The purpose of this policy is to define the data classification requirements for information assets and to ensure that data is secured and handled according to its sensitivity and the negative impact that theft, corruption, loss or exposure would have on the institution.
This policy has been developed to assist, provide direction to and govern all entities of Hamilton College regarding identification, classification and handling of information assets.
The scope of this policy includes all information assets governed by Hamilton College. All personnel and third parties who have access to or utilize Hamilton College information assets, including data at rest, in transit or in process shall be subject to these requirements.
Policy Revision History
Last revised, September 2016
Hamilton College has established the following requirements regarding the classification of data to protect information:
Data Ownership and Accountability
Data owners are identified as the individuals, roles or committees primarily responsible for information assets, in digital or physical form.
Data owners are responsible for identifying the organization’s information assets and for maintaining an accurate and complete inventory of them for data classification and handling purposes.
Data owners are accountable for ensuring that information assets receive an initial classification upon creation and a re-classification whenever reasonable. Re-classification of an information asset should be performed whenever the asset is significantly modified.
Data owners are responsible for reporting deficiencies in security controls to management.
Classification of data will be based on the specific, finite criteria as identified in the Federal Information Processing Standard Publication 199 (FIPS-199) for confidentiality, integrity and availability. Data classifications will be defined as follows:
- HIGH - Information assets whose loss, corruption, or unauthorized disclosure would have SEVERE IMPACT on the Campus’ reputation, cause financial loss, or result in regulatory or government sanctions, such as violations of federal or state laws or security breaches that result in the compromise of customer or associate private information. Common examples include, but are not limited to, banking and health information, credit card holder data, SSNs, faculty and staff personnel records, and information systems’ authentication data.
- MODERATE - Information assets whose loss, corruption, or unauthorized disclosure would have LIMITED IMPACT on business functions but that are otherwise private. Examples include contracts and legal information and institutional research data.
- LOW - Information assets whose loss, corruption, or unauthorized disclosure would have MINIMAL or NO IMPACT on business functions. Examples include sales and marketing strategies, web site content, building plans and promotional information, and student directory information as prescribed by FERPA.
- Unclassified - Information assets that have not yet been classified. All information assets default to this state prior to classification.
- PROHIBITED - Information assets whose creation, storage, processing or transmission is not permitted.
The classification of data elements will be based on the Data Classification and Handling Procedure.
Information assets shall be handled according to their prescribed classification, including access controls, labeling, retention policies and destruction methods. The Quick Reference has been developed to assist faculty, staff and students in identifying appropriate ways to use and store institutional information.
A re-evaluation of classified data assets will be performed at least once per year. Re-classification of data assets should be considered whenever the data asset is modified, retired or destroyed.
Assets, logical or physical, that “contain” a data asset may inherit their classification from the data asset(s) contained therein. In these cases, the inherited classification shall be the highest classification of any contained data asset.
Users who violate this policy may be denied access to the institution’s resources and may be subject to penalties and disciplinary action, both within and outside of the institution. The institution may temporarily suspend or block access to an account, prior to the initiation or completion of such procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of institution or other computing resources or to protect the institution from liability.
Exceptions to this policy must be approved in advance by the Information Security Board of Review (ISBR). Approved exceptions must be reviewed and re-approved not less than annually.
Last updated: March 23, 2018