Data Classification Standard
Date Established: July, 2011
Date Last Revised: July, 2018
Category: IT Policy
Responsible Office: ITS
Summary
In support of the University’s Asset Classification Protocol, a campus protocol published under the Asset Classification Security Domain, all University data must be classified into one of the three categories described in this standard and protected using appropriate security measures consistent with the minimum standards for the classification level as described in related information security standards, procedures, and guidelines.
The Standard
This standard serves as a supplement to the Asset Classification Protocol. Adherence to the standard will facilitate applying the appropriate security controls to University data.
The objective of this standard is to assist Data Trustees, Stewards, and Custodians in properly classifying data to determine what controls are needed to protect its confidentiality, integrity, and availability. The standard divides data into three categories:
Data Classification | Risk from Disclosure | Description | Examples |
---|---|---|---|
Category 1: Protected Data: Personally Identifiable or Regulated | High-Medium | Personally Identifiable data includes information whose loss or unauthorized access could adversely affect UAlbany; an authorized, contracted partner; specific individuals; or the public. Security breaches of this information are subject to the NY State Information Security and Breach Notification Act and other federal, state, and industry rules and regulations. Regulated data includes information subject to FERPA or other federal, state, or business regulations (e.g., GDPR, HIPAA, Red Flag Rules) that require specific levels of protection to prevent its unauthorized modification or exposure. | Statutory Data; Declared Data |
Category 2: Internal Use Data | Medium-Low | Category 2 includes non-public, internal use information that is not subject to state or federally mandated protections. This includes data exempt from disclosure in NY State’s Freedom of Information Law (FOIL), as well as information that would normally require a FOIL request for public release. | |
Category 3: Public Data | None | All public data | |
DATA CLASSIFICATION and SECURITY CONTROLS REQUIREMENTS
All University data stored on University systems, or non-University owned resources where University business is transacted, must be classified into one of the three categories. In general, data will self-classify based on its source or nature. Data Trustees, Stewards, Custodians, and users are required to implement and observe appropriate administrative, technical, and physical controls to protect the data [see the Category 1 Security Controls document]. Category 1 data has more stringent requirements than Categories 2 and 3. At minimum, all data requires some protective measures to guard against tampering.
When information from multiple classifications is co-located on the same system without effective means of isolation, or within the same repository, database, archive, or record, the Minimum Security Controls of the category representing the highest institutional risk must be applied. As an example, if names and social security numbers were included in meeting minutes, then Category 1 protections would be required for that document.
These requirements exist in addition to all other university policies and federal and state regulations governing the protection of University data. Data classification should be considered an integral part of a comprehensive information security plan.
Note: Consistent with the notion of Incidental Use, personal data belonging to employees stored on a University IT resource is not considered University data.
APPLICABILITY and SCOPE
This protocol applies to all members of the University at Albany community, as well as to external vendors and contractors who receive and maintain collections of University data.
DEFINITIONS
Category 1: Protected Data: Personally Identifiable or Regulated
Regulated private data includes information defined as private information (i.e., personally identifiable information) in the New York State Information Security Breach and Notification Act: bank account, credit card, or debit card numbers; Social Security Numbers; state-issued drivers’ license numbers; and state-issued non-driver identification numbers. Additionally, the University declares certain information, such as administrative authentication credentials, to be Category 1 data.
The Breach Notification Act requires that the University must disclose any breach of the data to NY residents. (State entities must also notify non-residents; see Information Security Policy P03-002 V3.3, Part 12: http://its.ny.gov/document/information-security-policy.)
Regulated protected data includes data protected by state, federal, and business regulations. This includes FERPA-protected educational records, protected health information (HIPAA), and other regulated information such as that defined in the Payment Card Industry Data Security Standard (PCI-DSS), the Gramm-Leach-Bliley Act, the FTC’s Red Flag Rules, the EU’s General Data Protection Regulation (GDPR), federal Controlled but Unclassified Information (CUI), etc.
Note that Category 1 data is exempt from disclosure/release under the NY State Freedom of Information Law (FOIL) (http://www.dos.ny.gov/coog/foil2.html). Such data must be appropriately protected to ensure that it is not disclosed in a FOIL request. FOIL excludes data that if disclosed would constitute an unwarranted invasion of personal privacy. Specific details on FOIL-excluded data are provided in the Appendix.
Category 2: Internal Use Data - Includes University non-public data not included in Category 1 (Personally Identifiable or Regulated). Internal Use data includes the Albany ID/Empl ID, licensed software, as well as University business records, intellectual property, certain types of information that would constitute an unwarranted invasion of personal privacy, and any non-public data that would generally require a FOIL request prior to release.
Category 3: Public Data - General access data, such as that available on unauthenticated portions of www.albany.edu; Category 3 data has no special requirements for protecting confidentiality.