Data Classification

SU Policy Number: 601-013.3

ORIGINATING OFFICE
Office of Educational Intelligence & Technology

PURPOSE
This policy establishes direction regarding the privacy, security, integrity, and availability of Shippensburg University data, and the responsibilities of institutional units and individuals for such data. The policy applies to all SU faculty, staff, students, visitors, contractors, and volunteers.

SCOPE
Shippensburg University maintains data essential to the performance of university business. All members of the campus community have a responsibility to protect university data from unauthorized generation, access, modification, disclosure, transmission, or destruction.

OBJECTIVE
All data within the University shall be assigned one of the following classifications.

DEFINITIONS
1. Data Classifications:

  • a. Restricted Data: Data are considered restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant financial and reputational risk to the University and/or significant risk of theft of individual identity information. Restricted data require the highest level of security controls. Restricted data include data that the university must keep private under federal, state, or local laws and regulations, or based on its proprietary worth. Restricted data may be disclosed to individuals on a strict need-to-know basis only, where law permits.
  • b. Confidential Data: Data are considered confidential when the unauthorized disclosure, alteration or destruction of that data could cause a high financial and reputational risk to the University and/or moderate risk of theft of individual identity information. Confidential data require a high level of security controls. Confidential data include data that the university must keep private under federal, state, or local laws and regulations, or based on its proprietary worth. Confidential data may be disclosed to individuals on a strict need-to-know basis only, where law permits.
  • c. Sensitive Data: Data should be classified as Sensitive when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of financial and reputational risk to the University and a low risk of theft of individual identity information. By default, all University data that is not explicitly classified as Restricted, Confidential or Public should be treated as Sensitive Data. Access is limited to members of the university community on a need-to-know basis and these data are not generally available to external parties. 
  • d. Public Data: Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University. Public Data have no legal or other restrictions on access or usage and may be open to the university community and the general public. While little or no controls are required to protect the confidentiality of Public data, controls are required to prevent unauthorized modification or destruction of Public data.

2. Data Roles:

  • a. Data Owner: Senior leadership, typically at the dean, director or department chair level, with the ultimate responsibility for use and protection of university data.
  • b. Data User: Any member of the university community who has access to university data and thus is entrusted with the protection of that data.

POLICY
This policy assists SU employees and contractors in the assessment of data to determine the level of security that should be implemented to protect that data. This applies to paper and electronic copy where the data is stored. All data should be classified into four levels of security: Restricted, Confidential, Sensitive, and Public. Once data has been classified, appropriate safeguards should be implemented to protect data from theft, loss, and/or unauthorized disclosure, use, access, and/or destruction. Appropriate safeguards, including encryption, are found in related policies and guidelines.

Although a large portion of university data is available for the public, some data have restrictions due to privacy protections mandated by federal, state or local regulations and laws, ethical considerations, and proprietary worth. To comply with these mandates and protect the SU community, SU has the right and obligation to protect the confidentiality, integrity, and availability of data under its purview. Data can also be classified based on the application of the Right to Know Law. The classification level assigned to data will provide guidance to data custodians and others who may collect, process, or store data.

RESPONSIBILITIES
Data owners are responsible for appropriately classifying data, controlling internal access to data and approving transfer of data to third parties. Data owners are listed in Appendix A.

All members of the university community have a responsibility to protect the confidentiality, integrity, and availability of data generated, accessed, modified, transmitted, stored, or used by the university, irrespective of the medium on which the data reside and regardless of format (such as in electronic, paper, or other physical form).

PROCEDURES
Data Classification - The university classifies data into the appropriate category. Data are assets belonging to the university and should be classified according to the risks associated with the data being stored or processed. Restricted and confidential data require the highest levels of protection to prevent unauthorized disclosure or use. Data that are sensitive or public may be given proportionately less protection. Data are generally stored in collections (i.e., databases, files, tables, etc.). Often these collections do not segregate the more sensitive data elements of a collection from the less sensitive data. Therefore, in determining the classification category, the most sensitive data element in the collection should be used to classify the entire collection. If there is uncertainty regarding the category of the data, the higher level of safeguards should be applied.

Examples of all data types are listed in Appendix B.

DATA SAFEGUARDS. SU entities should implement appropriate managerial, operational, physical, and technical safeguards for access to, use of, transmission of, and disposal of university data. Restricted and Confidential Data require the highest level of protection. If there is uncertainty regarding the category of the data, the higher level of safeguards should be applied.
1. This policy’s appendix provides examples; however, the university may implement guidelines and policies more restrictive than the ones identified. 
2. Using the categories Restricted, Confidential, Sensitive, or Public, all university data should be classified.
3. Following initial classification, university data should remain classified at the initial level or reclassified as needed due to changes in usage, sensitivities, law or other relevant circumstances.
4. Data should be protected in accordance with the security controls specified for the classification level that it is assigned. 
5. The classification level and associated protection of replicated data should remain consistent with the original data [e.g. (i) Restricted HR data copied to a CD-ROM, or other removable media (e.g. flash drive), or from one server to another, retains its Restricted classification; (ii) printed copies of Restricted Data are also Restricted].
6. Any physical or logical collection of data, stored, in transit, or during electronic transfer (e.g. file, database, emails and attachments, filing cabinet, backup media, electronic memory devices, sensitive operation logs or configuration files) containing differing classification levels should be classified as a whole at the highest data classification level within the collection. Any data subset that has been separated from any such collection should be protected in accordance with the protection specified for the classification level of the data subset if assigned; otherwise, the data subset retains the classification level of the original collection and requires the same degree of protection. 
7. Destruction of data (electronic or physical) or systems storing data should be done in accordance with Records Retention and Asset Management policies and guidelines.
8. Before systems or media are reused they should be wiped according to National Institute of Standards and Technology (NIST) Special Publication 800-88 “purge” guidelines to ensure no residual data.

Safeguards for Restricted Data
1. Must be protected to prevent loss, theft, and/or unauthorized access, disclosure, modification, and/or destruction.
2. Should be labeled Restricted Data.
3. When stored in an electronic format should be protected with strong passwords and stored on electronic devices that have protection and encryption measures.
4. When export from a secure information system is required, only the university X: drive may be used for network drive storage.
5. May not be shared with third parties unless a University Data Security agreement has been executed with the third party.
6. Any electronic transmission must occur via secure and encrypted means.
7. May not be stored on third-party cloud-based file storage solutions, such as OneDrive, Google Drive, Box, and Dropbox.
8. May not be sent via email.
9. May only be disclosed on a strict need-to-know basis and consistent with applicable policies and statutes.
10. Should be stored only in a locked drawer or room or an area where access is controlled using sufficient physical access control measures to detect and prevent unauthorized access by members of the public, visitors, or other persons without a need-to-know. 
11. When sent via fax, should be sent only to a previously established and used address or one that has been verified as using a secured location.
12. Must not be posted on any public website.
13. Should be destroyed when no longer needed in accordance with university policies, guidelines or statutes.

Additional safeguards for Credit Card Data
1. All divisions that process or store cardholder data and have access to the information as a result of Internet, mail, fax, or telephone acceptance of credit card account information are required to comply with the American Express, Discover, VISA USA, and Master Card International operating regulations and the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is intended to protect cardholder data in the card-not-present industry. A card-not-present transaction can include Internet, mail, fax, or telephone acceptance of credit card account information. 
2. Comprehensive information on PCI requirements and merchant levels may be found on the PCI Security Standards Council Web site at the following link: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
3. Information on merchant levels, penalties for violation, and frequency of required security assessments is available at the following page on the Visa Web site: https://usa.visa.com/support/small-business/security-compliance.html
4. All third-party vendors that divisions use to fulfill PCI compliance will be retained at the division’s expense.

Safeguards for Confidential Data
1. Must be protected to prevent loss, theft, and/or unauthorized access, disclosure, modification, and/or destruction.
2. Should be labeled Confidential Data.
3. When stored in an electronic format should be protected with strong passwords and stored on electronic devices that have protection and encryption measures.
4. When export from a secure information system is required, the university S:, T: or X: drive may be used for network drive storage.
5. Should not be shared with third parties unless a University Data Security agreement has been executed with the third party. Any exceptions to this requirement must be approved in writing by the vice president of the division contracting for services with the third party.
6. Any electronic transmission must occur via secure and encrypted means.
7. May be stored on university-procured third-party cloud-based file storage solutions, such as OneDrive.
8. May not be stored on non-University-procured third-party cloud-based file storage solutions, such as Google Drive, Box, and Dropbox.
9. Bulk confidential data may be sent via email to authorized third parties using the university-supplied encryption tool. Bulk data to university entities should not be sent via email. Single records of confidential data may be sent to and from university email accounts.
10. May only be disclosed on a strict need-to-know basis and consistent with applicable policies and statutes.
11. Should be stored only in a locked drawer or room or an area where access is controlled using sufficient physical access control measures to detect and prevent unauthorized access by members of the public, visitors, or other persons without a need-to-know. 
12. When sent via fax, should be sent only to a previously established and used address or one that has been verified as using a secured location.
13. Must not be posted on any public website.
14. Should be destroyed when no longer needed in accordance with university policies, guidelines or statutes.

Safeguards for Sensitive Data
1. Should be protected to prevent loss, theft, and/or unauthorized access, disclosure, modification, and/or destruction.
2. Should be stored in a controlled environment (i.e. file cabinet or office where physical controls are in place to prevent disclosure) when not in use.
3. Should not be shared with third parties unless a University Data Security agreement has been executed with the third party. Any exceptions to this requirement must be approved in writing by the vice president of the division contracting for services with the third party.
4. Any electronic transmission must occur via secure and encrypted means.
5. Bulk confidential data may be sent via email to authorized third parties using the university-supplied encryption tool. Bulk and single records of confidential data may be sent to and from university email accounts.
6. Should not be posted on any public website unless prior approval is given by External Relations and Office of Legal Counsel.
7. Should be destroyed when no longer needed in accordance with the Records Retention and Asset Management policies and guidelines.

Safeguards for Public Data
Public data are available to the public. Protection considerations should be applied to maintain data integrity and prevent unauthorized modification of such data. Safeguards for Public Data may include:
1. Storage on an appropriately secured host.
2. Appropriate integrity protection.
3. Redundant systems to maintain availability as appropriate.
4. Retention according to public record requirements.
5. Appropriate recovery plan.

RESCISSION
Not applicable.

APPROVALS
President’s Cabinet December 10, 2012
President’s Cabinet January 26, 2015 (Revision 13.1)
President’s Cabinet June 29, 2016 (Revision 13.2)
Executive Management Team September 25, 2019 (Revision 13.3)

FILENAME:
601-013.3 Data Classification

DATE:
9/25/2019

DISTRIBUTION: 
Employees
