Data Classification Policy

Executive Summary

The mission of Hobart and William Smith Colleges, to prepare students to lead lives of consequence, is innately dependent upon the institution’s ability to shield its community of students, educators, and staff from threats that could undermine collaboration and education.

To fulfill this mission, Hobart and William Smith Colleges must achieve institutional prestige and distinction in the pursuit of information security, developing an approach that is community-minded, flexible and inclusive, and imbued with rigor appropriate for the institution’s obligations. A successful information security program will protect the institutional reputation and safeguard its academic environment. Achieving success is a shared responsibility, with obligations expressed at institutional and individual levels.

All Hobart & William Smith community members are responsible for protecting institutional data. This Data Classification Policy establishes a framework for classifying data based on its level of sensitivity, value, and criticality to the Colleges as required by its Information Security Policy. Data classification guides Hobart & William Smith Colleges members to apply the appropriate safeguards for different types of information. This policy outlines the measures and responsibilities required for securing data resources.

1.0 PURPOSE

Data protection is a responsibility shared by all Hobart and William Smith Colleges community members. This document outlines classification categories for data and the responsibilities of Hobart and William Smith Colleges with respect to each classification.

The purpose of this policy is to define the data classification requirements for information assets and to ensure that data is secured and handled according to its sensitivity and the impact that theft, corruption, loss, or exposure would have on the institution and its constituents. This policy was developed to assist Hobart and William Smith Colleges and provide direction to the institution regarding identifying, classifying, and handling information assets.

2.0 SCOPE

The scope of this policy includes all information assets governed by Hobart and William Smith Colleges. All faculty, staff, and third parties who have access to or utilize information assets to process, store, and/or transmit information for or on behalf of Hobart and William Smith Colleges shall be subject to these requirements.

3.0 POLICY

Hobart and William Smith Colleges established the requirements enumerated below regarding the classification of data to protect the information of the institution and its constituents.

3.1 GOVERNANCE ROLES AND RESPONSIBILITIES

As established in the Data Governance policy, multiple roles have responsibilities relevant to data classification.

In particular, Data Stewards hold primary responsibility for:

  • Identifying the institution’s information assets under their areas of supervision; and
  • Maintaining an accurate and complete inventory for data classification and handling purposes.

Data Stewards are accountable for ensuring that their information assets receive an initial classification upon creation and a reclassification whenever reasonable. Technical Data Stewards support reclassification efforts as requested by a Data Steward.

3.2 DATA CLASSIFICATION

Data classifications group data into broad categories, each of which is associated with a relative strength of security controls.

Hobart and William Smith Colleges establish the following data classifications:

  • Restricted – Information whose loss, corruption, or unauthorized disclosure would cause severe personal, financial, or reputational harm to the institution, employees, or the constituents we serve. Common examples include, but are not limited to, some elements of Family Educational Rights and Privacy Act (FERPA) data, social security numbers, banking and health information, payment card information, and information systems’ authentication data. Data mishandling would result in Federal or state breach notification, identity or financial fraud, extreme revenue loss, or the unavailability of critical systems.
  • Sensitive – Information whose loss, corruption, or unauthorized disclosure would cause limited personal, financial, or reputational harm to the institution, employees, or the constituents we serve. Common examples include, but are not limited to, some elements of Family Educational Rights and Privacy Act (FERPA) data and some data elements found in unpublished research data. Data mishandling would not require Federal or state breach notification and would result in limited identity theft, insignificant revenue loss, or would not affect the availability of critical systems.
  • Public – Information whose loss, corruption, or unauthorized disclosure would cause minimal or no personal, financial, or reputational harm to the institution, employees, or the constituents we serve. Common examples include, but are not limited to, sales and marketing strategies, promotional information, published research data, and policies.

The associated Data Steward will classify data according to the specific, finite criteria above, in consultation with the Data Governance Team.

As required by the Data Governance Policy, data inventory records should include one or more appropriate classification tags assigned by relevant Data Stewards and Technical Data Stewards. Minimum security controls and safeguards will be defined for each data classification.

Data Consumers interact with information assets according to their prescribed classification, including access controls, labeling, retention policies, and destruction methods. The specific methods must be described in the Data Classification and Handling Procedure.

Information systems managed by Hobart and William Smith Colleges that store, process, or transmit institutional data shall be protected using security controls that are reasonable and appropriate. Security controls will be implemented by Technical Data Stewards in consultation with Data Stewards.

Individuals authorized to access institutional data shall adhere to the Data Consumer guidelines set forth in the documentation approved by the Data Governance Team and to any system- or data-specific requirements imposed by the relevant Data Steward. No unauthorized use, handling, transmission, or other form of dissemination of institutional data is permitted.

3.4 RECLASSIFICATION

The responsible Data Stewards will re-evaluate classified data assets at least once per year. Reclassification of data assets should be considered whenever the data asset is modified, retired, or destroyed.

Classifications must be reviewed periodically, and a review may result in reclassification.

3.5 CLASSIFICATION INHERITANCE

Logical or physical assets that "contain" a data asset may inherit classification from the data asset(s) contained therein. In these cases, the inherited classification shall be the highest classification of all contained data assets.

4.0 ENFORCEMENT

Users who violate this policy may be denied access to the institution’s resources and may be subject to penalties and disciplinary action both within and outside of the institution. The institution may temporarily suspend or block access to an account before the initiation or completion of such procedures when it appears reasonably necessary to protect the integrity, security, or functionality of the institution or other computing resources or to protect the institution from liability.

5.0 EXCEPTIONS

Exceptions to this policy must be approved in advance by the Chief Information Officer at the request of the responsible Data Steward. Approved exceptions must be reviewed and re-approved by the Data Steward annually.

6.0 REFERENCES

  • Family Educational Rights and Privacy Act (FERPA)
  • NIST SP 800-171 – Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

7.0 RELATED POLICIES

  • Data Governance Policy
  • Information Security Policy
  • Responsible & Acceptable Use Policy

8.0 RESPONSIBLE DEPARTMENT

Information Technology Services

9.0 POLICY AUTHORITY

This policy is issued by the Chief Information Officer for Hobart and William Smith Colleges.