4CE53030-CF0C-67E7-7D845E0B5CDEC0DD
93B7E9D3-05F7-5874-B68CD332C854FA6A

Data Classification


Purpose

The purpose of this policy is to define the data classification requirements for information assets and to ensure that data is secured and handled according to its sensitivity and the negative impact that theft, corruption, loss or exposure would have on the institution.

This policy has been developed to assist, provide direction to and govern all entities of Hamilton College regarding identification, classification and handling of information assets.

Scope

The scope of this policy includes all information assets governed by Hamilton College. All personnel and third parties who have access to or utilize Hamilton College information assets, including data at rest, in transit or in process shall be subject to these requirements.

policy revision history

Last revised, September 2016

Central Information Services

Requirements

Hamilton College has established the following requirements regarding the classification of data to protect information:

Data Ownership and Accountability

Data owners are identified as the individuals, roles or committees primarily responsible for information assets, in digital or physical form.

Data owners are responsible for identification of the organization’s information assets and maintaining an accurate and complete inventory for data classification and handling purposes.

Data owners are accountable for ensuring that information assets receive an initial classification upon creation and a re-classification whenever reasonable. Re-classification of an information asset should be performed whenever the asset is significantly modified.

Data owners are responsible for reporting deficiencies in security controls to management.

Data Classification

Classification of data will be based on the specific, finite criteria as identified in the Federal Information Processing Standard Publication 199 (FIPS-199) for confidentiality, integrity and availability. Data classifications will be defined as follows:

  • HIGH - Information assets whose loss, corruption, or unauthorized disclosure would have SEVERE IMPACT to the Campus' reputation, cause financial loss or would result in regulatory or government sanctions such as violations of federal or state laws or security breaches that result in the compromise of customer or associate private information. Common examples include but are not limited to, banking and health information, credit card holder data, SSN’s, faculty and staff personnel records, and information systems’ authentication data.
  • MODERATE - Information assets whose loss, corruption, or unauthorized disclosure would have LIMITED IMPACT to business functions but is otherwise private. Examples include contracts and legal information and institutional research data.
  • LOW- Information assets whose loss, corruption, or unauthorized disclosure would have MINIMAL or NO IMPACT to business functions. Examples include sales and marketing strategies, web site content, building plans and promotional information, student directory information as prescribed by FERPA.
  • Unclassified - Information assets that have not yet been classified. All information assets default to this state prior to classification.
  • PROHIBITED - Information assets whose creation, storage, processing or transmission are not permitted.

The classification of data elements will be based on the Data Classification and Handling Procedure.

Data Handling

Information assets shall be handled according to their prescribed classification, including access controls, labeling, retention policies and destruction methods. The Quick Reference has been developed to assist faculty, staff and students in identifying appropriate ways to use and store institutional information.

RE-CLASSIFICATION

A re-evaluation of classified data assets will be performed at least once per year. Re-classification of data assets should be considered whenever the data asset is modified, retired or destroyed.

CLASSIFICATION INHERITANCE

Assets, logical or physical, that “contain” a data asset may inherit classification from the data asset(s) contained therein. In these cases, the inherited classification shall be the highest classification of all contained data assets.

Enforcement

Users who violate this policy may be denied access to the institution’s resources and may be subject to penalties and disciplinary action, both within and outside of the institution. The institution may temporarily suspend or block access to an account, prior to the initiation or completion of such procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of institution or other computing resources or to protect the institution from liability.

EXCEPTIONS

Exceptions to this policy must be approved in advance by the Information Security Board of Review (ISBR). Approved exceptions must be reviewed and re-approved not less than annually.

Last updated: March 23, 2018

Back to Top