Authority

This policy is approved by the Chief Information Officer (CIO).

Summary

All College data is classified into defined access levels. Data may not be accessed without proper authorization.

The purpose of this policy is to protect the information resources of the College from unauthorized access or damage. The requirement to safeguard information resources must be balanced with the need to support the pursuit of legitimate academic objectives. The value of data as an institutional resource increases through its widespread and appropriate use; its value diminishes through misuse, misinterpretation, or unnecessary restrictions to its access.

1. Classification of Data

All College data is classified into levels of sensitivity to provide a basis for understanding and managing college data.  Accurate classification provides the basis to apply an appropriate level of security to college data.  These classifications of data take into account the legal protections (by statute, regulation, or by the data subject’s choice), contractual agreements, ethical considerations, or strategic or proprietary worth.  Data can also be classified as a result of the application of “prudent stewardship”, where there is no reason to protect the data other than to reduce the possibility of harm or embarrassment to individuals or to the institution.

By default, all institutional data will be designated as "Sensitive".  College employees will have access to the data for use in the conduct of college business.

2. Classification Levels

The classification level assigned to data will guide Data Stewards, Data Managers, business and technical project teams, and any others who may obtain or store data, in the security protections and access authorization mechanisms appropriate for that data. Such categorization encourages the discussion and subsequent full understanding of the nature of the data being displayed or manipulated.  Data is classified as one of the following:

• Public (low level of sensitivity)
  Access to “Public” institutional data may be granted to any requester. Public data is not considered confidential. Examples of Public data include published directory information and academic course descriptions. The integrity of Public data must be protected, and the appropriate Data Manager must authorize replication of the data. Even when data is considered Public, it cannot be released (copied or replicated) without appropriate approvals.
• Sensitive (moderate level of sensitivity)
  Access to “Sensitive” data must be requested from, and authorized by, the Data Steward who is responsible for the data.  Data may be accessed by persons as part of their job responsibilities. The integrity of this data is of primary importance, and the confidentiality of this data must be protected. Examples of Sensitive data include purchasing data, financial transactions that do not include restricted data, information covered by non-disclosure agreements and Library transactions.
• Restricted (highest level of sensitivity)
  Access to “Restricted” data must be controlled from creation to destruction, and will be granted only to those persons affiliated with the College who require such access in order to perform their job, or to those individuals permitted by law. The confidentiality of data is of primary importance, although the integrity of the data must also be ensured. Access to restricted data must be requested from, and authorized by, the Data Steward who is responsible for the data. Restricted data includes information protected by law or regulation whose improper use or disclosure could:
      
  • Adversely affect the ability of the college to accomplish its mission
  • Lead to the possibility of identity theft by release of personally identifiable information of college constituents
  • Put the college into a state of non-compliance with various state and federal regulations such as FERPA, HIPAA, and GLBA
  • Put the college into a state of non-compliance with contractual obligations such as PCI DSS
  
  The specification of data as restricted should include reference to the legal or externally imposed constraint that requires the restriction, the categories of users typically given access to the data, and under what conditions or restrictions access is typically given.
  
  Examples of Restricted data include social security numbers, student registration, grades, financial aid data and bank account numbers.

3. Roles and Responsibilities

Chief Information Security Officer

The Chief Information Security Officer implements policies and procedures to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPPA), Family Education Rights and Privacy Act (FERPA), and others governing the treatment of individually identifiable information.

Data Trustees

Data Trustees are senior college officials or their designees who have planning, policy-level and management responsibility for data within their functional areas.  Data Trustees responsibilities include:

• Assigning and overseeing Data Stewards
• Remaining aware of the legal and regulatory requirements for data in their areas
• Ensuring that data policies are established, and kept up to date, in their areas and if appropriate, delegating such responsibility
• Promoting appropriate use and data quality

Data Stewards

Data Stewards are college officials having direct operational-level responsibility for the management of one or more types of data.  Data Stewards are assigned by the Data Trustee and are generally associate deans, associate vice presidents, directors or managers.  Data Steward responsibilities include:

• The application of this and related policies to the systems, data, and other information resources under their care or control
• Overseeing the establishment of data policies in their areas
• Understanding legal and regulatory requirements for data in their areas
• Classifying data using the College's data classification system
• Identifying safeguards for Restricted Data

In cases where multiple Data Stewards collect and maintain the same restricted data elements, the Data Stewards must work together to implement a common set of safeguards.

Data Managers

Data Managers are college officials who are responsible for day-to-day operational data collection and management, overseeing the life cycle of a particular set of institutional data. They have the authority from the Data Steward and/or Data Trustee to grant internal access to data for their functional area. Data Managers are generally managers of data systems or senior data analysts within business departments. Data Manager responsibilities include:

• Implementing the established data policies in their areas
• Developing data definitions and standards for data elements in their functional area
• Regularly striving to improve the way data is defined, produced, and used in their functional area
• Resolving data quality issues pertaining to data in their functional area
• Safeguarding data by ensuring appropriate access,  following established authorization procedures, and maintaining physical and system security appropriate to the classification level of the data in their custody
• Following data handling and protection policies and procedures established by Data Stewards and Information Security
• Communicating and providing education on the required minimum safeguards for protected data to authorized data users
• Supporting access by providing appropriate documentation and training to data consumers
• Setting an example of data-related behavior for their department

Data Consumers

Data Consumers are the individual college community members who have been granted access to college data in order to perform assigned duties or in fulfillment of assigned roles or functions at the college.  This access is granted solely for the conduct of college business.  Data Consumer responsibilities include:

• Following the policies and procedures established by the relevant Data Steward and Information Security
• Complying with federal and state laws, regulations, and policies associated with the college data used
• Applying safeguards prescribed by appropriate Data Steward for Restricted Data

Reporting any unauthorized access or data misuse to Information Security or the appropriate Data Steward for remediation.