- Home
- My St. John's
- Policy 922 - Information Classification Policy
Section: Information Technology
Policy Number: 922
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19; 6/11/20
Policy Statement
The objective of this policy is to provide a classification system for all St. John’s University (St. John’s) data and documents (information assets) to which an appropriate security class can be assigned.
St. John’s holds many information assets that must be protected against unauthorized access, disclosure, modification, or other misuses. Efficient management of these assets is also necessary in order to comply with legal obligations, such as the General Data Protection Regulation (GDPR).
Different types of information assets require different security measures. Proper classification is vital to ensuring effective data security and management. Each security class listed in the summary tables below has defined data management controls that determine how information assets should be handled throughout its lifecycle. These controls are applied to all information assets held by St. John’s.
Scope and Applicability
This policy is to be applied to all information held by St. John’s, including data and documents relating to teaching, research, and administration. The focus of the policy is on information held in an electronic format; however, the policy also requires departments to apply appropriate controls to information held in hard copy. The policy encompasses storage, access, sharing and resilience of information assets. The scope of this policy covers the entire University Community.
Policy
Data classification establishes management’s tolerance of risk through the categorization of data, which conveys required safeguards for information confidentiality, integrity, and availability. These protection measures are usually based on qualified information value and risk acceptance.
St. John’s has set forth the following data classification based on the level of sensitivity, value, and the aptitude of impact incurred when altered, disclosed, and/or destroyed.
Data classification takes into account the following: reputational; financial; operational; strategic; and compliance impact to St. John’s.
St. John’s Data is classified into three categories:
- Restricted Protected Data
- Private Protected Data
- Non-Public Data and Public Data
Data Classification | Risk from Disclosure | Description | Examples |
Category I: Restricted Protected Data | High | Personally identifiable data includes information whose unauthorized access or loss could seriously or adversely affect: St. John's; an authorized, contracted partner; specific individuals; or the public. Security breaches of this information may be subject to breach notification laws. Regulated data includes information subject to federal, state, or business regulations (e.g., HIPAA, PCI, Red Flag Rules) that require specific levels of protection to prevent its unauthorized use. | Statutory Data
Declared Data
These examples are not an exhaustive list of this classification's data.
|
Data Classification | Risk from Disclosure | Description | Examples |
Category II: Private Protected Data | Moderate | Category II includes regulated data subject to FERPA or other federal, state, or business regulation; any data specifically exempt from release/disclosure to the public by regulation. |
These examples are not an exhaustive list of this classification's data. |
Data Classification | Risk from Disclosure | Description | Examples |
Category III: | Low | All non-public data not included in Category I & II and data for which disclosure poses limited impact or risk to St. John's or individuals. Public data: St. John's must take steps to protect the accuracy of this data. |
These examples are not an exhaustive list of this classification's data. |
Definitions
The following are definitions relevant to the policy:
- Computing Resources: All St. John’s information processing resources including all St. John’s owned, licensed, or managed computing services, hardware, software, and use of St. John’s network via physical or wireless connection regardless of the ownership of the computer or device connected to the network.
- Institutional Data: All data owned or licensed by St. John’s.
- University Community: Includes faculty, administrators, staff, student workers, graduate/technical assistants, alumni, interns, guests or agents of the administration, external individuals and organizations accessing St. John’s network services, and other authorized users.
- Information Asset: A collection of any type of data, irrespective of type (e.g. numerical data, text) and form (e.g. digital or hard copy).
- Data Owner: The person or department who acts as the principle authority and has overall responsibility for the information asset and for ensuring that it is managed securely and in compliance with St. John’s and government regulations and policies. The Data Owner may delegate day-to-day responsibility for management of the data to a Data Administrator, service group or other persons.
- Data Administrator: The staff member or department delegated with overall responsibility for day-to-day management of the information asset in accordance with St. John’s and government regulations and policies. Processes and procedures used to manage the data should have been implemented by the Data Owner. For some data, particularly small datasets, the Data Owner and Data Administrator may be the same person.
- Security Class: Defines how an information asset should be handled. The classes are: Open, Confidential and Secret. The classification of an information asset may change over time.
- Data Management Plan: A document that describes how the data associated with a project will be handled, both during its lifetime and after it has been completed.
- Information Asset Register: A document listing information assets and key metadata about them: owner, administrator, location, user access, retention policy, and information class.
Compliance
St. John’s reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance must be presented to, reviewed, and approved by the CIO, the Director of Information Security, or the equivalent officer(s).
All breaches of information security, actual or suspected, must be reported to, and investigated by the CIO and the Director of Information Security.
Those who violate security policies, standards, or security procedures are subject to disciplinary action up to and including loss of computer access and appropriate disciplinary actions as determined by St. John’s.