Data Classification and Handling Standards

Effective: 6/1/16; ​Reviewed: 10/13/21
Contact: Director of Information Technology

Purpose:
The purpose of this Guideline is to establish a framework for classifying institution data based on its level of sensitivity, value, and criticality to the College. This document also provides baseline security controls for the protection of data.

Data Classification Levels
Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the College should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate to safeguard that data. All institution data should be classified into one of four sensitivity levels that are referred to as Level 1, Level 2, Level 3 and Level 4. All College data should be reviewed on a periodic basis and classified according to its use, sensitivity and importance to the College and in compliance with Federal and/or State laws. The level of security required will depend in part on the effect that unauthorized access or disclosure of those data values would have on College operations, functions, image or reputation, assets, or the privacy of individual members of the College community.

Each level will have a defined risk/sensitivity category indicating the potential harmful impact to the College if the integrity of that resource is compromised:

  • High – An unauthorized disclosure, compromise or destruction would result in severe damage to Jewell, its students, or employees. Violation of statutes, regulations, or other legal obligations, financial loss, damage to Jewell’s reputation, and possible legal action could occur.
  • Medium– An unauthorized disclosure, compromise or destruction would directly or indirectly have an adverse impact on Jewell, its students, or employees. Financial loss, damage to Jewell’s reputation, and possible legal action could occur.
  • Low – Knowledge of this information does not expose Jewell to financial loss, or jeopardize the security of Jewell’s information assets.
  • None – Public data

Classification Level 1: Restricted
Restricted information is maintained by the College that is exempt from disclosure under the provisions of the state or federal laws or by any voluntary industry standards or best practices concerning protection of personally identifiable information that Jewell chooses to follow. Restricted information is information whose unauthorized disclosure, compromise or destruction would result in severe damage to Jewell, its students, or employees. Financial loss, damage to Jewell’s reputation, and possible legal action could occur. Level 1 information is intended solely for use by Jewell employees, its auxiliary employees, contractors, and vendors covered by a confidentiality-security agreement with a business need-to-know. Statutes, regulations, other legal obligations or mandates protect much of this information. Disclosure of Level 1 information to persons outside of the College is governed by specific standards and controls designed to protect the information.

Risk/Sensitivity: High

Examples of Level 1 Information Include:

Personally Identifiable Information (PII)

  • Social Security number and name
  • Birth date combined with last four digits of SSN and name
  • Driver’s license number, state identification card number, and other forms of national or international identification (such as passports, visas, military ID, etc.) in combination with name
  • Email addresses/username with password or security question responses
  • PINs (Personal Identification Numbers)
  • Passwords or login credentials that grant access to level 1 and level 2 data
  • Biometric information (e.g.: fingerprint, voice recording, palm print, iris scan, DNA, or other unique physical representation, with the exception of the fingerprints associated with individual fingerprint readers used for securing laptop or desktop computers)
  • Digital signatures (defined to be an encrypted digital code appended to an electronic document to verify that it was created by a known source and has not been altered)
  • Private key (digital certificate)
  • Form I-9

Financial Information

  • Complete credit card numbers belonging to individual persons with cardholder name
  • Bank account or debit card information in combination with any required security code, access code, or password that would permit access to an individual’s financial account
  • Tax ID with name

Health Information

  • Personal health insurance information
  • Medical records related to an individual
  • FMLA or return to work documents for an individual
  • Workers Compensation Information related to an individual
  • Psychological Assessment and/or Counseling records related to an individual
  • ADA Accommodations/504 plan documentation related to an individual (does not include notification communications to authorized persons)

Rules for Usage of Level 1 Data:
This highly confidential data shall be stored on institutionally supported systems residing on Jewell servers, but not in secondary productivity based software applications (i.e. Word, Excel, Pages, Numbers, etc.). Level 1 data can also reside in approved third party hosted applications, but those applications must be approved by the Director of Information Technology. Hard copy data shall be stored in locked receptacles and rooms. Access to this electronic data shall only be gained through authenticated access on the Jewell network or approved virtual private network (VPN) access. Hard copy data shall only be accessed when business requires such use and all storage receptacles and rooms shall be appropriately designed to all for authorized access only.

To this end, employees shall not store or copy this data to laptop or desktop computers (whether institutionally owned or personally owned, smart phones, USB devices, or other portable media) or personally controlled cloud storage services (i.e. Dropbox, Google Drive, Microsoft SkyDrive, etc.). In addition, this data shall not be transmitted via e-mail, instant message, chat or other social media technologies, with the exception of approved third party vendors with appropriate encryption in place. If data is transmitted on a recurring basis to external vendors, it shall be sent via a secure transmission, such as secure FTP (SFTP). For those instances where restricted information must be shared to remain in compliance with state or federal laws (ex. 403B non-discrimination testing), a Data Policy Exception request should be submitted and reviewed annually with the Director of Information Technology.

Electronic and hard copy data shall be destroyed in accordance with Jewell’s Data Retention and Destruction Policy, and shall be rendered unreadable in paper or electronic form. All departments shall have policies in place and periodically review electronic storage areas and their hard copy storage areas to insure that data is being destroyed in a timely and effective manner.

Classification Level 2: Protected
Protected information must be protected due to proprietary or privacy considerations. Although possibly not specifically protected by statute, regulations, or other legal obligations or mandates, unauthorized use, access, disclosure, acquisition, modification, loss or deletion of information at this level could cause financial loss, damage to Jewell’s reputation, violate an individual’s privacy rights or legal action could occur. Level 2 information is intended for Jewell employees, its auxiliary employees, contractors, and vendors covered by a confidentiality-security agreement with a business need-to-know. Level 2 information concerning a student may be released outside the College only with the explicit approval of the student, except as required by law.

Risk/Sensitivity: Medium

Examples of Level 2 Information Include:

Employee Information (Faculty, Staff)

  • Birth date (full: mm-dd-yy)
  • Birth date (partial: mm-dd only)
  • Birthplace (City, State, and if not USA, Country)
  • Background information (credit checks, criminal background checks, visa numbers)
  • Employee salary and benefit information (unless disclosed by the employee)
  • Employee benefit election information
  • Employment documents (most HR documentation)
  • Employment history
  • Mother’s maiden name
  • Payment history
  • Employee evaluations
  • Promotion and tenure files (i.e. notes relating to tenure decisions)
  • Pre-employment background investigations
  • Race and ethnicity
  • Gender

Student Information (includes current and former students)

  • Birth date (full: mm-dd-yy)
  • Birth date (partial: mm-dd only)
  • Birthplace (City, State, and if not USA, Country)
  • Mother’s maiden name
  • Official grades recorded on a student’s permanent record
  • Race and Ethnicity
  • Gender
  • Standardized Test Scores
  • Advising records
  • Educational services received
  • Disciplinary actions
  • Financial Aid Awards and/or Work Study Earnings

Student Information (prospective students)

  • Birth date (full: mm-dd-yy)
  • Birth date (partial: mm-dd only)
  • Birthplace (City, State, and if not USA, Country)
  • Mother’s maiden name
  • Official grades recorded on a student’s permanent record
  • Race and Ethnicity
  • Gender
  • Standardized Test Scores
  • Educational services received
  • Disciplinary actions
  • Financial Aid Awards

Board of Trustee Records:

  • Meeting minutes
  • Board of Trustee votes
  • Confidential information dispersed at Board meetings and/or shared with Board members

Legal Information

  • Campus attorney-client communications
  • Legal investigations conducted by the College
  • Settlements and claims against the College
  • Contracts with third party vendors
  • Employment severance agreements

Library Information

  • Linking a library user with the specific subject which the library user has requested information or materials.
  • Registration records related to an individual patron information
  • Circulation records related to an individual borrowing particular books and material

Purchasing/Accounts Payable and Financial Information

  • Sealed bids prior to award
  • Identifiable information (purchase order) of the supplier/company
  • Security/Permissions
  • Electronic key access settings and permissions
  • Hard key lock cylinder coding
  • Hard key disbursement log

Board of Trustees Information

  • Birth date (full: mm-dd-yy)
  • Birth date (partial: mm-dd only)
  • Place of birth
  • Mother’s maiden name

College Donor Information

  • Birth date (full: mm-dd-yy)
  • Birth date (partial: mm-dd only)
  • Place of birth
  • Mother’s maiden name
  • Donation if request is for anonymous gift/donation

Alumni

  • Birth date (full: mm-dd-yy)
  • Birth date (partial: mm-dd only)
  • Birthplace (City, State, and if not USA, Country)
  • Mother’s maiden name
  • Official grades recorded on a student’s permanent record
  • Race and Ethnicity
  • Gender

College Research

  • Trade secrets or intellectual property such as research activities

Rules for Usage of Level 2 Data:
Protected data shall be stored on institutionally supported systems residing on Jewell servers, institutionally supported shared drives, institutionally supported application formats such as Microsoft Word, Excel, Pages, Numbers, etc., or approved third party hosted applications. Third Party hosted applications that store Level 2 data must meet Jewell’s third party assurance standard. Protected data can be stored on college-owned laptop, tablet device or desktop computers with encryption or protected password, but shall not be copied to or viewed on non-college computers, smartphones, USB devices, or other portable media or personally owned cloud storage services (i.e. Dropbox, Google Drive, Microsoft SkyDrive, etc.). In unique cases where a personal device needs to be used, a Level 2 Data Personal Device Usage Exemption request must be made to the Director of Information Technology in advance. In addition, this data shall not be transmitted via e-mail externally, instant message, chat or other social media technologies, with the exception of approved third party vendors with appropriate encryption in place. Hard copy data shall be stored in locked receptacles or rooms; offices physically storing this type of data will be asked to document which approach is being used and who has access. Hard copy data shall only be maintained in as few receptacles and rooms as business dictates. Copies of this data shall not generally be made unless business requires it.

Data shall not be transferred via email internally unless encrypted or password protected. If data is transmitted on a recurring basis to external approved third-party vendors, it shall be sent via a secure transmission, such as secure FTP (SFTP).

Electronic data shall be destroyed in accordance with Jewell’s Data Retention and Destruction Policy, and shall be rendered unreadable in paper or electronic form. All departments shall have policies in place and periodically review electronic storage areas and their hard copy storage areas to insure that data is being destroyed in a timely and effective manner.

Classification Level 3:  Internal Use Only
Internal Use Only is information that requires protection from unauthorized use, disclosure, modification, or destruction, but is not subject to any of the items listed in the Level 1 or 2 definitions above.

Risk/Sensitivity: Low
Examples of Level 3 Information Include:

Employee Information

  • Employee identification (EmplID)
  • Home or mailing address
  • Personal telephone numbers
  • Personal email address
  • Parents and other family members’ names
  • Emergency contact names and telephone numbers
  • Marital status
  • Personal characteristics (e.g., hobbies)
  • Physical description
  • Electronic or digitized signature

Student Information (includes current and former students)

  • Courses taken
  • Course Schedule
  • All student directory information listed in Level 4 for a student who requests confidentiality, commonly know as setting a FERPA flag.

Student Information (prospective students)

  • Courses taken
  • Course Schedule

Academic Information

  • Faculty grade worksheets (i.e. Files used to track student grading prior to submitting to the Registrar’s Office)

Facilities Information

  • Construction drawings of existing campus buildings
  • Electronic blueprints/ site maps
  • Building maps
  • Donor/ Grant funded project information
  • Bids/Proposals/Estimates from external vendors or suppliers
  • Internal project bids/proposals/estimates
  • Photos used for project bids/proposals/estimates
  • Hazardous Material/ Chemical inventories
  • Job, project, or work planning calendars
  • Maps of Campus utility systems
  • Other detailed drawings of sensitive campus facilities

Legal Information

  • Accident reports and investigations
  • Individual Safety/ Security/ Incident Reports

Purchasing/Accounts Payable and Financial Information

  • Financial operating information
  • Purchase order information
  • Department level budget information

College Donor Information

  • Home or mailing address
  • Personal telephone numbers
  • Personal email address
  • Donation if request is for anonymous gift/donation

College Research

  • Trade secrets or intellectual property such as research activities
  • Information covered by a specific non-disclosure agreement

Technical Security Information

Other Information

  • Location of critical or protected assets
  • Licensed software

Rules for Usage of Level 3 Data:

Internal Use data can be stored in institutionally supported systems and applications located on Jewell’s servers, institutionally supported shared drives, third party hosted applications and laptop or desktop computers (both Jewell issued and personally owned). This data can be copied to smartphones, USB devices or other portable media. Hard copy data shall be maintained in as few receptacles and rooms as business dictates. Copies of this data shall not generally be made unless business requires it.

To this end, employees are permitted to transmit this data via unencrypted email. Electronic data can be destroyed using traditional application delete functionality. Hard copy information can be destroyed in accordance with an employee’s personal or departmental policy.

Classification Level 4: Unrestricted
Unrestricted is explicitly defined as public information, intended to be readily available to individuals both on- and off- campus (e.g., an employee’s work email addresses), or not specifically classified elsewhere in the protected information classification standard.  Knowledge of this information does not expose Jewell to financial loss, or jeopardize the security of Jewell’s assets.  Publicly Available information may be subject to appropriate campus review, facilities’ procedures, employee’s procedures, or student’s procedures to mitigate potential risks of inappropriate disclosure.

Risk/Sensitivity: None

Examples of Level 4 Information Include:

Student Information (Directory Information)

  • Name
  • Student Identification (JewellID)
  • Major Field(s) of Study
  • Participation in officially recognized sports/activities
  • Weight and Height of athletic team members
  • Dates of Attendance
  • Full or Part-time status
  • Enrollment classification
  • Degrees, honors and awards received
  • Campus E-mail address
  • Personal E-mail address
  • Most recent or previous college/university/agency attended
  • Local and permanent addresses
  • Telephone listings (home and cell)
  • Likeness used in college publications including photographs

Note: If the student has requested confidentiality this information is no longer public for that student (this is commonly known as setting their FERPA flag) and will be considered Level 3: Internal Use Only information.

Employee Information

  • Employee title
  • Employee work email address
  • Employee work location and telephone number
  • Employing department
  • Employee classification
  • Name (first, middle, last) (except when associated with protected information)
  • Likeness used in college publications including photographs

Board of Trustees Information

  • Name (first, middle, last)

College Donor Information

  • Name (first, middle, last)
  • Graduation year
  • Address (city and state only)

Facilities Information

  • Campus maps

Financial Information

  • Audited Financial Statements

Legal Information

  • Safety Incident Log