PURPOSE:
The Data Security Policy is intended to help employees determine the sensitivity and confidentiality level of information. Sensitive data should be handled in such a manner as to limit the risk of data loss, theft, or leakage of sensitive information.
This policy applies to information that is stored or shared in any way. This includes, but is not limited to: electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing).
These guidelines explain the different levels of information sensitivity and illustrate common-sense steps that you can take to protect ICOM's confidential information (e.g., confidential information should not be left unattended in conference rooms).
Questions about the proper classification of a specific piece of information should be addressed to your manager. Questions about these guidelines should be addressed to the department of Information Technology and administration.
SCOPE:
This policy applies to data safeguarded both by ICOM and/or by third-party vendors and contractors working with ICOM. This policy also covers data stored on all computer systems, network devices, third-party applications, and any additional systems and outputs containing or transmitting ICOM data.
DEFINITIONS:
Physical Security - Physical security means either having actual possession of an item at all times, or locking it in an unusable state to an object that is immovable. If it is a laptop or other portable computer or storage device, never leave it alone in a conference room, hotel room, or on an airplane seat, etc. In the office, always lock your door when the office is not in use. When leaving the office for the day, secure laptops and any other sensitive material in a locked drawer or cabinet. Paper materials of this nature should be kept in a locked cabinet.
POLICY:
All ICOM data will be assigned to one of the following categories in accordance with the Data Classification Policy:
▪ Public: Low Sensitivity
▪ Internal: Moderate Sensitivity
▪ Confidential: High Sensitivity
▪ Restricted: High Sensitivity
Public information is information that has been declared public knowledge by the College, and can freely be given to anyone without any possible damage to ICOM.
Internal information is information available only to ICOM employees and students. Examples of such information are the online directory, intranet content, and email. For non-electronic documents, this includes business plans or projects.
Confidential information is information that should be protected very closely, such as student records, employee records, and any other personal information classified as such under applicable state and federal laws. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact his/her manager or the appropriate Data Steward.
Restricted information is information that should be protected very closely, such as Personally Identifiable Information (PII), financial account or payment card information, social security numbers, and any other personal information classified as such under applicable state and federal laws. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact his/her manager or the appropriate Data Steward.
RESPONSIBLE OFFICIALS:
Chief Information Officer/Information Security Authority, Faculty, Staff, and Students
POLICY OWNER:
Chief Information Officer/Information Security Authority
APPROVAL:
Effective: /7/21
Last Reviewed: 1/25/24
Review Requirement: Annual