Policy 922 - Information Classification Policy

Section: Information Technology
Policy Number: 922
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19

Policy Statement

The objective of this policy is to provide a classification system for all University data and documents (information assets) to which an appropriate security class can be assigned.

The University holds many information assets that must be protected against unauthorized access, disclosure, modification, or other misuses. Efficient management of these assets is also necessary in order to comply with legal obligations, such as the General Data Protection Regulation (GDPR).

Different types of information assets require different security measures. Proper classification is vital to ensuring effective data security and management. Each security class listed in the summary tables below has defined data management controls that determine how information assets should be handled throughout its lifecycle. These controls are applied to all information assets held by St. John’s University (St. John’s).

Scope and Applicability

This policy is to be applied to all information held by St. John’s, including data and documents relating to teaching, research and administration. The focus of the policy is on information held in an electronic format; however, the policy also requires departments to apply appropriate controls to information held in hard copy. The policy encompasses storage, access, sharing and resilience of information assets.

Policy

Data classification establishes management’s tolerance of risk through the categorization of data to convey required safeguards for information confidentiality, integrity and availability. These protection measures are usually based on qualified information value and risk acceptance.  

St. John’s has set forth the following data classification based on the level of sensitivity, value, and the aptitude of impact incurred when altered, disclosed, and/or destroyed.

Data classification takes into account the following: reputational; financial; operational; strategic; and compliance impact to the University.

St. John’s Data is classified into three categories:

  • Restricted Protected Data
  • Private Protected Data
  • Non - Public Data and Public Data

Data Classification

Risk from Disclosure

Description

Examples

Category I: Restricted Protected DataHighPersonally identifiable data includes information whose unauthorized access or loss could seriously or adversely affect: the University; an authorized, contracted partner; specific individuals; or the public. Security breaches of this information may be subject to breach notification laws. 

Regulated data includes information subject to federal, state, or business regulations (e.g., HIPAA, PCI, Red Flag Rules) that require specific levels of protection to prevent its unauthorized use. 

Statutory Data

  • Social Security Number
  • Driver's License Number
  • DMV State-issued Non-driver's ID number 
  • Passport Number
  • Bank/Financial Account Number
  • Credit/Debit Card Number
  • Electronic Protected Health Information-HIPAA
  • Gramm Leach Bliley data and other data protected by law or regulation
  • FERPA-protected data
  • Electronic Credentials (PINS, Passwords, Tokens, etc.)
  • Law Enforcement Active Investigation Data

Declared Data

  • System Administrator/Net ID Authentication Credentials
  • Attorney-Client Privilege
  • Information

These examples are not an exhaustive list of this classification's data.

 

 

Data Classification

Risk from Disclosure

Description

Examples

Category II: Private Protected Data

Moderate

Category II includes regulated data, subject to FERPA or other federal, state, or business regulation; any data specifically exempt from release/disclosure to the public by regulation. 

  • Academic transcript
  • Student Disciplinary or Judicial Action Information
  • Law Enforcement Investigation Data
  • Other HR Employee Data
  • Collective Bargaining Agreement Confidential Proceedings 
  • Public Safety Information
  • IT Infrastructure Data
  • Protected Data Related to Research
  • University Intellectual Property
  • University Proprietary Data
  • University Non-Public Financial Data
  • Non-Public Meeting Minutes
  • Data about decisions that affect the public
  • Human subject research
  • Immigration documents (e.g. visas)
  • Administrative process data
  • University XID number
  • Licensed Software
  • Donor Records (individual)
  • Employee ID Card
  • Data protected by non-disclosure agreements
  • Collective Bargaining/Contract Negotiation Data
  • Final Course Grades (Exam Questions and Answers)

These examples are not an exhaustive list of this classification's data.

 

Data Classification

Risk from Disclosure

Description

Examples

Category III: 
Non-Public Data And Public Data

Low

All non-public data not included in Category I & II and data for which disclosure poses limited impact or risk to the University or individuals.

Public data: The University must take steps to protect the accuracy of this data.

  • University/FERPA Classified Directory Information (unless there is a privacy block)
  • Course Catalog 
  • Public website
  • Published Research

These examples are not an exhaustive list of this classification's data. 

Definitions

The following are the definitions relevant to the policy:

  • Computing Resources: All University information processing resources including all University owned, licensed, or managed computing services, hardware, software, and use of the University network via physical or wireless connection regardless of the ownership of the computer or device connected to the network.
  • Institutional Data: All data owned or licensed by the University
  • University Community: Includes faculty, administrators, staff, student workers, graduate/technical assistants, alumni, interns, guests or agents of the administration, external individuals and organizations accessing University network services, and other authorized users.
  • Information Asset: An information asset is a collection of any type of data, irrespective of type (e.g. numerical data, text) and formation (e.g. digital or hard copy).
  • Data Owner: The Data Owner is the person or department within UEA who acts as the principle authority and has overall responsibility for the information asset and for ensuring that it is managed securely and in compliance with University and government regulations and policies. The Data Owner may delegate day-to-day responsibility for management of the data to a Data Administrator, service group or other persons.
  • Data Administrator: The Data Administrator is the UEA staff member or department delegated with overall responsibility for day-to-day management of the information asset in accordance with University and government regulations and policies. Processes and procedures used to manage the data should have been agreed with the Data Owner. For some data, particularly small datasets, the Data Owner and Data Administrator may be the same person.
  • Security Class: Defines how an information asset should be handled. The classes are: Open, Confidential and Secret. The classification of an information asset may change over time.
  • Data Management Plan: A document which describes how you will handle the data associated with a project, both during its lifetime and after it has completed.
  • Information Asset Register: A document listing your information assets and key metadata about them: owner, administrator, location, user access, retention policy, and information class.

Compliance

The University reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance must be presented to and reviewed and approved by the CIO, the Director of Information Security, or the equivalent officer(s).

All breaches of information security, actual or suspected, must be reported to, and investigated by the CIO and the Director of Information Security. 

Those who violate security policies, standards, or security procedures are subject to disciplinary action up to and including loss of computer access and appropriate disciplinary actions as determined by the University.

Related Policies, Standards or Regulations

  • STD-DC-001 Data Classification Standard