The proposed ̾Ƶ Information Classification Policy replaces the existing ̾Ƶ Data Classification Policy as well as existing policy provisions from institution level policies ensuring all ̾Ƶ institutions and community members are using the same classification structure for institutional information.
You can review the proposed ̾Ƶ Information Classification Policy here.
This Policy is currently open for Public Comment. You can submit feedback, questions, or comments here.
MAPPING TO CURRENT POLICIES
The following existing policies will be replaced in full by the new ̾Ƶ Information Classification Policy. A complete mapping of each institution's existing policy to the new Policy is provided at the links below.
- ̾Ƶ Data Classification Policy (all institutions)
- PSU – Sensitive and Confidential Information Policy (FIN-ITS-002)
- KSC – Data Access Policy
A comprehensive map of all impacted institutional policies to the new Policy can be found here.
(This is the same mapping information as the institutional maps, just in aggregate.)
DETAILED EXPLANATION OF CHANGES
There are four fundamental changes to the existing ̾Ƶ Policy being proposed:
Data to Information
We are proposing that the name of the policy be changed to ̾Ƶ Information Classification Policy. Using the word "information", which is inclusive of, but not limited to, data aligns the naming of the policy more clearly with its intent and the way it should be implemented: classification, and the handling requirements associated with the different tiers of classification, applies to all institutional information, regardless of its form. Using the word "data" can imply that the policy only applies to information stored digitally.
This does not change anything demonstrably at any institution, as most non-digital information is already treated as in-scope for classification.
Consistent Terminology and Classification
We are proposing that the tiered classification structure outlined in the new Policy be implemented and enforced at all institutions. Currently, the ̾Ƶ Data Classification Model is implemented to varying degrees across the four institutions. Moving forward, all institutions need to adopt the same Policy for information classification and the same Standards for information handling.
This represents a change for all institutions and is necessary to support the consolidation of information technology resources, services, and functions at the system-level.
Expansion to Five Classifications
We are proposing that the existing classification structure, which includes three classifications, be expanded to five classification "tiers". This represents a change for all institutions and is intended to make it easier to define and enforce specific information handling requirements aligned with regulation and industry standards. The use of Tiers is intended to provide a quick visual reference to indicate the order of the classifications (e.g., Tier 5 Confidential is more stringent than Tier 3 Protected).
The proposal is to split the “RESTRICTED” classification, which currently includes any information that is protected by regulation, including FERPA, GLBA, HIPAA, and PCI-DSS, into three distinct classification tiers outlined below:
- TIER 5 – CONFIDENTIAL: Includes HIPAA, PCI-DSS, and some Research information based on contractual requirements
- TIER 4 – RESTRICTED: Includes SSN, FMLA, GLBA, other protected personally identifiable information, information technology information, and some Research information based on contractual requirements
- TIER 3 – PROTECTED: Includes FERPA and some Research information based on contractual requirements
This change is being proposed to make it easier to define and document clear information handling Standards for each Tier. By moving FERPA and HIPAA/PCI to new, separate tiers, we can more closely align the security controls required to safeguard each type of information, without imposing the more onerous security controls required for compliance with other regulations on the broader academic community.
This represents a demonstrable change for all institutions.
Documented Information Handling Standards
To better support the ̾Ƶ community in understanding their information handling responsibilities, we will be documenting Information Handling requirements for each Tier as a Cybersecurity Standard. This accomplishes two goals: 1) further reinforcing consistency in information handling across all ̾Ƶ institutions, and 2) providing documented standards that can be used to demonstrate compliant practices for audits and assessments.
In this instance a "Standard" is a type of policy document that provides all the detailed information needed to comply with a policy or with part of a policy. For example, the Information Classification Policy requires that "All ̾Ƶ and component institution information shall be protected appropriately based on the classification of that information." The individual Information Handling Standards for each classification tier define the specific security controls that equate to "protected appropriately". Each Information Handling Standard will define and document things like where information can be stored, how it can be shared, with whom it can be shared, whether it can be emailed, etc.
These Standards are being documented with the help of the appropriate data stewards at each institution and will become effective at the same time as the new Policy. Currently, we plan to develop the following Standards in support of this Policy:
- Public and Sensitive Information Handling Standard
- Protected Information Handling Standard
- Restricted Information Handling Standard
- Confidential Information Handling Standard
This represents a demonstrable change, to varying degrees, for all institutions, as some detailed information handling requirements were previously defined in institutional policies.
ADDITIONAL SECTIONS ADDED
While much of the content in the new ̾Ƶ Information Classification Policy can be mapped to provisions in the ̾Ƶ Data Classification Policy, the following new sections were added to this Policy.
New Section – 4.7 Information Handling Requirements
The new Policy adds a section that makes Cybersecurity & Networking, with oversight by the institutional data stewards, responsible for defining, documenting, and publishing information handling requirements for each classification tier.
Standards related to this section:
- Public and Sensitive Information Handling Standard
- Protected Information Handling Standard
- Restricted Information Handling Standard
- Confidential Information Handling Standard
Note: All four Information Handling Standards will be available for review in late February/early March 2021.
New Section – 4.8 Clarification on Classification
The new Policy adds a section that makes Cybersecurity & Networking the ̾Ƶ community's central point of contact for questions about classification. The intention of this provision is to make it as simple as possible for those with questions to know whom to contact to get answers.
New Section – 5 Enforcement
The new Policy adds an Enforcement section that mirrors all the other Technology/Cybersecurity Policies.
New Concept – 7 Exceptions
The new Policy introduces the concept of Policy exceptions and directs community members to the detailed requirements related to these exceptions provided in the Cybersecurity Exception Standard. This concept, section, and Standard reference will be consistent across all Technology/Cybersecurity Policies and the related Standards.
Standards related to this section:
- Cybersecurity Exception Standard
New Concept – 8 Roles & Responsibilities
The new Policy adds a section to list the Roles & Responsibilities defined in the Policy provisions.