Information Technology Services

Data Classification Policy

Effective March 30, 2020

1.0 Purpose

The purpose of this policy is to define the data classification requirements for information assets in electronic format and to ensure that data is secured and handled according to its sensitivity and the impact that theft, corruption, loss or exposure would have on the institution.

This policy has been developed to assist Union College and provide direction to the institution regarding identification, classification and handling of information assets.

    2.0 Definitions

    Data: Information in a specific representation, usually as a sequence of symbols that have meaning.

    Data Asset: Any entity that is comprised of data. The terms “information asset” and “data asset” are used interchangeably throughout this document.

    Source: Committee on National Security Systems Instruction No. 4009 (CNSSI-4009)

      3.0 Scope

      The scope of this policy includes all information assets governed by Union College. All personnel and third parties who have access to or utilize assets to process, store and/or transmit information for or on the behalf of Union College shall be subject to these requirements. This policy does not apply to:

      • Personal information,
      • Faculty Research, or
      • Teaching materials.

      4.0 Policy

      Union College has established the following requirements enumerated below regarding the classification of data to protect the institution’s information:

      4.1 Data Ownership and Accountability

      Data owners are identified as the individuals, roles or committees primarily responsible for information assets. These individuals are responsible for:

      • Identifying the organization’s information assets under their areas of supervision; and
      • Maintaining an accurate and complete inventory for data classification and handling purposes.

      Data owners are accountable for ensuring that their information assets receive an initial classification upon creation and a re-classification whenever reasonable. Re-classification of an information asset should be performed by the asset owners whenever the asset is significantly modified. Additionally, data owners are also responsible for reporting deficiencies in security controls to management.

      4.2 Data Classification

      Classification of data will be performed by the data asset owner based on specific, finite criteria. Refer to the Data Classification and Handling Procedure to determine how data should be classified. Data classifications will be defined as follows:

      • HIGH RISK - Information whose loss, corruption, or unauthorized disclosure would cause severe personal, financial or reputational harm to the institution, institution staff or the community we serve. Federal or state breach notification would be required, identity or financial fraud, extreme revenue loss, or the unavailability of extremely critical systems or services would occur. Common examples include, but are not limited to, some elements of Family Educational Rights and Privacy Act (FERPA) data, financial aid data covered under Title IV of the Higher Education Act (as amended) and Gramm-Leach-Bliley Act (15 U.S. Code § 6801), social security number, banking and health information, payment card information and information systems’ authentication data.
      • MEDIUM RISK – Information whose loss, corruption, or unauthorized disclosure would likely cause limited personal, financial or reputational harm to the institution, institution staff or the community we serve. Federal or state breach notification would not be required, limited identity theft and very little revenue loss would occur, and the availability of critical systems would not be affected. Common examples include, but are not limited to, some elements of Family Educational Rights and Privacy Act (FERPA) data, some data elements found in HR employment records, and passport and visa numbers.
      • LOW RISK – Information whose loss, corruption, or unauthorized disclosure would cause minimal or no personal, financial or reputational harm to the institution, institution staff or the community we serve. Common examples include, but are not limited sales and marketing strategies, promotional information, and policies.

      4.3 DIRECTORY INFORMATION

      4.3.1 Academic Personnel and Staff Directory Information

      Academic Personnel and Staff Directory Information is defined as the following:

      • Full Name
      • Title
      • Department
      • Office location
      • Room
      • Phone Extension
      • Email address

      4.3.2 Student Directory Information

      Student Directory Information is defined as the following:

      • Name of student
      • Telephone number
      • Email address
      • Class level
      • Dates of attendance
      • Major field of study
      • Number of course units in which student is enrolled
      • Degrees and honors received
      • Last school attended
      • Participation in official student activities
      • For intercollegiate athletic team members only:
        • Height
        • Weight

      4.4 Data Handling

      Information assets shall be handled according to their prescribed classification, including access controls, labeling, retention policies and destruction methods. The specific methods must be described in the Data Classification and Handling Procedure.

      4.5 Re-Classification

      A re-evaluation of classified data assets will be performed at least once per year by the responsible data owners. Re-classification of data assets should be considered whenever the data asset is modified, retired or destroyed.

      4.6 Classification Inheritance

      Logical or physical assets that “contain” a data asset may inherit classification from the data asset(s) contained therein. In these cases, the inherited classification shall be the highest classification of all contained data assets.

        5.0 Enforcement

        Users who violate this policy may be denied access to the institution’s resources and may be subject to penalties and disciplinary action both within and outside of the institution. The institution may temporarily suspend or block access to an account, prior to the initiation or completion of such procedures, when it reasonably appears necessary to do so in order to protect the integrity, security or functionality of institution or other computing resources or to protect the institution from liability.

        6.0 Exceptions

        Exceptions to this policy must be approved in advance by the Chief Information Officer, at the request of the responsible data asset owner. Approved exceptions must be reviewed and re-approved annually.

        7.0 References

        • Americans with Disabilities Act of 2990
        • Children’s Online Privacy Protection Act of 1998 (COPPA)
        • Electronic Communications Privacy Act
        • Fair Credit Reporting Act (FCRA)
        • Fair and Accurate Credit Transaction Act (FACTA)
        • Federal Information Processing Standard Publication 199 (FIPS-199)
        • Federal Information Security Management Act (FISMA)
        • Freedom of Information Act
        • Gramm-Leach-Bliley Act (15 U.S. Code § 6801)
        • HIPAA
        • NIST Special Publication 800-53 r4
        • Title IV of the Higher Education Act (as amended)