Information Services Digital Data Classification Policy

1.  Purpose

Information technology and data constitute valuable Connecticut College assets. The purpose of data classification is to identify college data and its sensitivity. In order to protect the security, confidentiality and integrity of Connecticut College data from unauthorized access, modification, disclosure, transmission or destruction, as well as to comply with applicable state and federal laws and regulations, all Connecticut College data is classified into security levels, with rules on the usage, storage, disposal and access of data at each level.

2.  Scope

This policy applies to any Connecticut College data residing on college-owned or personal laptops, desktops, servers, handheld devices, external drives, mobile devices, USB drives, etc. It is the responsibility of the Data Owner to designate and label the data classification for information owned, used, created or maintained under their responsibility.

3.  Definitions and Authority

“Critical data elements” are defined as “the data that is critical to success” in a specific campus business area, or “the data required to get the job done.” Data elements are data attributes used in running the college business. Note that data that is critical in one business area may not be critical in another.

“Data” is defined as information processed or stored by a computer. This information may be in the form of text documents (electronic or printed), images, audio clips, software programs, or other types of data.

“Data dictionary” describes the meaning of a data element, i.e., metadata. Data element definitions are critical for external users of any data system.

“Data Owners” are college officials who have direct operational-level responsibility for the management of one or more types of institutional data. This authority and responsibility is delegated by a Senior Administrator; Data Owners are generally deans, directors or managers.

“Data Custodian” is an individual who has been authorized by the Data Owner to be in physical or logical possession of data.

“Data Stewardship Committee” is a planning, procedures and oversight committee composed of campus Data Owners.  They discuss, propose, advocate and review policies and standards surrounding the classification, access and use of data.

“Data Users” are college departments or individuals who have been granted access to institutional data in order to perform their assigned duties.

“Personally Identifiable Information (PII)” is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another, or to de-anonymize anonymous data, can be considered PII.

4.  Data Classifications

College data is organized into three classifications: Public, Internal and Restricted. Each class of data has its own requirements for safeguards and for procedures in the event of inappropriate disclosure.

Public - low level of sensitivity

Public data is information that may be disclosed to any person regardless of their affiliation with the College. This data may be publicly accessible but does not require public access. This classification applies to data that does not require any level of protection from disclosure. Examples of Public data include:

a. Content and images on Connecticut College’s public web sites and social media (e.g. www.conncoll.edu).

b. Publicly released press statements and marketing materials.

c. External directory information for faculty and staff, unless otherwise restricted. This includes name, title, department, mailing address and Connecticut College email address.

d. Campus events open to the public.

Internal - moderate level of sensitivity

Internal data is information that requires protection from unauthorized use, disclosure, modification, or destruction. It is not necessarily protected by state or federal law or regulatory standards, but it is potentially sensitive and not intended to be shared with the public. The distribution of Internal data is limited by the intention of the author, owner, or administrator. Internal information should not be disclosed outside of the College without the permission of the data owner or the group that created it.

Examples of Internal data include:

a. Student ID number, Network Account Credentials, Budget Information, Research and Manuscripts, Payroll and Employment Documentation, Donation/Giving History, Systems & Network Diagrams, Strategic Information unique to Connecticut College.

b. Data related to Connecticut College operations, finances, audits, or other activities that are not public in nature. 

c. Personal directory or professional employment information for students, alumni or donors. This includes name, business name, business address, home address, email, cell phone numbers, business phone numbers, home phone numbers, occupations and titles.

d. Personal directory information for faculty and staff. This may include home address, cell phone, home phone, home fax and personal email.

e. Personal characteristics such as gender, sex, height, weight, marital status, nationality, personal interests, photographs and names of children and other demographic information for students, faculty and staff.

f. Connecticut College Network Diagrams which display IP Addresses.

g. Student directory information that may be disclosed if deemed appropriate by the FERPA body (Registrar’s Office), for example the Dean’s list.

Restricted - confidential and highest level of sensitivity

Restricted data is data that state or federal law, contractual agreements or its proprietary nature require to be protected against unauthorized use, disclosure, modification and destruction. Highly confidential, Restricted data shall be stored in institutionally supported applications residing in the Connecticut College Data Centers, not in Word, Excel or Access files (with the exception of information required for critical business purposes and stored in an approved, secure area). Access to Restricted electronic data shall only be gained through authenticated access on the College network or through Virtual Private Network (VPN) access.

Hard copy Restricted data shall be stored in locked receptacles and rooms. Hard copy data shall only be accessed when business requires such use and all storage receptacles and rooms shall be appropriately designed to allow for authorized access only.

Examples of Restricted data include, without limitation, the following:

a. Student records, including date of birth, Social Security Number, Driver’s License Number, Passport ID Number, health information, place of birth, mother’s maiden name, official grades and transcripts recorded on a student’s permanent record, academic information, academic actions, class schedules, race, judicial information and other information relative to a student’s permanent record (e.g., official grades, judicial records). See FERPA Policy.

b. Any information, including student or employment status, for any student or employee who has requested a “CONFIDENTIAL” status with the Registrar’s Office or Human Resources. These individuals are flagged as “confidential” in enterprise systems.

c. Human Resources data including employment records, salary, benefits, Social Security Number, driver’s license and passport ID numbers, personnel evaluations, date of birth, place of birth, mother’s maiden name, home address, race and other records pertaining to personnel files (e.g., payroll reports, yearly salary increase data).

d. Academic Affairs information relating to non-public research and promotion and tenure files (including notes relating to tenure decisions).

e. Alumni or donor information, including date of birth, place of birth, mother’s maiden name, donation amount and assets (e.g., Daily Giving Reports, Donor Profiles).

f. Corporate records including Board of Trustee minutes, Board of Trustee votes and other confidential information dispersed at Board meetings and/or shared with Board members.

g. Sensitive Personal Information including credit checks, criminal background checks, visa numbers, sexual behavior and criminal convictions (e.g., CORI/SORI reports).

h. Information security data, including passwords, and other data associated with security-related incidents occurring at the College.

i. Research data involving human subjects that are subject to the Common Rule (Federal Policy for the Protection of Human Subjects, 46 CFR 101 et seq).

Notification Requirements:

Restricted data includes data that is highly confidential and requires notification to subjects and various state, federal and nation-state entities if breached.

Restricted data requiring notification if breached includes a person’s first and last name, or first initial and last name, in combination with any one or more of the following data elements relating to that person:

a. Social Security Number;

b. Driver's License Number or state-issued identification card number, including passports;

c. Financial account number (bank, investment, 403(b)), or credit or debit card number;

d. Health care information, including patient billing or medical records, information about physical or psychological state of health, counseling records, disease, medical history, medical treatment, drugs, therapies, genetic test results, family health or morbidity history;

e. Biometric data including fingerprints, voice prints, retina image, iris image, or other unique physical representation, with the exception of the fingerprints associated with individual fingerprint readers used for securing laptop or desktop computers.

Other data elements that can be associated with an individual (PII), particularly when used in various combinations with regulated data elements, may be treated as Restricted Data, depending on the usage. When assessing data, each data set must be analyzed to determine if any given combination poses a security risk.
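The notification rule above is a conjunction (a name) with a disjunction (any one listed element), plus one exception and one caveat. The following is an added example, not part of this policy or the College’s tooling, that applies the rule to the field inventory of a data set so a reviewer can flag which data sets would trigger notification if breached. The field tags (`ssn`, `card_number`, `biometric`, and so on) and the sample inventories are constructed for illustration; the `biometric_is_local_reader` flag is a hypothetical marker for the fingerprint-reader exception.

```python
"""Breach-notification assessment for a data set's field inventory.

Added example: this is not part of the Connecticut College policy and is not
the College's tooling. It encodes the rule stated under Notification
Requirements: a person's first and last name (or first initial and last name)
combined with one or more of the listed data elements is Restricted data that
requires notification if breached. The field tags and sample inventories
below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Regulated data elements from the policy, keyed by a constructed field tag.
NOTIFICATION_ELEMENTS = {
    "ssn": "Social Security Number",
    "drivers_license": "Driver's License or state-issued ID number",
    "passport": "Passport number",
    "financial_account": "Financial account number (bank, investment, 403(b))",
    "card_number": "Credit or debit card number",
    "health": "Health care information",
    "biometric": "Biometric data",
}

# Either combination of name fields identifies the person under the rule.
NAME_COMBINATIONS = ({"first_name", "last_name"}, {"first_initial", "last_name"})


@dataclass
class Assessment:
    notification_required: bool
    triggering_elements: list
    notes: list = field(default_factory=list)


def assess_fields(fields, biometric_is_local_reader=False):
    """Apply the notification rule to the set of field tags in one data set.

    biometric_is_local_reader (hypothetical marker) flags fingerprint templates
    that only serve a laptop or desktop fingerprint reader, which the policy
    excepts from the biometric element.
    """
    present = set(fields)
    has_name = any(combo <= present for combo in NAME_COMBINATIONS)
    triggers = [label for tag, label in NOTIFICATION_ELEMENTS.items() if tag in present]
    notes = []

    if "biometric" in present and biometric_is_local_reader:
        triggers.remove(NOTIFICATION_ELEMENTS["biometric"])
        notes.append("biometric field is a local fingerprint-reader template; excepted")

    if triggers and not has_name:
        # Regulated elements without a name do not meet the notification
        # definition on their own, but the policy still requires the
        # combination to be reviewed for risk.
        notes.append("regulated elements present without a name; review the combination")

    return Assessment(has_name and bool(triggers), triggers, notes)


if __name__ == "__main__":
    # Constructed inventories of three hypothetical data sets.
    samples = {
        "payroll_export": ["first_name", "last_name", "ssn", "salary"],
        "laptop_fingerprint_db": ["first_initial", "last_name", "biometric"],
        "gift_card_batch": ["card_number", "amount"],
    }
    for name, cols in samples.items():
        result = assess_fields(cols, biometric_is_local_reader=(name == "laptop_fingerprint_db"))
        print(f"{name}: notification_required={result.notification_required}, "
              f"elements={result.triggering_elements}, notes={result.notes}")
```

The assessment deliberately reports regulated elements found without a name as a note rather than silently passing them, since the paragraph above requires each combination to be analyzed for risk even when the strict notification definition is not met.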

5.  Data Security Guidelines

For each security protection, the guideline and the College security control that implements it:

Security Protection: Data Classification
Guideline: Know the classification of the data you are working with so you can ensure that appropriate data security precautions are employed.
Security Control: Reference the Data Classification Policy to determine the class of the data you are working with.

Security Protection: Access Controls
Guideline: Electronic and physical access controls ensure that only authorized individuals can access the data.
Security Control: The College Identity and Access Management system and application passwords are used to control access to view Internal and Restricted data.

Security Protection: Data Encryption
Guideline: Encrypt data using college-designated tools and technology. Keep encryption keys separate from the systems that contain the data.
Security Control: Desktops are encrypted with BitLocker for PCs and FileVault for Macs. Certificate Authorities protect transmission of data, and system backups are stored encrypted.

Security Protection: Security Monitoring
Guideline: Conduct security operations processes to monitor for unauthorized access attempts. Automated access log reports.
Security Control: Security information and event management (SIEM) logging and vulnerability scanning are performed by a third party. FireEye technology is used to detect zero-day attacks, and Fortinet devices protect the perimeter.

6.  Data Storage and Disposal Guidelines

For each storage location, the data classifications it is approved for and the required disposal method:

Location: On-campus secured network storage (e.g., shared department drives, dedicated secure servers)
Data Classification: Safe for Restricted, Internal and Public data.
Data Disposal: Electronic internal data can be destroyed using traditional application delete functionality.

Location: Third-party hosted applications
Data Classification: Third-party hosted applications that store Internal and Restricted data must meet Connecticut College’s Third Party Software as a Service (SaaS) risk standards.
Data Disposal: Archival and removal processes are pre-established at the time of the SaaS agreement.

Location: College-owned computer hard drive (e.g., laptop, tablet, desktop)
Data Classification: Safe for Internal and Public data. Use for Restricted data must be cleared with the Data Owner and the data must be encrypted.
Data Disposal: Drives must be erased in compliance with the NIST SP 800-88 Rev. 1 standard.

Location: Connecticut College Gmail, including attachments
Data Classification: Safe for Internal and Public data; NOT safe for Restricted data.
Data Disposal: Gmail messages can be deleted and will be removed from Trash after 30 days.

Location: Connecticut College Google Drive and Team Drives
Data Classification: Safe for Restricted, Internal and Public data. Must be labeled for classification.
Data Disposal: Drive file ownership can be transferred to supervisors or new hires.

Location: Portable device storage (e.g., smart phone, tablet, laptop, USB drive)
Data Classification: Safe for Internal and Public data. Use for Restricted data must be cleared with the Data Owner and data security features enabled.
Data Disposal: Portable data drives used for this purpose must be erased using the NIST SP 800-88 Rev. 1 standard.

Location: Hard copies
Data Classification: Internal and Restricted data shall be maintained in as few receptacles and rooms as business dictates. Copies of this data shall not generally be made unless business requires it.
Data Disposal: Must be disposed of in the shred container systems located in offices around campus.

Electronic Data Transmittal

If Internal or Restricted data is transmitted on a recurring basis to external vendors, it must be sent through secure transmissions such as secure FTP (SFTP).

All departments shall have policies in place and shall periodically review their electronic storage areas and hard copy storage areas to ensure that data is being destroyed in a timely and effective manner.

7.  Non-Compliance

7.1  Compliance Measurement

The ETS/Information Services will verify compliance with this policy through various methods, including but not limited to periodic walkthroughs, application tool reports, internal and external audits, and feedback.

7.2  Exceptions

Any exception to the policy must be approved by the Information Security Office in advance and documented in accordance with the Information Security Exceptions Tracking procedure.

7.3  Non-Compliance

Non-compliance with this policy and its procedures may result in disciplinary action, following the usual disciplinary processes of the College for faculty and staff. The Vice President of the Administration Division will determine whether to initiate the disciplinary process.


References:

Confidential-restricted data access flow

Information Services Litigation Hold Policy

Records Management Program and Policy

FERPA Policy

Data Classification Identification and Labeling Procedure (to be written)

Approval Date: This policy was approved on May 14, 2019.