IS-1014 Data Classification and Handling (Policy)

Communications

Release Date: 10/21/09

Administrative Directive

Summary

This administrative directive identifies CNM's critical data/information, gives assistance to properly classify data, and provides requirements for the proper handling of College data.  It includes all data produced, collected or used by CNM employees or consultants during the course of College business.

Applicability

This administrative directive is applicable to all individuals who handle CNM data/information.  Every user of any of CNM's information resources and systems has responsibility toward the protection of the College's data/information; certain offices and individuals have very specific responsibilities.

1.      Purpose

The purpose of this administrative directive is to (a) identify the different types of CNM information/data, giving examples of each data classification type, (b) provide assistance with the selection of the appropriate data classification, and (c) facilitate the appropriate handling of College data.

2.      Background

CNM takes seriously its commitment to respect and protect the privacy of its students, alumni, and employees, as well as to protect the confidentiality of information important to the College.   For that reason, CNM has identified three categories of data: Restricted, Sensitive, and Public.  The categories are described in the table within Section 4 below.

3.      Handling of Data

Always consider who will have access to data when storing or sending/transmitting data via email, particularly when the data will leave CNM's network.  Also, before storing data on portable media devices (e.g., flash drives…) consider the protection/control of the data, particularly if it is classified restricted or sensitive.  If you are ever in doubt, ask your manager/supervisor or the Office of Planning, Budget and Institutional Research, serving as CNM's Data Steward.

Note that the Office of Planning, Budget and Institutional Research is responsible for approving the release of any data/information outside the College.  However, all information that is requested under the "Inspection of Business Records Act" will be submitted to and approved by the VP for Administrative Services, serving in the role of Records Custodian for CNM.

4.      Classification of Data

The following is not intended to be an all-inclusive list.  If in doubt, ask your manager/supervisor or CNM's "Data Steward", the Office of Planning, Budget and Institutional Research at 224-3450.

Categories: Restricted, Sensitive, Public

Regulation/Legal Requirements
  Restricted: Protection of data is required by regulation (e.g., FERPA, Privacy Law, FTC Red Flag Rules, PCI-DSS)
  Sensitive: Protection of data is dictated by CNM
  Public: Protection of data is at the discretion of the owner or custodian

Potential Loss Impact
  Restricted: High
  Sensitive: Medium
  Public: Low

Threats
  Restricted: Severe, not recoverable, affects the entire College. Threat to:
    • Accreditation
    • CNM's reputation
    • Financial loss
    • Validity of CNM degrees
    • Ability to function
    • Enrollment
    • Ability to fulfill mission
  Sensitive: Inconvenient, but recoverable, affects some functions of the College
  Public: Brief inconvenience, can recover quickly, might not be noticeable, affects a few people

Description
  Restricted: Information which provides access to resources, physical or virtual
  Sensitive: Smaller subsets of protected data from a school or department
  Public: General College information

Authorized Access
  Restricted: Only those individuals designated with approved access, signed non-disclosure agreements, and required training
  Sensitive: CNM employees and non-employees who have a business need to know
  Public: CNM affiliates and general public with a need to know

Examples
  Restricted:
    • Social Security Numbers
    • Credit Card #'s
    • Financial Account #'s (e.g., checking…)
    • FERPA regulated data
    • IT Data (Configurations)
    • Employee Data
    • Donor Data
  Sensitive:
    • Information Resources with access to restricted data
    • Library transactions (e.g., catalog, circulation, acquisitions)
    • Financial transactions which do not include restricted data (e.g., telephone billing)
    • Donor contact information and non-public gift amounts
    • Privileged attorney-client communications
    • Non-public CNM policies & policy manuals
    • CNM internal memos and Email, & non-public reports, budgets, plans, and financial information
    • Non-public contracts
    • College & employee ID numbers
    • Evaluation Materials
  Public:
    • Course Content
    • Grading Procedures
    • Syllabi
    • Homework Assignments
    • Campus Maps
    • Business contact data (e.g., directory information)
    • Email addresses
    • Purchasing: RFP's, RFQ's


5.  Applicable Regulations (not designed to be an all-inclusive list)



Forms:

Not Applicable

Support Materials:

Not Applicable

Reference Materials:

Not Applicable