Policy 922 - Information Classification Policy

Section: Information Technology
Policy Number: 922
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19; 6/11/20

Policy Statement

The objective of this policy is to provide a classification system for all St. John’s University (St. John’s) data and documents (information assets) to which an appropriate security class can be assigned.

St. John’s holds many information assets that must be protected against unauthorized access, disclosure, modification, or other misuses. Efficient management of these assets is also necessary in order to comply with legal obligations, such as the General Data Protection Regulation (GDPR).

Different types of information assets require different security measures. Proper classification is vital to ensuring effective data security and management. Each security class listed in the summary tables below has defined data management controls that determine how information assets should be handled throughout its lifecycle. These controls are applied to all information assets held by St. John’s.

Scope and Applicability

This policy is to be applied to all information held by St. John’s, including data and documents relating to teaching, research, and administration. The focus of the policy is on information held in an electronic format; however, the policy also requires departments to apply appropriate controls to information held in hard copy. The policy encompasses storage, access, sharing and resilience of information assets. The scope of this policy covers the entire University Community.

Policy

Data classification establishes management’s tolerance of risk through the categorization of data, which conveys required safeguards for information confidentiality, integrity, and availability. These protection measures are usually based on qualified information value and risk acceptance.

St. John’s has set forth the following data classification based on the level of sensitivity, value, and the aptitude of impact incurred when altered, disclosed, and/or destroyed.

Data classification takes into account the following: reputational; financial; operational; strategic; and compliance impact to St. John’s.

St. John’s Data is classified into three categories:

Restricted Protected Data
Private Protected Data
Non-Public Data and Public Data

Data Classification

Risk from Disclosure

Description

Examples

Category I: Restricted Protected Data

High

Personally identifiable data includes information whose unauthorized access or loss could seriously or adversely affect: St. John's; an authorized, contracted partner; specific individuals; or the public. Security breaches of this information may be subject to breach notification laws.

Regulated data includes information subject to federal, state, or business regulations (e.g., HIPAA, PCI, Red Flag Rules) that require specific levels of protection to prevent its unauthorized use.

Statutory Data

Social Security Number
Driver's License Number
DMV State-issued Non-driver's ID Number
Passport Number
Bank/Financial Account Number
Credit/Debit Card Number
Electronic Protected Health Information-HIPAA
Gramm Leach Bliley data and other data protected by law or regulation
FERPA-protected data
Electronic Credentials (PINS, Passwords, Tokens, etc.)
Law Enforcement Active Investigation Data

Declared Data

System Administrator/Net ID Authentication Credentials
Attorney-Client Privilege
Information

These examples are not an exhaustive list of this classification's data.

Data Classification

Risk from Disclosure

Description

Examples

Category II: Private Protected Data

Moderate

Category II includes regulated data subject to FERPA or other federal, state, or business regulation; any data specifically exempt from release/disclosure to the public by regulation.

Academic Transcript
Student Disciplinary or Judicial Action Information
Law Enforcement Investigation Data
Other HR Employee Data
Collective Bargaining Agreement Confidential Proceedings
Public Safety Information
IT Infrastructure Data
Protected Data Related to Research
St. John’s Intellectual Property
St. John’s Proprietary Data
St. John’s Non-Public Financial Data
Non-Public Meeting Minutes
Data about Decisions that Affect the Public
Human Subject Research
Immigration documents (e.g. Visas)
Administrative Process Data
St. John’s XID number
Licensed Software
Donor Records (individual)
Employee ID Card
Data Protected by Non-Disclosure Agreements
Collective Bargaining/ Contract Negotiation Data
Final Course Grades (Exam Questions and Answers

These examples are not an exhaustive list of this classification's data.

Data Classification

Risk from Disclosure

Description

Examples

Category III:
Non-Public Data And Public Data

Low

All non-public data not included in Category I & II and data for which disclosure poses limited impact or risk to St. John's or individuals.

Public data: St. John's must take steps to protect the accuracy of this data.

St. John's /FERPA Classified Directory Information (unless there is a privacy block)
Course Catalog
Public website
Published Research

These examples are not an exhaustive list of this classification's data.

Definitions

The following are definitions relevant to the policy:

Computing Resources: All St. John’s information processing resources including all St. John’s owned, licensed, or managed computing services, hardware, software, and use of St. John’s network via physical or wireless connection regardless of the ownership of the computer or device connected to the network.
Institutional Data: All data owned or licensed by St. John’s.
University Community: Includes faculty, administrators, staff, student workers, graduate/technical assistants, alumni, interns, guests or agents of the administration, external individuals and organizations accessing St. John’s network services, and other authorized users.
Information Asset: A collection of any type of data, irrespective of type (e.g. numerical data, text) and form (e.g. digital or hard copy).
Data Owner: The person or department who acts as the principle authority and has overall responsibility for the information asset and for ensuring that it is managed securely and in compliance with St. John’s and government regulations and policies. The Data Owner may delegate day-to-day responsibility for management of the data to a Data Administrator, service group or other persons.
Data Administrator: The staff member or department delegated with overall responsibility for day-to-day management of the information asset in accordance with St. John’s and government regulations and policies. Processes and procedures used to manage the data should have been implemented by the Data Owner. For some data, particularly small datasets, the Data Owner and Data Administrator may be the same person.
Security Class: Defines how an information asset should be handled. The classes are: Open, Confidential and Secret. The classification of an information asset may change over time.
Data Management Plan: A document that describes how the data associated with a project will be handled, both during its lifetime and after it has been completed.
Information Asset Register: A document listing information assets and key metadata about them: owner, administrator, location, user access, retention policy, and information class.

Compliance

St. John’s reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance must be presented to, reviewed, and approved by the CIO, the Director of Information Security, or the equivalent officer(s).

All breaches of information security, actual or suspected, must be reported to, and investigated by the CIO and the Director of Information Security.

Those who violate security policies, standards, or security procedures are subject to disciplinary action up to and including loss of computer access and appropriate disciplinary actions as determined by St. John’s.