Information Technologies

Information Classification Policy

Section:	Information Technologies Policies
Policy Name:	Information Classification Policy
Policy Owner:	Executive Vice President
Responsible University Office:	Information Technologies
Origination Date:	February 26, 2018
Revisions:

1. SCOPE OF POLICY
   1. This policy establishes risk-based University information classifications to facilitate institution-wide understanding of data-related risks and implementation of security standards and controls as required by the University Information Security Policy.
   2. This policy applies to University information in all forms, including physical and digital, and in all locations, including in storage media, in e-communications, in the cloud, and on personal devices. Note: for the purposes of this policy, “University information” does not include an individual’s own personal information stored on a computer or device.
2. DEFINITIONS
   1. “Availability” means ensuring timely and reliable access to and use of University information.
   2. “Confidentiality” means preserving authorized restrictions on University information access and disclosure, including means for protecting personal privacy and proprietary information.
   3. “Data set” is a collection of related University information that supports University missions or activities.
   4. “Data steward” is an individual within the University who is the primary institutional authority for a particular data set and who is principally responsible for the management and security of that data set across the institution.
   5. “Data stewardship” is the responsible oversight of a data set, including principal responsibility for the establishment of standards and guidelines for appropriately managing and securing that data across the institution.
   6. “Data trustee” is an executive officer of the University who has the highest level of strategic and policy-setting authority and responsibility for his or her functional area.
   7. “End user” is any individual who accesses and/or utilizes IT resources.
   8. “Functional area” is one or more units that have primary responsibility for managing a core University mission or business function.
   9. “Integrity” means guarding against improper modification or destruction of University information, and includes ensuring non-repudiation and authenticity.
   10. “IT resources” are the full set of University owned or controlled information technology devices and data involved in the processing, storage, accessing, and transmission of information.
   11. “Security controls” are the administrative, operational, and technical requirements and recommended best practices for meeting security standards.
   12. “Security standards” are the requirements for achieving risk management objectives and compliance with laws, regulations, and policies.
   13. “Unit” means a University department, school, institute, program, office, initiative, center, or other operating unit.
   14. “Unit head” is a University official with the highest level of authority over the day-to-day management or oversight of a unit’s operation.
   15. “University information” is defined as any information within the University’s purview, including information that the University may not own but that is governed by laws and regulations to which the University is held accountable. University information encompasses all data that pertains to or supports the administration and missions, including research, of the University.
   16. “University information classifications” are the categories of University information that have different security requirements based on their potential impact due to a loss of confidentiality, integrity, or availability.
3. POLICY STATEMENTS
   1. University information must be classified according to the University information classifications defined in this policy.
   2. University information in all forms and locations must be protected by implementing the administrative, operational, and technical security standards and controls required by its classification.
4. POLICY STANDARDS AND PROCEDURES
   1. This policy establishes three University information classifications based on confidentiality risks:
      1. Level III—High Risk Information
         1. The University is required to implement specific security controls to safeguard the privacy and confidentiality of Level III information as mandated by federal, state, and/or local law; University policy; or agreement.
         2. Unintentional, unlawful, or unauthorized disclosure of Level III information would have a significant adverse effect on organizational operations, organizational assets, individuals, other organizations, or the nation.
         3. Level III information includes, but is not limited to:
            1. Confidential information.
            2. Personally Identifiable Information (PII) – An individual’s first name or initial and last name in combination with any of the following:
               1. Social Security number;
               2. Driver’s license number or state-issued ID card number;
               3. Alien registration or government passport number;
               4. Account number, or credit or debit card number, in combination with any required security code, access code, PIN or password needed to access an account.
            3. Protected Health Information (PHI/ePHI) as defined in the Health Insurance Portability and Accountability Act (HIPAA).
            4. Cardholder Data (CHD) as defined by the Payment Card Industry Data Security Standards (PCI-DSS).
            5. Export controlled data, including research, subject to the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR).
            6. Sensitive personally identifiable human subject research.
            7. UDelNet account passwords or encryption keys used to protect access to Level III information.
         4. Data stewards and unit heads may require specific University information not classified as Level III information under this policy to be nonetheless managed according to the same security standards and controls as Level III information. For example, data stewards may require that a data set vital to the operational continuity or effectiveness of the University be protected by the additional security standards prescribed for Level III information, even if that data set does not necessarily carry significant confidentiality risks.
      2. Level II—Moderate Risk Information
         1. Level II information includes all University information not categorized as either Level III or Level I.
         2. Level II information refers to official internal records that support the day-to-day operation of University units. This data may sometimes be described as “official use only.”
         3. Level II information includes, but is not limited to:
            1. Student education records, not including directory information, subject to the Family Education Rights Protection Act (FERPA);
            2. Human resources information, such as salary and employee benefits information;
            3. Non-public personal and financial data about applicants and donors;
            4. Information received under grants and contracts subject to confidentiality requirements;
            5. Law enforcement or court records and confidential investigation records;
            6. Citizenship or immigration status;
            7. Unpublished University financial information, strategic plans, and real estate or facility development plans;
            8. Information on facilities security systems;
            9. Nonpublic intellectual property, including unpublished research data, invention disclosures, and patent applications.
      3. Level I—Low Risk Information
         1. Level I information is explicitly or implicitly approved for distribution to all members of the University community and to all individuals and entities external to the University community with no legal, regulatory, contractual, or funding agency restrictions on access or usage.
         2. Unintentional, unlawful, or unauthorized disclosure of Level I information would have limited or no adverse effect on organizational operations, organizational assets, individuals, other organizations, or the nation.
         3. Level I information includes, but is not limited to:
            1. General access data on University websites;
            2. University financial statements and other reports filed with federal or state governments and generally available to the public;
            3. Copyrighted materials that are publicly available;
            4. Directory information under FERPA.
   2. Roles and responsibilities
      1. Data trustees
         1. Require the appropriate classification of University information entrusted to their care.
      2. Data stewards
         1. Classify University information within their stewardship according to the three University information classifications:
            1. Level III—High Risk Information
            2. Level II—Moderate Risk Information
            3. Level I—Low Risk Information
         2. Periodically review and update the classifications of University information within their stewardship.
         3. Report to Information Technologies the classifications of University information within their stewardship.
      3. Information Technologies
         1. In collaboration with data stewards, develop and maintain a University data dictionary that describes the sets of University information available for access and the University information classifications assigned to them.