The purpose of this policy is to define the data classification requirements for information assets and to ensure that data is secured and handled according to its sensitivity and the negative impact that theft, corruption, loss or exposure would have on the institution.
This policy has been developed to assist, provide direction to and govern all entities of Hamilton College regarding identification, classification and handling of information assets.
The scope of this policy includes all information assets governed by Hamilton College. All personnel and third parties who have access to or utilize Hamilton College information assets, including data at rest, in transit or in process shall be subject to these requirements.
Last updated: September 6, 2022
All institutional data shall be protected in a manner that is reasonable and appropriate, as defined in documentation approved by the Enterprise Information Committee, given the level of sensitivity, value and criticality that the institutional data has to the College. Hamilton College has established the following requirements regarding the classification of data to protect information:
Data Roles and Accountability
The following roles are defined at Hamilton College.
Data stewards are the individuals, roles or committees primarily responsible for information assets, in digital or physical form; they are accountable for the risk to those assets and for determining appropriate access to the data.
Data stewards are responsible for identifying the organization’s information assets and maintaining an accurate and complete inventory of them for data classification and handling purposes, for working with the Information Security Officer to ensure an accurate annual review of the College’s data inventory, and for ensuring that the College’s Data Retention Schedule is reviewed annually and followed.
Data stewards are accountable for ensuring that information assets receive an initial classification upon creation and a re-classification whenever reasonable. Re-classification of an information asset should be performed whenever the asset is significantly modified.
Data stewards are responsible for reporting deficiencies in security controls to the Information Security Officer for rectification.
The Data Governance Subcommittee fulfils the role of data steward at Hamilton College. The Data Governance Subcommittee is overseen by the Enterprise Information Committee.
Data Custodians are responsible for the technical control of data, including security, scalability, configuration management, availability, accuracy, consistency, audit trail, backup and restore, technical standards, policies, and rule implementation.
Data Custodians define the meaning and correct usage of data and specify the data controls and the content and metadata management that apply to a set of data assets. Data stewards work with stakeholders to develop definitions, standards and data controls.
System and network administrators who have access to technical controls are considered data custodians and have an obligation to work with data owners on requests for access to or transfer of College-owned data.
Classification of data will be based on the specific, finite criteria as identified in the Federal Information Processing Standard Publication 199 (FIPS-199) for confidentiality, integrity and availability. Data classifications will be defined as follows:
- RESTRICTED – Information assets whose loss, corruption, or unauthorized disclosure would have a CATASTROPHIC or SEVERE IMPACT on the College’s reputation, cause financial loss, or result in regulatory or government sanctions such as violations of federal or state laws, or in security breaches that compromise customer or associate private information. Information of this type requires significantly more security controls for accessing, storing or processing. Common examples include, but are not limited to, banking and health information (as protected by HIPAA), SSNs, and information systems’ authentication data.
- HIGH – Information assets whose loss, corruption, or unauthorized disclosure would have SERIOUS IMPACT (as defined in Appendix A of the Hamilton College Data Classification Procedure) on the Campus’ reputation, cause financial loss, or result in regulatory or government sanctions such as violations of federal or state laws, or in security breaches that compromise customer or associate private information. Common examples include, but are not limited to, health and education records (as protected by FERPA), faculty and staff personnel records, and sensitive network or information system documentation.
- MODERATE – Information assets whose loss, corruption, or unauthorized disclosure would have LIMITED IMPACT on business functions but that are otherwise private. Examples include contracts and legal information and institutional research data.
- LOW – Information assets whose loss, corruption, or unauthorized disclosure would have MINIMAL or NO IMPACT on business functions. Examples include sales and marketing strategies, website content, building plans and promotional information, and student directory information as prescribed by FERPA.
- Unclassified - Information assets that have not yet been classified. All information assets default to this state prior to classification.
- PROHIBITED - Information assets whose creation, storage, processing or transmission are not permitted.
The classification of data elements will be based on the Data Classification and Handling Procedure.
Information assets shall be handled according to their prescribed classification, including access controls, labeling, retention policies and destruction methods. The specific methods must be described in an official Data Classification and Handling Procedure.
Any information system that stores, processes or transmits institutional data shall be secured in a manner that is considered reasonable and appropriate to the data classification. Individuals who are authorized to access institutional data shall adhere to the guidelines set forth in the documentation approved by the Enterprise Information Committee.
The Quick Reference has been developed to assist faculty, staff and students in identifying appropriate ways to use and store institutional information.
A re-evaluation of classified data assets will be performed at least once per year. Re-classification of data assets should be considered whenever the data asset is modified, retired or destroyed.
Assets, logical or physical, that “contain” a data asset may inherit classification from the data asset(s) contained therein. In these cases, the inherited classification shall be the highest classification of all contained data assets.
Any third party providers or vendors that will collect, store, or process data on behalf of the College must be vetted to ensure their ability to protect the confidentiality, integrity and availability of College data. This vetting is done through the vendor assessment process, managed by the Information Security Officer in coordination with the Auxiliary Services Office.
The Data Governance Subcommittee advises the Enterprise Information Council on requests for access to or transfer of College data. Ultimate authority for data requests rests with the Vice President of the division that stewards the data, under advice from the Enterprise Information Council, Data Governance Subcommittee, and Information Security Officer.
Users who violate this policy may be denied access to the institution’s resources and may be subject to penalties and disciplinary action, both within and outside of the institution. The institution may temporarily suspend or block access to an account, prior to the initiation or completion of such procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of institution or other computing resources or to protect the institution from liability.
Exceptions to this policy must be approved in advance by the Information Security Officer, Data Steward responsible for oversight of the requested data, and the Chair of the Enterprise Information Committee. Approved exceptions must be reviewed and re-approved not less than annually.
Last Reviewed: February 4, 2021