
Information Technology Security Plan
Data Classification Policy (10.8)

Responsible executive: CIO
Responsible office: ITS
Approval date: 7/01/2016
Effective date: 7/01/2016
Related policies: IT Security Plan, Administrative Access Security Policy

1.0 Policy Statement

All members of the university community have a responsibility to protect university data from unauthorized access, modification, disclosure, transmission or destruction. Data classification is a method of assigning a level of sensitivity to data. The classification of the data determines the extent to which it needs to be controlled and secured. This policy defines the required data protection criteria based on its classification.

2.0 Reason for Policy

The purpose of this policy is to provide a framework for securing data from unauthorized disclosure, use, modification and deletion based on its classification level.

3.0 Applicability

This policy applies to all employees, students, contractors and other affiliates who are authorized to access institutional data.

4.0 Policy

4.1 Data Classification Scheme

Data and information assets are classified according to the risks associated with the data being stored or processed. Data with the highest risk need the greatest level of protection to prevent compromise. Three levels of data classification will be used to classify university data based on how the data are used, their sensitivity to unauthorized disclosure, and compliance with state and federal regulations:

• Public - Data approved for distribution to the public without restriction. It can be freely distributed without potential harm to the university, affiliates, or individuals. Public data generally have low sensitivity; however, they may still be subject to university disclosure rules. Examples include:

  o SSU public web site
  o Directory information
  o Press releases


• Sensitive - Data that is restricted to members of the university community who have a legitimate purpose to access the information. Sensitive data must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use. Examples include:

  o Employment data
  o Financial transactions
  o Purchasing data

• Confidential - Data that is restricted and must be controlled from creation to destruction. Access to restricted data must be requested from and authorized by the data owner who is responsible for the data. Access to restricted data will be granted only to those persons who require access in order to perform their job, or to those individuals permitted by law. Examples include:

  o Medical records
  o Social Security number
  o Credit card number

4.2 Data Security Standards

The following defines the data security controls that safeguard data based on classification level. In addition to the following data security standards, any data covered by federal or state laws, regulations or contractual agreements must meet the security requirements defined by those laws, regulations, or contracts.

Public data:

• No restriction for viewing
• Authorization by data owner required for modification

Sensitive data:

• Viewing and modification restricted to authorized users
• Authentication and authorization required for access
• Data owner grants permission for access with supervisor approval

Confidential data:

• Viewing and modification restricted to authorized users
• Authentication and authorization required for access
• Data owner grants permission for access with supervisor approval
• Confidentiality agreement required