Institutional Technology

Data Classification Standards

Problem

Though colleges and universities today have security measures in place to protect vital information such as firewalls, IDSs, or encryption, these institutions are still being compromised at an alarming and disproportionate rate. Over 30% of information security breaches in the U.S. occur in higher education even though these institutions account for only a small percentage of the total number of U.S. organizations. These breaches can cause serious financial, legal, reputational, and other damage to the institutions and individuals affected. The most prevalent threat to security in colleges and universities is from internal users, such as by staff performing the wrong actions or being unaware.

Purpose
NVC processes, stores, handles, and transmits vast amounts of personal, sensitive information about numerous individuals, including minors and other entities. As such, federal and state laws require us to establish a data classification framework along with appropriate governance policies, procedures, and programs intended to safeguard personal information. All employees, including part-time, volunteer, and student workers, accessing restricted information must: sign an AUP/confidentiality statement, have fingerprint/background check on file, receive appropriate instruction, and attend regular security awareness training.

Public Data
Data classified as Public is suitable for routine public disclosure and use.  Security at this level is the minimum required by NVC to protect the integrity and availability of this data.  Examples of this type of data include, but are not limited to, data routinely distributed to the public such as publicly accessible web pages, marketing materials, and press statements.

Internal Data
Internal data is information about NVC or internal processes that must be guarded due to proprietary or business considerations, but which is not personally identifiable or otherwise considered confidential.  This classification may apply even if there are no regulatory or contractual requirements for its protection. 

Data in this category is generally available to employees, contractors, students, or business associates, but is not routinely distributed outside NVC.  Some Internal data may be limited to individuals who have a legitimate business purpose for accessing the data, and not be available to everyone.  Examples of Internal data may include:

  • NVC procedures and manuals
  • Organization charts
  • Data which is on the internal Intranet (SharePoint), but has not been approved for external communication
  • Software application lists or project reports
  • Sensitive building/facility and system plans or equipment locations
  • Shared network folders and documents

 Restricted Data

Restricted data is information that is sensitive in nature, and may be proprietary, personally identifiable, or otherwise be sensitive. Unauthorized compromise or disclosure of the information would be likely to cause serious financial, legal, or reputation damage to NVC, or result in embarrassment or difficulty for NVC, its employees, or students.  Restricted data may be protected by statutes, regulations, or contractual requirements.  Disclosure is limited to those within NVC on a “need-to-know” basis only.  Disclosure to parties outside of NVC must be authorized by appropriate management and covered by a binding confidentiality or non-disclosure agreement. 

Examples include:

  • Personally identifiable (as defined below) information of our employees, contractors, or students
  • HR, employee or payroll records
  • Student data
  • Audit reports or results
  • System and network configuration details, including diagrams, passwords,  programs or other IT-specific documentation
  • Intellectual property
  • Health records
  • Legal documents

To help with classification of data, the process flowchart below can be used as a guide to help in determining what kind of data you might be working with.

By law and for purposes of this Administrative Regulation, the term “personally identifiable information” means an individual’s first name and last name or first initial and last name in combination with any one or more items of personal information, such as social security number or other identity verification number, driver's license number or state-issued identification card number, student and/or employee ID numbers, financial account number, credit or debit card number, date or place of birth, and demographics (incl. gender identity/expression).