ISP-09 - Data Classification Policy

DATA CLASSIFICATION POLICY


 

Policy Objective

Purpose

Data classification standards are crucial to formalize the classification, protection, and handling expectations/requirements of data within Parkland College. Without formal measures in place, data may be mishandled, leaked, and/or lost, causing significant damage to the organization.

These standards exist in addition to all other Parkland policies and federal and state regulations governing the protection of the College’s data. Compliance with these classification standards will not ensure that data will be appropriately secured. Instead, these standards should be integrated into a comprehensive information security plan.


 

Scope

All data stored, processed, used, accessed, or otherwise interacted with on behalf of Parkland College.

Policy

Policy Statement

Parkland College is committed to protecting people and institutional data and complying with data security and privacy laws and guidelines. In the context of information security, data classification is the cataloging of data based on its level of sensitivity, and the impact to the College should that data be disclosed, altered, or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of three sensitivity levels or classifications: Confidential, Private, and Public.


 

Section 1 – Data Classification Levels


 

Classification Level

Definition

Examples

Confidential 

(login required)

Sensitive data that requires special handling procedures. The unauthorized disclosure, alteration, or destruction of Confidential data could cause a significant level of risk to the College or its affiliates. The highest level of security controls should be applied to Confidential data.

  • Personally, Identifiable Information (PII)

  • Credit card information

  • Social security numbers

  • Personally Identifiable Education Records

  • Protected Health Information (“PHI”)

Private

This data is for internal use only. Unauthorized disclosure, alteration, or destruction of that data could result in a moderate level of risk to the College or its affiliates. A reasonable level of security controls should be applied to Private data. An example of Private data includes the majority of internal emails.

  • Earnings

  • Timesheets

  • Memos

  • Employee application records

Public 

(login required)

Unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the College and its affiliates. While little or no controls are required to protect the confidentiality of Public data, some level of control is necessary to prevent unauthorized modification or destruction of Public data.

  • Press releases

  • Public access website pages

  • Brochures


 

Section 2 – Roles and Responsibilities

The data classification framework, standards, and scheme are defined by the Parkland College Infrastructure and Security Committee and maintained by the CIO/CISO office. Data identification and classification are coordinated by the Data Governance Working Group (DGWG) and associated department(s). Data definition and classification are tracked in the Parkland College Data Dictionary. Data owners/stewards ensure that the data they are responsible for is appropriately classified, periodically review and assess data classifications, and adjust as required.

Section 3 – Confidential Data

Parkland College defines several types of Confidential data based on state and federal regulatory requirements. The description of such data is as follows:

1.

Authentication Verifier

An Authentication Verifier is a piece of information that is held in confidence by an individual and used to prove that the person is who they say they are. In some instances, an Authentication Verifier may be shared amongst a small group of individuals. An Authentication Verifier may also be used to prove the identity of a system or service. Examples include, but are not limited to:

  • Passwords

  • Shared secrets

  • Cryptographic private keys

2.

Covered Financial Information

The College is in compliance with the Gramm-Leach-Bliley Act (GLBA) and undergoes financial audits and reviews regularly. All information addressed in the GLBA is covered financial information.

3.

Electronic Protected Health Information (“EPHI”)

EPHI is defined as any Protected Health Information (“PHI”) that is stored in or transmitted by electronic media. For this definition, electronic media includes:

  • Electronic storage media includes computer hard drives and any removable and/or transportable digital memory media, such as magnetic tape or disk, optical disk, or digital memory card.

  • Transmission media used to exchange information already in electronic storage media.  Transmission media includes, for example, the Internet, an extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable and/or transportable electronic storage media. Certain transmissions, including paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media because the information being exchanged did not exist in electronic form before the transmission.

4.

Export Controlled Materials

Export Controlled Materials is defined as any information or materials that are subject to the United States export control regulation. Such regulations include, but not limited to, the Export Administration Regulations (EAR) published by the U.S. Department of Commerce and the International Traffic in Arms Regulations (ITAR) issued by the U.S. Department of State.

5.

Federal Tax Information ("FTI")

FTI is defined as any return, return information, or taxpayer return information that is entrusted to the College by the Internal Revenue Services. See Internal Revenue Service Publication 1075 Exhibit 2 for more details.

6.

Payment Card Information

Payment card information is defined as a credit card number (also referred to as a primary account number or PAN) in combination with one or more of the following data elements:

  • Cardholder name

  • Service code

  • Expiration date

  • CVC2, CVV2 or CID value

  • PIN or PIN block

  • Contents of a credit card’s magnetic stripe

7.

Personally Identifiable Education Records

Personally Identifiable Education Records are defined as any Education Records that contain one or more of the following personal identifiers:

  • Name of the student

  • Name of the student’s parent(s) or other family member(s)

  • Social security number

  • Student number

  • A list of personal characteristics that would make the student’s identity easily traceable

  • Any additional information or identifier that would make the student’s identity easily traceable

8.

Personally Identifiable Information

To meet security breach notification requirements, PII is defined as a person’s first name or first initial and last name in combination with one or more of the following data elements:

  • Birthdate

  • Home Address

  • Social security number

  • State-issued driver’s license number

  • State-issued identification card number

  • Financial account number in combination with a security code, access code or password that would permit access to the account

  • Medical and/or health insurance information

9.

Protected Health Information (“PHI”)

PHI is defined as “individually identifiable health information” transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium by a Covered Component. PHI is considered individually identifiable if it contains one or more of the following identifiers:

  • Name

  • Address (all geographic subdivisions smaller than state including street address, city, county, precinct, or zip code)

  • All elements of dates (except year) related to an individual including birth date, admissions date, discharge date, date of death and exact age if over 89)

  • Telephone numbers

  • Fax numbers

  • Electronic mail addresses

  • Social security numbers

  • Medical record numbers

  • Health plan beneficiary numbers

  • Account numbers

  • Certificate/license numbers

  • Vehicle identifiers and serial numbers, including license plate number

  • Device identifiers and serial numbers

  • Universal Resource Locators (URLs)

  • Internet protocol (IP) addresses

  • Biometric identifiers, including finger and voiceprints

  • Full face photographic images and any comparable images

  • Any other unique identifying number, characteristic or code that could identify an individual

10.

Controlled Technical Information (“CTI”)

Controlled Technical Information means “technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination” per DFARS 252.204-7012.

11.

For Official Use Only (“FOUO”)

Documents and data labeled or marked For Official Use Only are a pre-cursor of Controlled Unclassified Information (CUI) as defined by National Archives (NARA)

12.

Personal Data from the European Union (EU)

The EU’s General Data Protection Regulation (GDPR) defines personal data as any information that can identify a natural person, directly or indirectly, by reference to an identifier including

  • Name

  • An identification numbers

  • Location data

  • An online identifier

  • One or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person

Any personal data that is collected from individuals in the European Economic Area (EEA) countries is subject to GDPR. 


 


 


 

Standards:

 

ISP-09 - Data Classification Standard (login required)

Print Article

Details

Article ID: 156042
Created
Wed 5/31/23 3:33 PM
Modified
Wed 5/31/23 4:29 PM

Related Articles (1)

Definitions of terms used across policies and standards