Asset Classification Protocol

Introduction

Pursuant to the University at Albany Information Security Policy, and SUNY Procedure 6608: Information Security Guidelines, Part 1, this protocol is established as part of the Asset Classification Security Domain.

Security Domain

The Asset Classification Security Domain is designed to identify critical information and physical assets and develop a comprehensive approach to their protection and management.

Background

SUNY Procedure 6608: Information Security Guidelines, Part 1 Campus Programs & Preserving Confidentiality, dated February 1, 2008, requires all units to issue a declaration of campus policy and standards, including a Declaration of Sensitive Categories.

Objectives

This protocol establishes that there are sensitive categories of information used by the University and its affiliates in the course of normal business operations. These include teaching, learning, research, and administrative functions. These categories require adequate controls to assure the confidentiality, integrity, and availability of this information. In cases where the information is subject to state or federal regulations, specific levels of controls may be required.

This protocol incorporates and appends the provisions, definitions, and requirements of University Declaration of Sensitive Information, Appendix C, to the Information Security Guidelines, Part 1, document #6608.

Scope

This is a University-wide protocol that applies to all University personnel and the employees of those entities and affiliates that rely on the University’s IT infrastructure, data, or applications for their operations.

Roles and Responsibilities

The campus Information Security Officer (ISO) has primary responsibility for defining the standards and procedures of the University’s Data Classification Standard. The standards and procedures documents will be consistent with the attached Appendix C, University Declaration of Sensitive Information.

All University personnel and employees of University affiliates are required to comply with the University’s Asset Classification supporting standards and procedures.

Review

This protocol and all related published documents will be reviewed no less than once every three years.

Related Documents

SUNY Procedure #6608: Information Security Guidelines, Part 1: Campus Programs & Preserving Confidentiality, Appendix C, Declaration of Sensitive Categories

NYS Information Security Breach & Notification Law

NYS Governmental Accountability, Audit & Internal Control Act

NYS Cyber Security Policy P03-002: Information Security Policy

SUNY Policies of the Board of Trustees
Adopted: 2009
Revised: February 2012
Reviewed: May 2015

University Declaration of Sensitive Information

Appendix C, to Information Security Guidelines, Part 1, Campus Programs & Preserving Confidentiality, Document #6608.

Responsible Office: SUNY System Administrative Services and Technology
February 1, 2008

The University declares the following categories of information to be “Sensitive Information” as defined in Procedure #6608, Information Security Guidelines, Part 1, Campus Programs & Preserving Confidentiality. These categories, therefore, are to be included in campus declarations of “Sensitive Information” and handled in campus Programs as described in the Procedure.

This listing also contains categories of information that the University recommends for campus consideration, these being clearly identified by heading.

I.  Confidentiality

The following categories require controls for protecting appropriate use and disclosure:

I. A.  Defined in Law

    Applying to All Campuses

    1.  personal information as defined by the NYS Freedom of Information Act (FOIL).

    2.  personal identifying information as defined by the NYS Information Security Breach and Notification Act, and the NYS Disposal of Personal Records Law.

    3.  personal information defined in the NYS Personal Privacy Protection Law and in the related University policy.

    4.  personally identifiable information on students in education records as defined in the Family Educational Rights and Privacy Act (FERPA).

    5.  personal information defined in the NYS Electronic Signatures and Records Act (ESRA).

    Applying to Most Campuses

    6.  personally identifiable financial information on customers in financial lending records as defined in the Gramm-Leach-Bliley Act (GLBA) with its associated Federal Trade Commission Safeguards Rule.

    Applying to a Few Campuses

    7.  electronic protected health information, defined in the Security Standard related to the Health Insurance Portability and Accountability Act (HIPAA).

I. B.  Defined in Industry Controls

    Applying to Many Campuses

    8.  payment card transaction information as defined by the Payment Card Industry Data Security Standard (PCI-DSS).

I. C.  Defined in University Procedure

    Applying to All Campuses

    9.  Personal, Private, and Sensitive Information (“PPSI”) as defined in New York State’s Information Security Policy (NYS IS Policy).

    10. structural, operational, or technical information (about electric, natural gas, steam, water supplies, nuclear or telecommunications systems or infrastructure) as defined within “PPSI” in NYS IS Policy.

    11. Program Documents as defined in Document #6608.

I. D.  Recommended by the University for Campus Consideration

    Applying to All Campuses

    12. personally identifiable health information of the type defined by HIPAA yet not technically covered under that law and not restricted to subject (employees, students, alumni, visitors) and not restricted to electronic media.

    13. personally identifiable financial information of the type defined by GLBA yet not technically covered under that law and of the type defined by PCI-DSS yet not technically covered under that control.

    14. emergency and business continuity plans and operational documents.

II. Integrity

The following categories require controls for protecting intended content:

II. A.  Defined in University Procedure

    Applying to All Campuses

    15. student records and transcript data regarding official attendance in University programs (“courses”) and associated assessments of performance and completion of requirements for courses (“grades”) and graduation, and degrees generated by the University.

    16. financial records regarding official University transactions.

II. B.  Recommended by the University for Campus Consideration

    Applying to All Campuses

    17. public University web pages with significant impact on the public’s understanding and impression of the University’s character, roles, services, faculty, staff, students, and alumni, history, location, buildings, offerings and any other information placed on a University web page that has been reviewed and approved by University management.

III.  Availability

The following categories require controls for protecting intended operational access:

III. A.  Recommended by the University for Campus Consideration

    Applying to All Campuses

    18. transactional data and supporting data necessary to conduct mission-critical transactions in teaching, research, service and administration.

    19. emergency and business continuity plans and operational documents.