Though colleges and universities today have security measures such as firewalls, IDSs, or encryption in place to protect vital information, these institutions are still being compromised at an alarming and disproportionate rate. Over 30% of information security breaches in the U.S. occur in higher education, even though these institutions account for only a small percentage of the total number of U.S. organizations. These breaches can cause serious financial, legal, reputational, and other damage to the institutions and individuals affected. The most prevalent threat to security in colleges and universities comes from internal users, such as staff who perform the wrong actions or are unaware.
NVC processes, stores, handles, and transmits vast amounts of personal, sensitive information about numerous individuals, including minors and other entities. As such, federal and state laws require us to establish a data classification framework along with appropriate governance policies, procedures, and programs intended to safeguard personal information. All employees, including part-time, volunteer, and student workers, who access restricted information must sign an AUP/confidentiality statement, have a fingerprint/background check on file, receive appropriate instruction, and attend regular security awareness training.
Data classified as Public is suitable for routine public disclosure and use. Security at
this level is the minimum required by NVC to protect the integrity and
availability of this data. Examples of this type of data include, but are not
limited to, data routinely distributed to the public such as publicly accessible
web pages, marketing materials, and press statements.
Internal data is information about NVC or
internal processes that must be guarded due to proprietary or business
considerations, but which is not personally identifiable or otherwise considered
confidential. This classification may apply even if there are no regulatory or
contractual requirements for its protection.
Data in this category is generally available to employees, contractors,
students, or business associates, but is not routinely distributed outside NVC.
Some Internal data may be limited to individuals who have a legitimate
business purpose for accessing the data, and may not be available to everyone.
Examples of Internal data may include:
- NVC procedures and manuals
- Organization charts
- Data which is on the internal Intranet (SharePoint), but has not been
approved for external communication
- Software application lists or project reports
- Sensitive building/facility and system plans or equipment locations
- Shared network folders and documents
Restricted data is information that is sensitive in nature, and may be
proprietary, personally identifiable, or otherwise sensitive. Unauthorized
compromise or disclosure of the information would be likely to cause serious
financial, legal, or reputational damage to NVC, or result in embarrassment or
difficulty for NVC, its employees, or students. Restricted data may be
protected by statutes, regulations, or contractual requirements. Disclosure is
limited to those within NVC on a “need-to-know” basis only. Disclosure to
parties outside of NVC must be authorized by appropriate management and covered
by a binding confidentiality or non-disclosure agreement.
Examples of Restricted data may include:
- Personally identifiable (as defined below) information of our employees,
contractors, or students
- HR, employee or payroll records
- Student data
- Audit reports or results
- System and network configuration details, including diagrams, passwords,
programs or other IT-specific documentation
- Intellectual property
- Health records
- Legal documents
To help with classification of data, the process flowchart below can be used
as a guide to help in determining what kind of data you might be working
By law and for purposes of this Administrative Regulation, the term
“personally identifiable information” means an individual’s first name and last
name or first initial and last name in combination with any one or more items of
personal information, such as social security number or other identity
verification number, driver's license number or state-issued identification card
number, student and/or employee ID numbers, financial account number, credit or
debit card number, date or place of birth, and demographics (incl. gender