Data Classification Standard
1. Overview
The University of Akron (UA) is committed to protecting the information that it holds. Improper access to and storage of data are a significant security and compliance risk to the university and must be mitigated.
2. Purpose
This standard outlines the current sensitivity classifications for UA data. It is UA’s responsibility to implement this standard to help users protect UA’s institutional data.
Certain statutes and regulations may require additional standards and procedures beyond the basic data handling guidelines for each classification defined here. Examples of these statutes and regulations include but are not limited to:
- FERPA – Family Educational Rights and Privacy Act
- GDPR – General Data Protection Regulation
- HIPAA – Health Insurance Portability and Accountability Act
- PCI-DSS – Payment Card Industry Data Security Standard
- Research involving CUI – Controlled Unclassified Information
3. Scope
This standard applies to all data collected, stored, or processed by university employees or by third parties via contractual agreements with university departments or units.
4. Definitions
- Data Owner – The individual or group who has accountability and authority to make decisions about a specific set of data. The Data Owner is responsible for the function or functions that collect and use the information, determines the levels of protection for the information, makes decisions on appropriate use of the information, and determines the appropriate classification of the information. This role generally falls to a functional academic or administrative area such as the Registrar, Human Resources, or the offices of the CFO and Provost.
- Data Steward – The person who is identified by the Data Owner to act, and to approve or deny access to data, on behalf of the Data Owner.
- Data Custodian – The persons or unit responsible for implementing the controls the Data Owner identifies. This role often includes Information Technology Services or departmental technology support.
- Data User – Any person who interacts with the data. This includes people or programs that create, update, read, or delete information.
- Protected Institutional Data – Any information classified as more restricted than Public use by this standard.
5. Standards
- Data and Risk Classifications
  - The university has defined four levels of data classification: Public, Internal, Private, and Restricted.
  - Public - Public data is data that is intended to be made available to the general public or is approved for publication.
    - Examples:
      - Public facing websites
      - Campus maps
      - Directory data that the student has not specified as restricted
      - Faculty/staff directory data
  - Internal - Internal data is the default classification category. Internal use data is not intended for public consumption but does not fit into a more restrictive category. Disclosure of Internal use data would not significantly harm the university. Access to Internal use data is determined by business process need.
    - Examples:
      - Fixed asset details
      - EmplID Numbers
      - UANet ID / email address
      - Admissions applications
      - Employee offer letters
      - Faculty tenure recommendations
      - Anything not Public, Private, or Restricted
  - Private - Private data is classified as private due to legal, regulatory, administrative, or contractual requirements; intellectual property or ethical considerations; strategic or proprietary value; and/or other special governance of such data. Access to, and management of, private data requires authorization and is only granted to those data users as permitted under applicable law, regulation, contract, rule, policy, and/or role.
    - Examples:
      - Last 4 digits of SSN
      - Grades/GPA/Transcripts (FERPA)
      - Home addresses
      - Controlled unclassified information (CUI)
      - NDA data
      - Research data
      - Research compliance data (ITAR, EAR)
      - Detailed floor plans showing gas, water, and sprinkler shut-offs, as well as locations of hazardous materials
  - Restricted - Restricted data is data that requires the highest level of protection due to legal, regulatory, administrative, contractual, rule, or policy requirements. Access to, and management of, restricted data is strictly limited, as unauthorized use or disclosure could substantially or materially impact the university’s mission, operations, reputation, or finances, or result in potential identity theft.
    - Examples:
      - Social Security Numbers (SSN)
      - Credit Card Numbers (PCI-DSS)
      - Personally Identifiable Information (PII)
      - HIPAA data
      - Protected Health Information (PHI)
      - Government ID information
      - Financial account information / Student loan information (GLBA)
      - Donor information
      - Passwords, passphrases, PIN numbers, security codes, and access codes
  - Each level of classification represents a specific set of technical and procedural security controls that will help reduce the risks of mishandled information.
  - Data that has not yet been classified shall be considered Internal Use until the Data Owner and/or Data Steward assign(s) an appropriate classification.
  - The classification of data is independent of its format. Physical copies of data shall be treated with the same level of confidentiality as digital records.
  - Questions regarding the classification or handling of data should be directed to the appropriate Data Owner, Data Steward, immediate supervisor, departmental or college IT staff, zone tech, or ITS Security Services. Departmental or college IT staff or zone techs, in coordination with ITS Security Services, can assist departments in developing appropriate controls and processes to protect Protected Institutional Data.
- Roles and Responsibilities
  - To ensure proper information management, UA employees and students must be aware of the classification of any information that they encounter and the associated risks and procedures for handling the information.
  - Data Owners are responsible for the function(s) that collect and use the information, determining the levels of protection for the information, making decisions on the appropriate use of the information, determining the appropriate classification of the information, and assigning Data Steward(s) as their delegates where appropriate.
  - Data Stewards are responsible for reviewing and approving access to data under their authority and for acting on behalf of the Data Owner as appropriate.
  - Data Custodians are responsible for ensuring the implementation of controls as appropriate for the level of classification.
  - Data Users are responsible for understanding the classifications for the information that they are permitted to access and for ensuring the safe handling of the information.
  - Units/Departments are responsible for documenting their policies, procedures, and architectures that involve the collection, processing, storage, and analysis of information. This documentation should detail the types of information created, stored, read, or modified and their associated classifications; account creation and deletion; records retention and destruction, consistent with applicable University records retention policies; backup strategies; and other relevant procedures.
- Sensitive Server and Service Registration
  - UA tracks servers containing sensitive data. Units/Departments must document and inform ITS Security Services of any servers in their possession that contain Protected Institutional Data, as well as any contracted services that require them to share Protected Institutional Data.
- Data Handling
  - The ITS Data Access Policy defines protocols and procedures for governing authorized access to Protected Institutional Data.
  - The ITS Secure Access and Data Storage Standard defines the general guidance for accessing, storing, and transmitting Protected Institutional Data.
- Incident Reporting
  - Unauthorized access to Protected Institutional Data must be reported to the Chief Information Security Officer (CISO) immediately by submitting an email to security@uakron.edu or by calling the ITS Help Desk at (330) 972-6888.
6. Standard Compliance
- Roles and Responsibilities
  - Each university department/unit is responsible for implementing, monitoring, reviewing, and updating its internal policies and practices to ensure compliance with this Standard.
  - The Chief Information Officer is responsible for enforcing this standard.
- Non-Compliance
  - An employee or student who knowingly violates this Standard or any University policy applicable to data security, and/or in any way intentionally breaches the confidentiality of Protected Institutional Data, may be subject to appropriate disciplinary action or sanctions.
7. Related Documents
University Rule 3359-11-08: Policies and Procedures for Student Records
University Rule 3359-11-10: Acceptable Use Policy
University Rule 3359-11-10.3: Information Security and System Integrity Policy
University Rule 3359-11-10.4: Customer Information Security Policy
University Rule 3359-11-10.6: Social Security Number Use Policy
University Rule 3359-11-10.8: Identity Theft Detection, Prevention, and Mitigation Policy
University Rule 3359-11-11.1: Electronic Records Retention
University Rule 3359-11-19: Policies and Procedures for Release, Privacy, and Security of Selected Health Information
ITS: Data Access Policy
ITS: Secure Access and Data Storage Standards
8. Standard History
Approval Authority: Chief Information Officer
Policy Manager: Chief Information Security Officer
Effective Date: 03/09/2022
Prior Effective Dates: 06/09/2021
Review Date: 06/01/2023