SENSITIVE FILE STORAGE AND EMAIL USAGE POLICY
Purpose:
The purpose of this policy is to ensure that sensitive and confidential information is stored and managed in a secure and controlled manner, in accordance with the organization's security standards and legal and regulatory requirements. This policy establishes the procedures and guidelines for the storage, access, and disposal of sensitive and confidential information, as well as the appropriate use of email for storing and transmitting information.
Scope:
This policy applies to all employees, contractors, and third-party individuals who use computing equipment owned or operated by the organization, including but not limited to laptops, desktops, servers, and mobile devices.
Policy Requirements:
Definition of Sensitive Information: Sensitive information includes, but is not limited to, personally identifiable information (PII), confidential business information, financial information, intellectual property, and other sensitive data that requires protection to maintain the privacy and security of individuals, the organization, and its customers and partners.
Storage Requirements: Sensitive information must be stored on designated secure file servers, cloud-based storage solutions, or other secure storage devices that have been approved by the IT security team. Portable storage devices, such as USB drives or external hard drives, may only be used for temporary storage and must be encrypted and securely disposed of when no longer needed.
Email Usage: Email must not be used as a storage location for sensitive information. Sensitive information should not be sent via email, unless it has been encrypted and is being transmitted to a secure recipient. Email should only be used for transmitting information that does not require protection or that has been properly secured.
Access Controls: Access to sensitive information must be limited to those individuals who have a legitimate business need and who have been granted the appropriate level of access privileges by the IT security team. Access privileges must be reviewed and revoked on a regular basis to ensure that only those who need access have it.
Encryption: Sensitive information must be encrypted in transit and at rest, using approved encryption algorithms and protocols. Encryption keys must be securely managed and stored, and access to encryption keys must be limited to authorized personnel only.
Backup and Recovery: Sensitive information must be backed up regularly, in accordance with the organization's disaster recovery and business continuity plans, to ensure that it can be recovered in the event of a data loss or system failure. Backup tapes or other media must be stored securely and encrypted, if necessary.
Disposal: When sensitive information is no longer needed, it must be securely disposed of in accordance with the organization's information disposal policy. This may include securely wiping or physically destroying hard drives, tapes, or other storage media, as appropriate.
Non-Compliance: Failure to comply with this policy may result in disciplinary action, up to and including termination of employment or contract.
Enforcement:
The IT security team is responsible for enforcing this policy and ensuring that all employees, contractors, and third-party individuals are aware of and comply with the procedures for storing and managing sensitive information. Regular training and awareness programs will be conducted to educate users on the importance of protecting sensitive information and the procedures for storing and accessing sensitive files, as well as the appropriate use of email.
SENSITIVE FILE STORAGE POLICY
Purpose:
The purpose of this policy is to ensure that sensitive and confidential information is stored and managed in a secure and controlled manner, in accordance with the organization's security standards and legal and regulatory requirements. This policy establishes the procedures and guidelines for the storage, access, and disposal of sensitive and confidential information.
Scope:
This policy applies to all employees, contractors, and third-party individuals who use computing equipment owned or operated by the organization, including but not limited to laptops, desktops, servers, and mobile devices.
Policy Requirements:
Definition of Sensitive Information: Sensitive information includes, but is not limited to, personally identifiable information (PII), confidential business information, financial information, intellectual property, and other sensitive data that requires protection to maintain the privacy and security of individuals, the organization, and its customers and partners.
Storage Requirements: Sensitive information must be stored on designated secure file servers, cloud-based storage solutions, or other secure storage devices that have been approved by the IT security team. Portable storage devices, such as USB drives or external hard drives, may only be used for temporary storage and must be encrypted and securely disposed of when no longer needed.
Access Controls: Access to sensitive information must be limited to those individuals who have a legitimate business need and who have been granted the appropriate level of access privileges by the IT security team. Access privileges must be reviewed and revoked on a regular basis to ensure that only those who need access have it.
Encryption: Sensitive information must be encrypted in transit and at rest, using approved encryption algorithms and protocols. Encryption keys must be securely managed and stored, and access to encryption keys must be limited to authorized personnel only.
Backup and Recovery: Sensitive information must be backed up regularly, in accordance with the organization's disaster recovery and business continuity plans, to ensure that it can be recovered in the event of a data loss or system failure. Backup tapes or other media must be stored securely and encrypted, if necessary.
Disposal: When sensitive information is no longer needed, it must be securely disposed of in accordance with the organization's information disposal policy. This may include securely wiping or physically destroying hard drives, tapes, or other storage media, as appropriate.
Non-Compliance: Failure to comply with this policy may result in disciplinary action, up to and including termination of employment or contract.
Enforcement:
The IT security team is responsible for enforcing this policy and ensuring that all employees, contractors, and third-party individuals are aware of and comply with the procedures for storing and managing sensitive information. Regular training and awareness programs will be conducted to educate users on the importance of protecting sensitive information and the procedures for storing and accessing sensitive files.
The purpose of this policy is to establish a framework for classifying and handling data based on its level of sensitivity. Classification of data will determine the baseline security controls for the protection of data. This policy applies to all Snow College employees who access, process, or store sensitive Snow College data.
2.1 Personally Identifiable Information (PII) – Any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to Snow College.
2.2 Sensitive PII - Includes, but is not limited to, social security numbers, driver’s license numbers, financial or medical records, biometrics, or criminal history. This data requires stricter handling guidelines because of the increased risk to an individual if the data is compromised.
2.3 Data Owner - An individual or group of people who have been officially designated as accountable for specific data that is transmitted, used, and stored on a system or systems within a department, college, school, or administrative unit of Snow College.
2.4 Data Custodian - Employee of the college who has administrative and/or operational responsibility over information assets.
2.5 Institutional Data - All data owned or licensed by Snow College.
2.6 Information Assets - Definable pieces of information in any form, recorded or stored on any media that is recognized as “valuable” to the college.
2.7 Non-Public Information - Any information that is classified as internal or private according to the data classification scheme.
3.1. Data classification, in the context of Information Security, is the classification of data based on its level of sensitivity and the impact to the organization should that data be disclosed, altered, or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of three sensitivity levels (tiers), or classifications:
3.1.1 Personally Identifiable Information (PII) - Unauthorized disclosure, alteration or destruction of this type of data could cause a significant level of risk to Snow College or its affiliates. The impact of this type of data is critical, and the data needs to be protected.
3.1.2 Internal Data - Unauthorized disclosure, alteration or destruction of this type of data could result in a moderate level of risk to Snow College or its affiliates. The risk for negative impact on the college should this information is typically moderate. Examples of internal data include official college records such as financial reports, purchase orders, processes, and some research data.
3.1.3 Public Data - Unauthorized disclosure, alteration or destruction of this type of data would result in little or no risk to Snow College and its affiliates.
3.2. Determining Classification
3.2.1. The goal of information security, as stated in the College’s Information Security Policy, is to protect the confidentiality, integrity and availability of information assets and systems. Data classification reflects the level of impact to the College if confidentiality, integrity or availability of the data is compromised.
3.3. Data Handling Requirements
3.3.1. For each classification, several data handling requirements are defined to appropriately safeguard the information. It's important to understand that overall sensitivity of institutional data encompasses not only its confidentiality but also the need for integrity and availability.
3.3.2. The attached table defines required safeguards for protecting data and data collections based on their classification. In addition to the following data security standards, any data covered by federal or state laws or regulations or contractual agreements must meet the security requirements defined by those laws, regulations, or contracts.
3.3.3. Predefined Types of PII Information Assets. Based upon state, federal, and contractual requirements that Snow College is bound by, the following information assets have been predefined as PII data and must be protected.
3.3.3.1. Personally Identifiable Education Records. Covered under FERPA.
Personally Identifiable Education Records are defined as any education records that contain one or more of the following personal identifiers:
• Student Badger ID Number
• Grades, GPA, Credits Enrolled
• Social Security Number
• A list of personal characteristics or any other information that would make the student's identity easily traceable
3.3.3.2. Personally Identifiable Financial Information (PIFI). Covered under GLBA. For the purpose of meeting security breach notification requirements, PII is defined as a person's first name or first initial and last name in combination with one or more of the following data elements:
• Social security number
• State-issued driver's license number
• Date of Birth
• Financial account number in combination with a security code, access code or password that would permit access to the account
3.3.3.3. Payment Card Information. Covered under PCI DSS. Payment card information is defined as a credit card number (also referred to as a primary account number or PAN) in combination with one or more of the following data elements:
• Cardholder name
• Service code
• Expiration date
• CVC2, CVV2 or CID value
• PIN or PIN block
• Contents of a credit card's magnetic stripe
• Contents of Card Chip
3.3.3.4. Protected Health Information (PHI). Covered under HIPAA. PHI is defined as any individually identifiable information that is stored by a covered entity, and related to one or more of the following:
• Past, present or future physical or mental health condition of an individual.
• Provision of health care to an individual.
• Past, present or future payment for the provision of health care to an individual
• PHI is considered individually identifiable if it contains one or more of the following identifiers:
◦ Name
◦ Address (all geographic subdivisions smaller than state including street address, city, county, precinct or zip code)
◦ All elements of dates (except year) related to an individual including birth date, admissions date, discharge date, date of death and exact age if over 89
◦ Telephone/Fax numbers
◦ Electronic mail addresses
◦ Social security numbers
◦ Medical record numbers
◦ Health plan beneficiary numbers
◦ Account numbers
◦ Certificate/license numbers
◦ Vehicle identifiers and serial numbers, including license plate number
◦ Device identifiers and serial numbers
◦ Universal Resource Locators (URLs)
◦ Internet protocol (IP) addresses
◦ Biometric identifiers, including finger and voice prints
◦ Full face photographic images and any comparable images
◦ Any other unique identifying number or characteristic that could identify an individual
• If the health information does not contain one of the above referenced identifiers and there is no reasonable basis to believe that the information can be used to identify an individual, it is not considered individually identifiable and, as a result, would not be considered PHI.
12.4 Information Security Policy
12.5 Information Technology Acceptable Use Policy
Classification | Definition | Access Restrictions | Transmission | Storage | Disposal |
Public | Information deemed to be public by legislation or policy. Information is in the public domain. Examples include annual reports, public announcements, the telephone directory, and specific categories of employee and student information. | No restrictions on access. | No special handling required. | No special safeguards required. | Media can be recycled. |
Internal Use | Information not approved for general circulation outside the College. Loss would inconvenience the College or management; disclosure is unlikely to result in financial loss or serious damage to credibility. Examples include internal memos, minutes of meetings, internal project reports. | Access limited to employees and other authorized users. | No special handling required. | Access controlled by physical (locks) or electronic (passwords) safeguards. | Shredded or erased media. |
Identifiable Information (PII) | Information that is available only to authorized persons. Loss could seriously impede the College’s operations; disclosure could have a significant financial impact or cause damage to the College’s reputation. Examples include specific categories of employee and student information, unit budgets, accounting information, and information protected by legal privilege. | Access limited to those with a demonstrated need to know and official approval. | Encryption mandatory for public networks. Encryption optional for internal networks. | Access controlled by physical (locks) or electronic (passwords or two-factor authentication) safeguards. | Shredded, degaussed or destroyed. |