PURPOSE:
This Data Classification Policy establishes a framework for classifying Idaho College of Osteopathic Medicine (ICOM) institutional data assets based on their sensitivity and criticality. This policy serves as a foundation for the institution's Information Security Program and supports data management and records management standards. The primary purpose of this policy is to ensure that institutional data is appropriately protected, in accordance with its value, legal and regulatory requirements, and the institution's mission. This policy is not intended to create unnecessary restrictions on data access for authorized users supporting legitimate institutional business or academic pursuits.
SCOPE:
This policy applies to all institutional data created, received, maintained, or transmitted by ICOM, regardless of:
- Data Type: All college administrative data and user-developed data sets that may access this data.
- Data Location: Regardless of where the data resides, including but not limited to cloud systems, servers, personal computers, mobile devices, and removable media.
- Data Media: Regardless of the media on which data resides, including electronic, printouts, external drives, and other storage media.
- Data Format: Regardless of the form data may take, including text, graphics, video, voice, and other formats.
- Geographic Location: Applies to all institutional systems, regardless of geographic location.
This policy applies to all individuals who access institutional data, including but not limited to:
- Faculty
- Staff
- Administrators
- Third-party agents of the College
- College affiliates authorized to access institutional data.
Specifically, this policy is directed at those who are responsible for classifying and protecting institutional data.
DEFINITIONS:
- Confidentiality: The state of information being kept secret and protected from unauthorized disclosure.
- Data User: Any individual who accesses and uses Institutional Data as part of their assigned duties or roles within the ICOM community.
- Institutional Data: All data and information, regardless of format or medium, created, received, maintained, or transmitted by ICOM in support of its mission and operations.
- Integrity: The state of information being complete, accurate, and consistent, and protected from unauthorized modification or destruction.
- Availability: The state of information being accessible and usable on demand by authorized individuals.
- Restricted Data: Data classified as requiring the highest level of protection due to legal, contractual, or regulatory requirements. Unauthorized disclosure or modification could cause significant harm and require mandatory reporting. Examples include Protected Health Information (PHI), Personally Identifiable Information (PII) such as Social Security Numbers, financial account or payment card information, and authentication credentials.
- Confidential Data: Data classified as requiring a high level of protection because unauthorized disclosure, alteration, or destruction could cause significant risk or harm to ICOM or its affiliates. This information is typically intended for internal use and shared on a need-to-know basis. Examples include student academic records (non-directory information), personnel records (non-public), and internal financial data.
- Internal Data: Data classified as intended for use within the ICOM community. While not highly sensitive for public disclosure, it requires protection from unauthorized modification or misuse. Sharing with external parties typically requires authorization. Examples include internal policies and procedures, departmental budgets, and internal communications.
- Public Data: Data classified as intended for free and open dissemination, posing minimal risk if disclosed. Examples include press releases, course catalogs, and published research findings.
- Personally Identifiable Information (PII): Any information that can be used to identify, contact, or locate a single person, or can be used with other sources to uniquely identify a single individual.
- Protected Health Information (PHI): Individually identifiable health information protected by the Health Insurance Portability and Accountability Act (HIPAA).
- Availability: Ensuring timely and reliable access to and use of information.
POLICY:
Data Classification Framework: All institutional data will be classified into one of the following categories based on its sensitivity and the potential impact of unauthorized disclosure, alteration, or destruction:
- Restricted Data: Data classified as Restricted requires the highest level of protection due to legal, contractual, or regulatory requirements. Unauthorized disclosure or modification of Restricted data would likely necessitate mandatory reporting to external authorities and/or affected individuals and could result in significant harm to the institution or individuals. Examples of Restricted Data include:
  - Protected Health Information (PHI)
  - Personally Identifiable Information (PII), such as Social Security Numbers
  - Financial account numbers and payment card information
  - Authentication credentials (usernames, passwords)
  - Authorization information for electronic resources

  Security Requirements: Restricted Data must be protected with the most stringent security controls, including but not limited to mandatory encryption in transit and at rest, strict access controls based on least privilege and need-to-know, multi-factor authentication, comprehensive audit logging, and specialized data handling procedures.
- Confidential Data: Data classified as Confidential requires a high level of protection because unauthorized disclosure, alteration, or destruction could cause significant risk or harm to the College or its affiliates. Confidential data is intended for internal use and should be shared only on a "need-to-know" basis with authorized individuals. Disclosure to unauthorized persons may violate laws, regulations, or institutional contracts. Examples of Confidential Data include:
  - Data protected by state or federal privacy regulations (where not classified as Restricted)
  - Data protected by confidentiality agreements
  - Student academic records (where not public directory information)
  - Personnel records (non-public)
  - Internal financial data (non-public)
  - Strategic planning documents

  Security Requirements: Confidential Data must be protected with robust security controls, including but not limited to: encryption in transit and at rest (where feasible and appropriate), strong access controls based on least privilege and need-to-know, multi-factor authentication for sensitive access, audit logging, and secure data handling procedures.
- Internal Data: Data classified as Internal is intended for use within the College community. While not considered highly sensitive in terms of public disclosure, it still requires protection from unauthorized modification or misuse. Sharing Internal data with individuals outside the College community requires authorization from the relevant Data Owner or Data Steward. Examples of Internal Data include:
  - Internal policies and procedures
  - Departmental budgets and operational plans
  - Internal communications and memos
  - Unpublished research data

  Security Requirements: Internal Data should be protected with reasonable security controls, including but not limited to: access controls to prevent unauthorized modification, secure storage practices, and protection against accidental or malicious deletion.
- Public Data: Data classified as Public is intended for free and open dissemination and can be shared with individuals both inside and outside the College community without restriction, in accordance with applicable regulations. Unauthorized disclosure, alteration, or destruction of Public data would pose minimal risk to the College. Examples of Public Data include:
  - Press releases and public announcements
  - Course catalogs and publicly available course information
  - Published research findings and scholarly articles
  - Directory information (as defined under FERPA, if designated public)

  Security Requirements: While confidentiality is not a primary concern for Public Data, controls are still needed to maintain data integrity and availability and prevent unauthorized modification or destruction. Appropriate controls may include version control, website security measures, and backup and recovery procedures.
Default Classification: Unless explicitly classified otherwise by a Data Owner or Data Steward, all institutional data will be treated as Confidential Data by default and protected accordingly. Once data is classified, Data Users should refer to the Data Classification Matrix for guidance on appropriate use, storage, and sending methods.
Data Integrity and Availability Considerations: While this policy primarily focuses on data classification for confidentiality and integrity, the availability of data and information systems is also critical. Information systems will be categorized to reflect their importance to institutional operations:
- Non-Critical Systems: Information systems where unavailability, unauthorized modification, loss, or destruction would cause minor, temporary inconvenience and limited recovery costs. These systems still require basic security measures, such as physical security, access controls, and regular backups.
- Critical Systems: Information systems where unavailability, unauthorized access/modification, loss, or destruction could cause significant disruption to institutional operations, reputational damage, financial loss, legal/regulatory non-compliance, or adverse impacts on the college community. Critical Systems require robust security controls, redundancy, disaster recovery planning, and business continuity plans.
Data Validation: Data Stewards, in collaboration with relevant departments, are responsible for developing and implementing procedures for data validation to ensure data accuracy and quality within their areas of responsibility.
Disaster Recovery and Business Continuity: A Disaster Recovery Plan and/or Business Continuity Plan must be developed, documented, deployed, and tested at least annually for Critical Systems to ensure the recovery of essential data and systems in the event of a disaster or major disruption.
Security Measures: Security measures for each data classification level and for critical/non-critical systems will be defined and implemented by Data Custodians (IT), working in cooperation with Data Owners and Data Stewards, based on institutional security policies and standards.
RESPONSIBILITIES:
The following roles and responsibilities are established for the implementation and maintenance of this Data Classification Policy:
- Data Owner: The President or appropriate designee (CIO, Vice President, etc.) who has policy-level responsibility and management oversight for a broad category of institutional data. Data Owners are responsible for:
  - Assigning Data Stewards for their data domains.
  - Participating in the development and review of data classification policies and standards.
  - Ensuring Data Stewards and Data Custodians have access to necessary resources.
  - Promoting effective data resource management across the institution.
- Data Steward: A College official (typically a department director or manager) who has operational-level responsibility for specific data collections within their functional area. Data Stewards are responsible for:
  - Implementing data classification policies and procedures within their departments.
  - Defining and enforcing data access controls and data handling procedures for data within their stewardship.
  - Developing and implementing data validation procedures to ensure data quality.
  - Authorizing data access requests according to defined policies and need-to-know principles.
- Data Custodian: The Information Technology (IT) department serves as the Data Custodian for the institution's data. Data Custodians are responsible for:
  - Providing and maintaining a secure IT infrastructure to support data storage, processing, and transmission.
  - Implementing and administering security controls to protect data confidentiality, integrity, and availability, based on data classification and security policies.
  - Providing physical security for IT infrastructure.
  - Implementing and maintaining backup and recovery processes.
  - Granting and managing user access privileges to systems and data as authorized by Data Owners or Data Stewards.
- Data User: Any individual who accesses and uses institutional data as part of their assigned duties or roles within the College community. Data Users are responsible for:
  - Using institutional data ethically and responsibly, in accordance with all applicable policies and laws.
  - Protecting the security and confidentiality of data they access.
  - Adhering to data access and handling procedures.
  - Reporting any suspected security incidents or data breaches.
ENFORCEMENT:
Enforcement of this Data Classification Policy is the responsibility of all Data Owners, Data Stewards, Data Custodians, and Data Users. Violations of this policy may result in disciplinary actions, up to and including termination of employment or access privileges, and potential legal or financial consequences. Data Owners and Data Stewards are responsible for ensuring policy compliance within their respective areas of responsibility. The Information Security Office will provide guidance on policy interpretation and investigate reported violations.
POLICY REVIEW AND UPDATES:
This Data Classification Policy will be reviewed and updated at least annually, or as needed to reflect changes in regulations, institutional risk assessments, business needs, data types, or best practices in data classification. The Chief Information Officer, in collaboration with Data Owners and Data Stewards, is responsible for coordinating policy reviews and updates.
PRIMARY POLICY OWNER:
Chief Information Officer
APPROVAL:
Effective: 6/1/22
Last Reviewed: 7/8/25
Review Requirement: Annual
CROSS REFERENCE AND SUPPORTING DOCUMENTS:
Information and links to other policies or supporting documents referenced within this policy.
| Document/Resource | Location/Link |
| --- | --- |
| Information Security Program | Contact Chief Information Officer |
| Business Continuity and Disaster Recovery Plan | Contact Chief Information Officer |
| Data Classification Matrix | Contact Chief Information Officer |