C. Information Classification Policy
1. Purpose
This policy informs all 绿巨人视频 (绿巨人视频) community members of their responsibilities related to maintaining the privacy and security of institutional information. To effectively safeguard institutional information, the 绿巨人视频 community must have a shared understanding of what needs to be protected and what kind of protection is required for different types of institutional information.
To facilitate that shared understanding, this Policy establishes a model for the classification of institutional information that defines each classification and provides examples of the kind of information associated with each classification. This model shall be used by all 绿巨人视频 institutions to classify information. The classifications defined here form the foundation for any other policies or standards pertaining to the protection of information.
This policy and the related Information Handling Standards define the minimum requirements for each information classification tier.
2. Scope
This policy applies to all institutional information, regardless of storage format (e.g. data/digital, paper).
3. Audience
All 绿巨人视频 community members should understand this policy and how it applies to the institutional information they access and use.
4. Policy Statement
All 绿巨人视频 and component institution information shall be protected appropriately based on the classification of that information. Institutional information shall only be shared between, and released to, authorized parties when there is a need to know, and as necessary, to execute job-related duties in alignment with established information handling standards.
4.1 Classification Structure
To facilitate the development and communication of clear standards, processes, and procedures for implementing the appropriate security controls for each type of institutional information, the Information Classification Model is separated into distinct tiers. Each tier in the model encompasses specific types of institutional information which require that level of protection.
4.2 Tier 4 - Restricted Information
4.2.1 Information is restricted if protection is:
- legally defined
- required by federal and/or state law (excluding FERPA)
- required by contract or industry standard
4.2.2 Additionally, information can be designated as Restricted by the data steward of that information.
4.2.3 If compromised or exposed, Restricted information could result in significant institutional cost, harm to institutional reputation, and/or unacceptable disruption of the institution's ability to meet its mission.
4.2.4 Examples of Restricted Information
4.2.4.1 SSNs and other personally identifiable information as defined by state of NH reporting requirements
4.2.4.2 Electronic Protected Health Information (ePHI) or non-electronic Protected Health Information (PHI) as defined by HIPAA
4.2.4.3 Research information that contractually requires specific security or privacy controls
4.2.4.4 Information protected by PCI-DSS
4.2.4.5 Information protected by FMLA and GLBA
4.2.4.6 Information protected through "Affirmative Action" and/or "disability regulation"
4.2.4.7 Information technology infrastructure, design, security, and authentication stores
4.3 Tier 3 - Protected Information
4.3.1 Information is protected if privacy controls are required by regulation or law but required protections do not rise to the level of those mandated for Restricted Information.
4.3.2 If compromised or exposed, Protected information may result in serious institutional cost, harm to institutional reputation, and/or unacceptable disruption of the institution's ability to meet its mission.
4.3.3 Examples of Protected Information
4.3.3.1 Information protected by FERPA
4.3.3.2 Library information
4.3.3.3 Research information that requires protection by contract
4.4 Tier 2 - Sensitive Information
4.4.1 Information is sensitive if controlled access is required by institutional policy, by the data steward, by contract, for ethical reasons, and/or if it is at high risk of damage or inappropriate access.
4.4.2 It includes information which, if compromised, could result in high institutional cost, harm to clients, harm to institutional reputation or unacceptable disruption of the institution's ability to meet its mission.
4.4.3 It includes other information explicitly identified as requiring controlled access, but that does not require the level of protection dictated in the higher tiers. Any institutional information that has not been designated as falling under another tier shall be considered sensitive.
4.4.4 Examples of Sensitive Information
4.4.4.1 Directory information as defined by the institution or by regulation
4.4.4.2 Intellectual property
4.4.4.3 Fundraising data
4.5 Tier 1 - Public Information
4.5.1 Information is public if it is explicitly identified as public by the data steward responsible for that information. It includes information that may be provided to anyone without any further oversight.
4.5.2 Examples of Public Information
4.5.2.1 Contact information of employees that is approved for publication in the public directory
4.5.2.2 Campus map that has been explicitly approved for public display
4.5.2.3 Academic calendar that has been explicitly approved for public display
4.6 Information Handling Requirements
4.6.1 With the input, oversight, and approval of the institutional data stewards, Cybersecurity & Networking shall be responsible for the development, publication, and maintenance of Standards defining the required security controls for each of the defined tiers.
4.6.2 Administrative, academic, and business units shall be responsible for the development and maintenance of clear and consistent information handling procedures, aligned with those Standards, in support of operations and business processes that involve the collection, access, use, processing, storage, or transmission of institutional information.
4.7 Clarification on Classification
4.7.1 While designated Data Stewards at each institution are responsible for determining the appropriate classification for the information under their stewardship, Cybersecurity & Networking is the central point of contact for questions about or clarification on the appropriate classification of a specific type of information or data element and for the required security controls for each classification.
5. Enforcement
Failure to comply with this policy puts the University System, its component institutions, and its information and information technology resources at risk and may result in disciplinary action. Disciplinary procedures will be appropriate for the individual responsible for non-compliance (e.g., students, faculty, staff, vendors) as outlined in the relevant institutional regulations for that individual (e.g., student conduct and/or applicable personnel policies).
Non-compliant technology and/or activities may be mitigated as deemed necessary by the Chief Information Officer and/or Chief Information Security Officer.
Employees who are members of institutionally recognized bargaining units are covered by the disciplinary provisions set forth in the agreement for their bargaining units.
6. Exceptions
Requests for exceptions to this policy shall be submitted and approved according to the requirements provided in the 绿巨人视频 Cybersecurity Exception Standard.
7. Roles and Responsibilities
7.1 Administrative, Academic, and Business Units
7.1.1 Develop and maintain clear and consistent information handling procedures, aligned with the published Information Handling Standards, in support of operations and business processes that involve the collection, access, use, processing, storage, or transmission of institutional information.
7.2 Cybersecurity & Networking
7.2.1 Develop standards defining required security controls for each Classification Tier defined in this Policy.
7.2.2 Provide guidance to 绿巨人视频 community members on the Information Classification Model.
7.3 Data/Information Stewards
7.3.1 Determine the appropriate classification for each type of information under their purview.
7.4 绿巨人视频 Community Members
7.4.1 Understand the classification of all institutional information with which they interact.
8. Definitions
See the ET&S Policy & Standard Glossary for full definitions of each term.
- Chief Information Officer (CIO)
- Chief Information Security Officer (CISO)
- Data/Information Steward
- Exception
- FERPA
- GLBA
- HIPAA
- Information
- Institutional Information
- PCI-DSS
- Policy
- Procedure
- Protected Information
- Public Information
- Restricted Information
- Security Control
- Sensitive Information
- Standard
- 绿巨人视频 Community Member
CONTACT INFORMATION
For 绿巨人视频 community members: Questions about this Policy, requests for additional information or training, or reports of violations can be directed to Cybersecurity Governance, Risk, and Compliance (GRC) via this .
All other requests can be submitted here: .