
Data Classification and Handling Policy

JSCC Policy Number: 1:08:04:01

TBR Policy Reference: Not Applicable

TBR Guideline Reference: Not Applicable

Approved By: President's Cabinet

Original Date Effective: 2013-08-05

Last Modified: 2023-07-10

Responsible Office: Office of Information Technology


Purpose

The purpose of this policy is to establish a framework for classifying and handling College data based on its level of sensitivity, value and criticality to the College as required by the College’s Information Security Program. Classification of data will aid in determining baseline security controls for the protection of data.

Scope

This policy applies to all College employees who access, process, or store sensitive College data.

Definitions

Confidential Data - Generalized term that typically represents data classified as confidential, according to the data classification scheme defined in this document. This term is often used interchangeably with sensitive data.

Data Owner - An administrator of an institution office or division, or a designee, who may make data within their charge available to others for the use and support of the office or division's functions. The Data Owner is responsible for the accuracy and completeness of data files in their area and ensures that protection requirements are met before granting access to the data.

Data Custodian - Institutional designees responsible for oversight of personally identifiable information in their respective areas of institutional operations. Other responsibilities of a Data Custodian include understanding how information assets are stored, processed, and transmitted, and implementing appropriate physical and technical safeguards to protect the confidentiality, integrity, and availability of information assets.

Institutional Data - All data owned or licensed by the College.

Information Assets - Definable pieces of information in any form, recorded or stored on any media that is recognized as “valuable” to the College.

Non-public Information - Any information that is classified as Internal/Private Information according to the data classification scheme defined in this document.

Sensitive Data - Generalized term that typically represents data classified as Confidential according to the data classification scheme defined in this document.

Data Classification

Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the College should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of three sensitivity levels (tiers), or classifications:

Tier 1 - Confidential Data

Data should be classified as Confidential when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the College or its affiliates. Examples of Confidential data include data protected by state or federal privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied.

Access to Confidential data must be controlled from creation to destruction, and will be granted only to those persons affiliated with the College who require such access in order to perform their job ("need-to-know"). Access to Confidential data must be individually requested and then authorized by the Data Owner who is responsible for the data.

Tier 1 Confidential data is highly sensitive and may have personal privacy considerations, or may be restricted by federal or state law. In addition, the negative impact on the institution should this data be incorrect, improperly disclosed, or not available when needed is typically very high. Examples of Confidential/Restricted data include official student grades and financial aid data, social security and credit card numbers, and individuals’ health information.

Tier 2 - Internal/Private Data

Data should be classified as Internal/Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the College or its affiliates. By default, all information assets that are not explicitly classified as Confidential or Public data should be treated as Internal/Private data. A reasonable level of security controls should be applied to internal data.

Access to Internal/Private data must be requested from, and authorized by, the Data Owner who is responsible for the data. Access to Internal/Private data may be authorized to groups of persons by their job classification or responsibilities, and may also be limited by one’s department.

Internal/Private Data is moderately sensitive in nature. Often, Tier 2 Internal/Private data is used for making decisions, and therefore it is important this information remain timely and accurate. The risk for negative impact on the College should this information not be available when needed is typically moderate. Examples of Internal/Private data include official university records such as financial reports, human resources information, some research data, unofficial student records, and budget information.

Tier 3 - Public Data

Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the College and its affiliates. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.

Public data is not considered sensitive; therefore, it may be granted to any requester or published with no restrictions. The integrity of Public data should be protected. The appropriate Data Owner must authorize replication or copying of the data in order to ensure it remains accurate over time. The impact on the institution should Tier 3 Public data not be available is typically low (inconvenient but not debilitating). Examples of Public data include directory information, course information, and research publications.

Data Collections

Data Owners may wish to assign a single classification to a collection of data that is common in purpose or function. When classifying a collection of data, the most restrictive classification of any of the individual data elements should be used. For example, if a data collection consists of a student’s name, address and social security number, the data collection should be classified as Confidential even though the student’s name and address may be considered Public information.

Determining Classification

The goal of information security, as stated in the College Data Security Plan, is to protect the confidentiality, integrity and availability of information assets and systems. Data classification reflects the level of impact to the College if confidentiality, integrity or availability of the data is compromised.

The table below rates each security objective at the three impact levels: LOW (Public), MODERATE (Private), and HIGH (Confidential).

Confidentiality - Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

  • LOW - Public: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  • MODERATE - Private: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  • HIGH - Confidential: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity - Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.

  • LOW - Public: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  • MODERATE - Private: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  • HIGH - Confidential: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Availability - Ensuring timely and reliable access to and use of information.

  • LOW - Public: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  • MODERATE - Private: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  • HIGH - Confidential: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Predefined Types of Confidential/Restricted Information Assets

Based upon state, federal, and contractual requirements, Jackson State Community College is required to protect at the highest level the following data types:

Personally Identifiable Education Records - Covered under FERPA

Record means any information recorded in any way, including, but not limited to, handwriting, print, computer media, video, audio tape, film, microfilm, or microfiche.

Education records - records that are:

  • Directly related to a student; and
  • Maintained by an educational agency or institution or by a party acting for the agency or institution.

Personally Identifiable Education Records are records that contain one or more of the following:

  • Student Name
  • Student J Number
  • Social Security Number
  • Grades
  • GPA
  • Courses Enrolled
  • Indirect identifiers such as student’s date of birth, place of birth, or mother’s maiden name
  • Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or
  • Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.

Personally Identifiable Financial Information (PIFI) - Covered under GLBA

For the purpose of meeting security breach notification requirements, PIFI is defined as a person’s first name or first initial and last name in combination with one or more of the following data elements:

  • Social security number
  • State-issued driver’s license number
  • Date of Birth
  • Card or bank account number
  • Transactional data
  • Financial account number in combination with a security code, access code or password that would permit access to the account

Payment Card Information- Covered under PCI DSS

Payment card information is defined as a credit card number (also referred to as a primary account number or PAN) in combination with one or more of the following data elements:

  • Cardholder name
  • Service code
  • Expiration date
  • CVC2, CVV2 or CID value
  • PIN or PIN block
  • Contents of a credit card’s magnetic stripe

Protected Health Information (PHI) - Covered under HIPAA

PHI is defined as any “individually identifiable” information that is stored by a Covered Entity, and related to one or more of the following:

  • Past, present or future physical or mental health condition of an individual.
  • Provision of health care to an individual.
  • Past, present or future payment for the provision of health care to an individual.

PHI is considered “individually identifiable” if it contains one or more of the following identifiers:

  • Name
  • Address (all geographic subdivisions smaller than state including street address, city, county, precinct or zip code)
  • All elements of dates (except year) related to an individual, including birth date, admission date, discharge date, date of death, and exact age if over 89
  • Telephone/Fax numbers
  • Email addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate number
  • Device identifiers and serial numbers
  • Universal Resource Locators (URLs)
  • Internet protocol (IP) addresses
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number or characteristic that could identify an individual

If the health information does not contain one of the above-referenced identifiers and there is no reasonable basis to believe that the information can be used to identify an individual, it is not considered "individually identifiable" and, as a result, would not be considered PHI.
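The "most restrictive element wins" rule from the Data Collections section, the Tier 2 default for anything not explicitly classified, and the combination-based definitions of PIFI and payment card information above can all be expressed as a small rule engine. The following is an added example written for this page, not College code; the field names, the element-to-tier mapping, and the rule lists are assumptions made for illustration (the policy gives examples of each tier but no canonical field names).

```python
from enum import IntEnum
from typing import Iterable


class Tier(IntEnum):
    """Lower number = more restrictive, matching the policy's Tier 1/2/3 numbering."""
    CONFIDENTIAL = 1   # Tier 1
    INTERNAL = 2       # Tier 2 (Internal/Private)
    PUBLIC = 3         # Tier 3


# Assumed element-level classifications. Name and address are treated as directory
# information (Public), as in the policy's own data-collection example.
ELEMENT_TIER = {
    "name": Tier.PUBLIC,
    "address": Tier.PUBLIC,
    "course_info": Tier.PUBLIC,
    "budget": Tier.INTERNAL,
    "hr_record": Tier.INTERNAL,
    "financial_report": Tier.INTERNAL,
    "ssn": Tier.CONFIDENTIAL,
    "grades": Tier.CONFIDENTIAL,
    "gpa": Tier.CONFIDENTIAL,
    "financial_aid": Tier.CONFIDENTIAL,
    "pan": Tier.CONFIDENTIAL,          # payment card primary account number
    "health_condition": Tier.CONFIDENTIAL,
}

# Combination rules (assumed field names): a set of "trigger" elements plus at least one
# "companion" element makes the whole collection Confidential even when no single
# element is Confidential on its own. Modelled on the GLBA PIFI and PCI DSS definitions.
COMBINATION_RULES = [
    ("GLBA PIFI", {"name"},
     {"drivers_license", "date_of_birth", "bank_account_number", "transactional_data"}),
    ("PCI DSS payment card information", {"pan"},
     {"cardholder_name", "service_code", "expiration_date", "cvv2", "pin", "magstripe"}),
]


def classify_element(field: str) -> Tier:
    """Policy default: anything not explicitly Confidential or Public is Internal/Private."""
    return ELEMENT_TIER.get(field, Tier.INTERNAL)


def classify_collection(fields: Iterable[str]) -> tuple[Tier, list[str]]:
    """Return the tier for a data collection plus the reasons that drove it.

    The collection takes the most restrictive tier of any element, then the
    combination rules are applied on top. Reasons are returned so the Data Owner
    can audit why a collection landed in a given tier.
    """
    present = set(fields)
    if not present:
        raise ValueError("a data collection must contain at least one element")

    reasons: list[str] = []
    tier = Tier.PUBLIC
    for field in sorted(present):
        element_tier = classify_element(field)
        if field not in ELEMENT_TIER:
            reasons.append(f"{field}: not explicitly classified, defaults to Tier 2")
        elif element_tier != Tier.PUBLIC:
            reasons.append(f"{field}: Tier {int(element_tier)}")
        tier = min(tier, element_tier)   # most restrictive element wins

    for rule_name, triggers, companions in COMBINATION_RULES:
        if triggers <= present and present & companions:
            matched = sorted(present & companions)
            reasons.append(f"{rule_name}: {sorted(triggers)} combined with {matched}")
            tier = Tier.CONFIDENTIAL

    return tier, reasons


if __name__ == "__main__":
    # Constructed sample collections mirroring the policy's own example.
    for collection in (["name", "address"],
                       ["name", "address", "ssn"],
                       ["name", "date_of_birth"],
                       ["budget", "course_info"]):
        result, why = classify_collection(collection)
        print(f"{collection} -> Tier {int(result)} ({result.name})")
        for line in why:
            print("   ", line)
```

Note that `date_of_birth` on its own falls to Tier 2 under the default rule, but the same field combined with `name` satisfies the PIFI combination rule and lifts the whole collection to Tier 1; this is the behaviour the policy's combination definitions require and that a per-field lookup alone would miss.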

Data Handling Requirements

Covered data and information may be requested by phone or e-mail from a third party other than the owner of the data or information. If information is requested about a student, the person or request should be transferred to the Records Office. If information is requested about an employee, the person or request should be transferred to the Human Resource Office.

An employee should never give out a student's information over the phone or by email, and should never confirm covered data and information that a third-party caller provides.

A student’s personal information may be released only if the student has specifically authorized you (the employee) to do so in a written waiver, and only if the release meets one of the stipulations covered by FERPA guidelines.

For each classification, several data handling requirements are defined to appropriately safeguard the information. It is important to understand that overall sensitivity of institutional data encompasses not only its confidentiality but also the need for integrity and availability.

The following table defines safeguards for protecting data and data collections based on their classification. In addition to the following data security standards, any data covered by federal or state laws or regulations or contractual agreements must meet the security requirements defined by those laws, regulations, or contracts.

Access Control

  • Tier 3 - Public: No restriction for viewing. Authorization by Data Owner or designee required for modification; supervisor approval also required if not a self-service function.
  • Tier 2 - Internal: Viewing and modification restricted to authorized individuals as needed for business-related roles. Data Owner or designee grants permission for access, plus approval from supervisor. Authentication and authorization required for access.
  • Tier 1 - Confidential: Viewing and modification restricted to authorized individuals as needed for business-related roles. Data Owner or designee grants permission for access, plus approval from supervisor. Authentication and authorization required for access. Confidentiality agreement required.

Physical Security

  • Tier 3 - Public: System must be locked or logged out when unattended. Host-based software firewall recommended.
  • Tier 2 - Internal: System must be locked or logged out when unattended. Hosting in a secure location required; a Secure Data Center is recommended.
  • Tier 1 - Confidential: System must be locked or logged out when unattended. Hosting in a secure location required. Physical access must be monitored, logged, and limited to authorized individuals 24x7.

Transmission

  • Tier 3 - Public: No restrictions.
  • Tier 2 - Internal: Encryption required (e.g., via SSL or Secure File Transfer Protocol (SFTP)). Transmitting via email not recommended; any email transmission must be encrypted.
  • Tier 1 - Confidential: Encryption required (e.g., via SSL or Secure File Transfer Protocol (SFTP)). Transmitting via email not recommended; any email transmission must be encrypted.

Backup/Disaster Recovery

  • Tier 3 - Public: Backups required; daily backups recommended.
  • Tier 2 - Internal: Daily backups required. Off-site backup storage recommended.
  • Tier 1 - Confidential: Daily backups required. Off-site backup storage in a secure location required.

Data Storage

  • Tier 3 - Public: Storage on a secure server recommended. Storage in a secure Data Center recommended.
  • Tier 2 - Internal: Storage on a secure server recommended. Storage in a secure Data Center recommended. Should not be stored on an individual's workstation or a mobile device (e.g., a laptop computer, flash drive, external hard drive); if stored on a workstation, data must be on a shared drive, and if on a mobile device, whole-disk encryption must be used.
  • Tier 1 - Confidential: Storage on a secure server required. Storage in a secure Data Center required. Should not be stored on an individual's workstation or a portable device (e.g., a laptop computer, flash drive, external hard drive); if stored on a workstation, data must be on a shared drive, and if on a mobile device, whole-disk encryption must be used. Paper/hard copy: do not leave unattended where others may see it; store in a secure location.

Copying/Printing (applies to both paper and electronic forms)

  • Tier 3 - Public: No restrictions.
  • Tier 2 - Internal: Data should only be printed when there is a legitimate need. Copies must be limited to individuals with a need to know. Data should not be left unattended on printer/fax. May be sent via Campus Mail.
  • Tier 1 - Confidential: Data should only be printed when there is a legitimate need. Copies must be limited to individuals authorized to access the data who have signed a confidentiality agreement. Data should not be left unattended on printer/fax. Must be sent via Confidential envelope; data must be marked "Confidential".

Disposal

  • Tier 3 - Public: Paper can be thrown in trash; shredding is recommended. Hardware must be wiped so data cannot be removed.
  • Tier 2 - Internal: Paper must be shredded. Storage devices must be degaussed and physically impaired so they cannot be used.
  • Tier 1 - Confidential: Paper must be shredded. Storage devices must be degaussed and physically impaired so they cannot be used.