CID value
• PIN or PIN block
• Contents of a credit card's magnetic stripe

Federal Tax Information ("FTI")

Federal Tax Information (FTI) is defined as any return, return information or taxpayer return information that is entrusted to the University by the Internal Revenue Services. See "Internal Revenue Service Publication 1075: Tax Information Security Guidelines" (http://www.irs.gov/pub/irs-pdf/p1075.pdf) under for more information.

Protected Health Information ("PHI")

Protected Health Information ("PHI") is individually identifiable health information, including demographic information, collected from an individual or created or received by a health care provider, a health care clearinghouse, a health plan, or Valparaiso University on behalf of a group health plan, which relates to:

• An individual's past, present or future physical or mental health or condition;
• Providing health care to an employee or student; or
• Making past, present or future payments for providing health care to an employee or student.

PHI is considered individually identifiable if it contains one or more of the following identifiers:

• Name
• Address (all geographic subdivisions smaller than state including street address, city, county, precinct or zip code)
• All elements of dates (except year) related to an individual including birth date, admissions date, discharge date, date of death and exact age if over 89)
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate number
• Device identifiers and serial numbers
• Universal Resource Locators (URLs)
• Internet protocol (IP) addresses
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic or code that could identify an individual

Note: Valparaiso University does not collect, maintain, or have access to employee health records except when required for administration of the health insurance Group Benefit Plans or when required by business necessity. In such cases, the following documents may be accessible:

• Health insurance application form
• Life insurance application form
• Request for medical leave of absence
• Workers' compensation report of injury or illness
• OSHA injury and illness reports

The list of accessible documents (above) may vary based on the situation and necessary involvement of the Human Resources Office. Full details are outlined in the University HIPAA Policy (http://www.valpo.edu/generalcounsel/assets/docs/hipaa%20vu%20policy%20notice.pdf).

Related state or federal privacy regulations

Laws that influence and affect these guidelines include but are not limited to:

• Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act) http://www.cleryact.info
• Children's Online Privacy Protection Rule (COPPA) https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule
  * The Digital Millennium Copyright Act (DMCA)http://www.copyright.gov/legislation/dmca.pdf?
• Electronic Communications Privacy Act of 1986 (ECPA)https://it.ojp.gov/default.aspx?area=privacy&page=1285
• Family Educational Rights and Privacy Act (FERPA) http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
• Higher Education Opportunity Act (HEOA) http://www2.ed.gov/policy/highered/leg/hea08
• Gramm-Leach-Bliley Act - Privacy of Consumer Financial Information (GLBA)https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/privacy-consumer-financial-information
  * Health Insurance Portability and Accountability Act of 1996 (HIPAA) http://www.hhs.gov/ocr/hipaa/?
• USA Patriot Acthttp://www.justice.gov/archive/ll/highlights.htm
• Various State Security Breach Notification Laws, including Indianahttp://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

Related Policies and Guidelines

• Information Security Policy To be drafted
• Student Records Policy (FERPA) http://www.valpo.edu/generalcounsel/assets/docs/Ferpa.pdf
• HIPAA Policy http://www.valpo.edu/generalcounsel/assets/docs/hipaa%20vu%20policy%20notice.pdf
• Record Retention and Document Destruction Policy http://www.valpo.edu/generalcounsel/assets/docs/Records%20Retention%20Schedule.pdf
• Federal Information Processing Standards Publication 199: Standards for Security Categorizationhttp://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

• Internal Revenue Service Publication 1075: Tax Information Security Guidelines http://www.irs.gov/pub/irs-pdf/p1075.pdfh1. Data Handling Recommendations
  The following table outlines recommended safeguards for protecting data and data collections based on their classification. In addition to the following data security guidelines, any data covered by federal or state laws or regulations or contractual agreements should meet the security requirements defined by those laws, regulations, or contracts.

  Security Control Category	Data Classification
  	Public	Private	Restricted
  Access Controls (Who has privileges to access information; technical controls for access)	No restriction for viewing. Authorization by Data Governor is required for access to modify. Authentication is required for access to modify.	Access to view or modify is restricted to authorized individuals as needed for business-related roles. Authorization by Data Governor is required for access. Authentication is required for access. Multi-factor authentication is recommended. Remote access by third party for technical support is limited to authenticated, temporary access via direct connection or secure protocols over the Internet with continuous oversight by authorized University Personnel. Network access via local network or VPN is recommended.	Access to view or modify is restricted to authorized individuals as needed for business-related roles. Authorization by Data Governor is required for access. Authentication is required for access. Multi-factor authentication is recommended. Confidentiality agreement is required. Remote access by third party for technical support is limited to authenticated, temporary access via direct connection or secure protocols over the Internet with continuous oversight by authorized University Personnel. Network access via local network or VPN is required.
  Copying/Printing/Transmission (Applies to both paper and electronic format)	No restrictions.	Copies should be limited to individuals with a need to know. Copies should not be left unattended on a printer/fax. Copies can be sent via Campus Mail or University email system. Digital encryption is recommended (e.g., via SSL or secure file transfer protocols).	Copies should be limited to individuals authorized to access the data and who have signed a confidentiality agreement. Copies should not be left unattended on a printer/fax. Digital encryption is recommended (e.g., via SSL or secure file transfer protocols). Should not transmit via e-mail unless encrypted and secured with a digital signature.
  Network Security (The network to which the system hosting or managing the data is directly connected.)	May reside on a public or unsecure network. Protection with a firewall is recommended. Protection only with router access control lists (ACLs) acceptable. IDS/IPS (intrusion detection system / intrusion prevention system) protection is recommended.	Protection with a network firewall is required. Protection with router ACLs is recommended. System or server hosting the data should not be visible to entire Internet. IDS/IPS protection is recommended.	Protection with a network firewall is required. Protection with router ACLs is recommended. System or server hosting the data must not be visible to the entire Internet nor to unauthorized subnets. IDS/IPS protection is recommended.
  System Security (The system that hosts or manages access to the data. Applies to both centrally-managed and end-user devices)	Should follow general best practices for system management and security. Host-based software firewall is recommended.	Must follow University-specific and OS-specific best practices for system management and security. Protection with a firewall is recommended. IDS/IPS protection is recommended. Use of system managed in University Data Center or University-approved Cloud Provider is recommended.	Must follow University-specific and OS-specific best practices for system management and security. Protection with a firewall is required. IDS/IPS protection is recommended. Use of system managed in University Data Center or University-approved Cloud Provider is required.
  Physical Security (Physical security of area where the system hosting or managing access to the data is located)	System or location should be locked or system logged out when unattended.	System should be locked or logged out when unattended. Located in a secure locked location is recommended; the University Data Center or University-approved Cloud Provider is recommended.	System must be locked or logged out when unattended. Located in a secure locked location is required; the University Data Center or University-approved Cloud Provider is required.
  Data Storage	No restrictions.	Storage on a secure server is recommended. Storage in University Data Center or University-approved Cloud Provider is recommended. If data stored on individual workstation or mobile device, encryption is recommended.	Storage on a secure server is recommended. Storage in University Data Center or University-approved Cloud Provider is recommended. If data stored on individual workstation or mobile device, encryption is required.
  Backup/Disaster Recovery	Regular data backup is recommended.	Daily backup is recommended. Off-site storage is recommended. Encryption on backup media is recommended.	Daily backup is required. Off-site storage in a secure location is required. Encryption on backup media is recommended.
  Media Sanitization and Disposal (Hard drives, CDs, DVDs, tapes, paper, etc.)	No restrictions.	Shred reports; destroy electronic media.	Shred reports. Destroy or overwrite electronic media.
  Security Awareness Training	General security awareness training is recommended.	General security awareness training is required. Data security training is required.	General security awareness training is required. Data security training is required. Applicable policy and regulation training is required.
  Workstations and Mobile Devices (E.g., individual workstations, laptop computers, tablets, smartphones, or similar devices)	Password protection is recommended; workstation inactivity auto-lock is recommended.	Password protection is recommended; workstation inactivity auto-lock is recommended. Encryption is recommended when data stored on device.	Password protection is required; workstation inactivity auto-lock is required. Encryption is required when data stored on device.

  Definitions

  University-approved Cloud Provider – An externally hosted service or system that has been designated by the University as appropriate for specific data storage or management functionalities. Examples include Google Apps for Education, iModules (Alumni portal), SchoolDude (Facilities Management), Handshake, EMS, among others. These services have been vetted and contracted (typically) by the University to meet specific information security and data handling standards as appropriate to the type of information processing performed by each system.