Data Classification Policy
All members of the Lycoming College community have a responsibility to protect Institutional Data from unauthorized access, modification, or disclosure and are expected to understand and comply with this policy. Data Classification is an established framework for classifying institutional data based on its level of sensitivity, value, and criticality to the College. The classification of data will aid in determining the baseline security controls for the protection of data.
This policy applies to all faculty, staff, students, student employees, volunteers, and contractors who have access to Institutional Data. This policy covers data that is stored, accessed, or transmitted in any and all formats, including electronic, magnetic, optical, paper, or other non-digital formats. With the exception of those classes of data expressly protected by statute, contract, or industry regulation, the data classification examples presented below are guidelines. The data owner and data stewards are ultimately responsible for the classification of data under his or her management. Classifications for particular data sets may be adjusted based on risk assessment or documented business need.
Roles and Responsibilities
Data Owner — the Administrative Cabinet member who has organizational responsibility for the College Information Systems and/or Institutional Data used and maintained within their division.
- Review and recommend strategies to implement information security policies.
- Analyze the business impact of proposed strategies.
- Approve proposed strategies.
- Champion accepted strategies within their respective division.
- Consult with appropriate parties on the review and approval of information security policy exceptions.
Data Steward — a senior-level employee of the College who oversees the lifecycle of one or more sets of Institutional Data
- Assign an appropriate classification to Institutional Data.
- Assign day-to-day administrative and operation responsibility for Institutional Data to one or more Data Custodians.
- Approve standards and procedures related to day-to-day administrative and operational management of Institutional Data.
- Ensure Data Custodians implement reasonable and appropriate security controls to protect the confidentiality, integrity and availability of Institutional Data.
- Understand and approve how Institutional Data is stored, processed and transmitted by the College and by third-party agents of the College.
- Define risk tolerance related to security threats that impact the confidentiality, integrity and availability of Institutional Data.
- Understand how Institutional Data is governed by College policies, state and federal regulations, contracts and other legally binding agreements.
Data Custodian — an employee of the College who has administrative and/or operational responsibility over Institutional Data
- Understand and report on how Institutional Data is stored, processed and transmitted by the College and by third-party agents of the College.
- Implement appropriate physical and technical safeguards to protect the confidentiality, integrity and availability of Institutional Data.
- Document and disseminate administrative and operational procedures to ensure consistent storage, processing and transmission of Institutional Data.
- Provision and deprovision access to Institutional Data as authorized by the Data Steward.
- Understand and report on security risks and how they impact the confidentiality, integrity and availability of Institutional Data.
Data User — is any employee, contractor or third-party agent of the College who is authorized to access College Information Systems and/or Institutional Data.
- Adhere to policies, guidelines and procedures pertaining to the protection of Institutional Data.
- Report actual or suspected vulnerabilities in the confidentiality, integrity or availability of Institutional Data to a manager and the Chief Information Officer.
- Report actual or suspected breaches in the confidentiality, integrity or availability of Institutional Data to a manager and the Chief Information Officer.
Data that is created, processed, collected, or maintained by the College is classified into the following three categories:
- Restricted Data (Confidential)
- Private Data (Sensitive)
- Public Data
Restricted Data (Confidential)
- Data are considered Restricted when their unauthorized disclosure, alteration or destruction would cause a significant level of risk to the College or its affiliates. Restricted data should only be disclosed to individuals and business partners on a strict need-to-know basis.
- Examples of Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements.
- Payment Card Industry (PCI) data including credit card numbers, card security codes (CVV2 codes), and authorization codes
- Password, password hashes, encryption keys and cryptographic tokens used for authentication to a College information systems or for the encryption of any other restricted data.
- Personal (unique) identification details including Social Security Number, driver's license, passport and student/travel visa numbers
- Health Insurance Portability and Accountability Act (HIPAA) data including healthcare information and insurance policy numbers
- Magnetic stripes, barcodes or proximity (RFID, NFC, etc.) data which is encoded on identification cards or key fobs and is used for authentication, point of sale, or physical security systems.
- Financial account details including checking, investment, or retirement account numbers.
- Transmission and storage of Restricted data must maintain the highest level of protection.
- Must never be transmitted via email or text.
- Strong passwords and stored on devices which have protection and encryption measures.
- Protected by ITS-approved encryption when stored on any device or media that are not physically tethered to the College (mobile devices, optical or flash media, or backup tapes.
- Protected by ITS-approved encryption when transmitted across public networks such as the Internet.
- Protected by multi-factor authentication whenever such capabilities exist.
- Accessed via an ITS-approved secure (VPN like) connection when queried from a remote location.
- Stored only on College-owned devices. Confidential data are not permitted to be stored on any personally owned devices including mobile phones, laptops, or home computers.
- Must be stored only in a locked drawer; a locked room; an area where access is controlled by a guard, cipher lock, and/or card reader; or an area that has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other individuals not on a need-to-know basis.
Private Data (Sensitive)
- Data are considered Private when their unauthorized disclosure, alteration or destruction would cause a moderate level of risk to the College or its affiliates. By default, all institutional data that is not explicitly classified as Restricted or Public data should be treated as Private data.
- Examples of Private data include data that must be guarded due to proprietary, ethical, privacy, or business process considerations. This classification applies even though there may be no legal or contractual controls which require such protection. By default, most administrative data fall into this classification.
- Admission applications
- Educational records and information protected by the Family Educational Rights and Privacy Act (FERPA)
- Employment applications, personnel files, benefits information, salary, birth dates, and personal contact information.
- Donor information: personal contact details, donation and gift amounts that are not disclosed to the public
- Privileged attorney-client communications
- Non-public College policies
- College internal memos and email, internal reports, budgets, plans, and financial information.
- Non-public contracts
- Faculty, staff, and student ID numbers
- Research data which has not been intentionally released.
- Transmission and storage of Private data requires some level of protection because its unauthorized disclosure, alteration, or destruction might cause damage to the College.
- Protected in order to prevent loss, theft, unauthorized access and/or unauthorized disclosure.
- Stored in a closed container (i.e. file cabinet, closed office, or department where electronic door access control systems are in place) in order to prevent disclosure when not in use.
- Must not be disclosed to parties outside the College without explicit written authorization by an appropriate data owner.
- Must not be stored on any cloud-based information systems not managed or contracted by the College.
- When practical, Private data should only be shared via systems which the College maintains full administrative control, which includes the ability to remove or modify the data in question.
- Information systems such as web servers must be properly secured to prevent the unauthorized modification of published private data.
- Interactive access to databases containing private data, should be properly secured.
Approved by the Information Technology Committee on 2016_11_22
- Data are considered Public when their unauthorized disclosure, alteration or destruction would cause little to no risk to the College or its affiliates. It should be understood that any information that is widely disseminated within the campus community is potentially available to the public at large.
- Examples of Public data include data that may or must be freely available to the general public. It is defined as information with no existing local, national, international, or contractual restrictions or access or usage.
- Faculty, staff, and student directories
- Campus maps
- Course Catalogs
- Event Calendars
- Transmission and storage of Public data must maintain proper security to prevent its unauthorized modification, unintended use, or distribution.
- When practical, public data should only be shared via systems which the College maintains full administrative control, which includes the ability to remove or modify the data in question.
- Information systems such as web servers must be properly secured to prevent the unauthorized modification of published public data.
- Interactive access to databases containing public data, such as online directories or library catalogs, should be properly secured using query rate limiting, CAPTCHAs, or similar technology to impede bulk downloads or entire collections of data.
Approved by the President’s Administrative Cabinet on 2017_03_08
Last Reviewed: 2017_03_08