Data Classification and Handling Procedure

1. Purpose

This procedure details the steps required to apply a data classification scheme to Wheaton College systems and data. Questions related to data classification should be addressed to the Chief Information Officer.

2. Scope

This procedure applies to all Wheaton College employees, students, and third parties who store, process, transmit, or otherwise handle data on behalf of Wheaton College or access Wheaton College information systems.

3. Roles and Responsibilities

  • Data Stewards – Data Stewards are the individuals, roles, or committees with primary responsibility for information assets. They are responsible for identifying the institution’s information assets under their areas of responsibility, maintaining an accurate and complete information asset inventory (see sections 5.1 and 5.2 below), and ensuring that data is properly classified and handled per requirements defined in section 6 below. Data Stewards are accountable for ensuring that their information assets receive an initial classification upon creation and a re-classification whenever warranted. Re-classification of an information asset should be performed by the Data Steward whenever the information asset is significantly modified. Additionally, Data Stewards are responsible for reporting deficiencies in security controls to management.
  • Data steward responsibilities include, but are not limited to:
    • Approving and continuously overseeing access to the data entrusted to them. Users should be granted the minimum amount of access necessary to perform their job functions. Any more access would violate the Confidentiality, “Least Privilege”, and “Need to Know” principles. Any less access would impede their ability to perform their duties. Examples of activities include:
      • Approving appropriate access to data for a new hire, enabling the individual to perform their job duties.
      • Reviewing such access periodically to ensure the individual maintains appropriate access to data as their job duties or roles expand or change.
      • Requesting removal of access to data in the event a user’s role changes, as the user transfers to another department, or the user leaves the institution.
    • Ensuring the quality/integrity of the data in their stewardship. Examples of activities include:
      • Establishing and overseeing procedures for data input and processing necessary to support business functions.
      • Appropriately training staff who work with institutionally-owned data on how to handle such data based on job responsibilities (e.g., generating and manipulating reports, where and how to store data, to whom and how to send the data, and generally what not to do with data).
      • Alerting appropriate individuals (e.g., AIT, Institutional and/or departmental management, or Public Safety) when any issues are discovered related to the quality of data (e.g., incorrect data has been provided to a 3rd party, processed incorrectly, or input incorrectly into a repository; or an unexpected output is received).
      • Working with appropriate departments in order to:
        • Address any changes in the configuration of the data provided (e.g., a state or federal regulatory agency requires additional fields to be provided for reporting purposes)
        • Appropriately vet and onboard vendors or other 3rd parties to which data will be provided.
  • Chief Information Officer (CIO) – responsible for monitoring the implementation of this procedure and reporting to senior administration on any abnormal findings or exceptions.
  • All Employees, Third Parties and Students – responsible for handling all classified information (electronic or non-electronic) in accordance with section 5 below.
  • Academic and Institutional Technology (AIT) is the custodian of this procedure. They also will document standardized processes to assist data stewards with their responsibilities.

4. Definitions

Personally Identifiable Information (PII): the first name (or first initial) and last name, in combination with any one or more of the following data elements:

  • Government‐Issued identification number (e.g. permanent resident card, etc.)
    • Social Security Number (SSN) / Taxpayer Identification Number (TIN) / National Identification Number (NIN)
    • Passport number
    • Permanent resident card
  • Driver license (DL) number
  • Financial account number:
    • Payment card number (credit or debit)
    • Bank account number
  • Electronic Protected Health Information (ePHI)

Electronic Protected Health Information (ePHI): a combination of two or more data elements that uniquely identify an individual that would provide knowledge of medical information about the individual as defined by HIPAA.

College Financial Information: information about the institution's finances, investments or investment strategies that is not public knowledge.

Payment Card Industry (PCI) Data or “Cardholder” Data: account data associated with payment cards issued by the major payment brands (e.g., Visa, MasterCard, AMEX, Discover). It includes the Primary Account Number (PAN), expiration date and card verification code. This includes debit cards as well as credit cards.

Intellectual Property (IP): information about works, inventions or any other intellectual materials that give the institution a competitive advantage.

Confidentiality: Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.

Integrity: guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity.

Availability: Ensuring timely and reliable access to and use of information.

5. Data Classification Procedure

5.1 Information Asset Discovery

Developing an institutional information asset classification scheme requires input from many departments and resources to help ensure all types of data and systems are accounted for. Information assets can be either physical (such as documents in filing cabinets, desks, vaults, or other storage units) or electronic (existing in systems, software, services, databases, websites, computers, or storage devices).

5.2 Information Asset Inventory

The information asset inventory shall include, at a minimum, the following fields:

Asset Name          Data Steward   Confidentiality   Integrity   Availability   Classification
Banner Financials   Controller     Medium            High        Medium         Private
Personnel Files     Director HR    High              Medium      Medium         Restricted

  • Information Asset Name can be the common name known by the majority, however formal identification should be listed as well for a more accurate inventory.

NOTE: A broad grouping may result in applying controls unnecessarily, because the information asset must be classified at the highest level required by any of its individual data elements. For example, if Human Resources decides to classify all of their personnel files as a single information asset and any one of those files contains a name and social security number, the entire grouping would need to be protected with the controls for a classification of Restricted.

  • Data Stewards are responsible for determining the information’s classification and how and by whom the information asset will be used, and should be an individual in a managerial position. If multiple individuals are found to be “owners” of the same information asset, a single Data Steward should be designated by a higher level of management.
  • Use the chart below to identify the confidentiality, integrity and availability grades of each information asset. Classification of data will be based on specific, finite criteria as identified in the Federal Information Processing Standard Publication 199 (FIPS-199).

Information Classification Categories:

Each security objective is graded Low, Moderate or High according to the impact of a loss in that objective.

CONFIDENTIALITY
Consider impact of unauthorized disclosure on factors such as:

  • Health and Safety
  • Financial Loss
  • Public Trust

Impact levels:

  • Low – The unauthorized access or disclosure of information would have minimal or no impact to the institution, its critical functions, workforce, reputation, business partners and/or its students.
  • Moderate – The unauthorized access or disclosure of information would have only limited impact to the institution, its critical functions, workforce, reputation, business partners and/or its students.
  • High – The unauthorized access or disclosure of PPSI or other information would have a severe impact to the institution, its critical functions, workforce, reputation, business partners and/or its students.

INTEGRITY
Consider impact of unauthorized modification or destruction on factors such as:

  • Health and Safety
  • Financial Loss
  • Public Trust

Impact levels:

  • Low – The unauthorized modification or destruction of information would have minimal or no impact to the institution, its critical functions, workforce, reputation, business partners and/or its students.
  • Moderate – The unauthorized modification or destruction of information would have only limited impact to the institution, its critical functions, workforce, reputation, business partners and/or its students.
  • High – The unauthorized modification or destruction of information would have a severe impact to the institution, its critical functions, workforce, reputation, business partners and/or its students.

AVAILABILITY
Consider impact of untimely or unreliable access to information on factors such as:

  • Health and Safety
  • Financial Loss
  • Public Trust

Impact levels:

  • Low – The disruption of access to or use of information would have minimal or no impact to the institution, its critical functions, workforce, reputation, business partners and/or its students.
  • Moderate – The disruption of access to or use of information would have only limited impact to the institution, its critical functions, workforce, reputation, business partners and/or its students.
  • High – The disruption of access to or use of information would have a severe impact to the institution, its critical functions, workforce, reputation, business partners and/or its students.

6. Data Handling Requirements

6.1 Data Classification Levels

Information assets are assigned a classification level based on the intended audience for the information, its value to the institution or individual and its sensitivity. If the information has been previously classified by regulatory, legal, contractual or company directive, then that classification will take precedence. The classification level then guides the selection of protective measures to secure the information. All data are to be assigned one of the following three classification levels:

Restricted
  • Definition: Restricted information is highly‐valuable, highly‐sensitive institutional or personal information. The level of protection is dictated externally by legal and/or contractual requirements. Access to restricted information must be limited to authorized employees, contractors and business partners with a specific business need.
  • Potential Impact of Loss: SIGNIFICANT DAMAGE to the institution would occur if Restricted information were disclosed to unauthorized parties either internal or external to Wheaton College. The impact would have a significant negative effect on Wheaton College’s competitive position or reputation, violate regulatory or contractual requirements, or pose an identity theft risk.

Private
  • Definition: Private information is highly‐valuable, sensitive institutional or personal information. The level of protection is dictated internally by Wheaton College. Private information is information originated or owned by Wheaton College, or entrusted to it by others. Private information may be shared with authorized employees, contractors, and business partners who have a business need, but may not be released to the general public due to the negative impact it might have on the institution or individuals.
  • Potential Impact of Loss: MODERATE DAMAGE to the institution would occur if Private information were to become available to unauthorized parties either internal or external to Wheaton College. The impact could negatively affect Wheaton College’s competitive position or reputation, violate legal or contractual requirements, or expose private information about individuals such as their grades or geographic location.

Public
  • Definition: Public information is information that has been approved for release to the general public and is freely sharable both internally and externally.
  • Potential Impact of Loss: MINIMAL or NO DAMAGE to the institution would occur if Public information were to become available to parties either internal or external to Wheaton College. The impact would not damage Wheaton College’s reputation or pose a risk to business operations.

6.2 Data Labeling

Data labeling is the practice of marking an information system or document with its appropriate classification levels so others know how to appropriately handle the information. There are several methods for labeling information assets.

  • Printed: Information that can be printed (e.g., spreadsheets, files, reports, drawings, or handouts) should contain one of the following confidentiality symbols in the document footer on every printed page, or simply the words if the graphic is not technically feasible. The exception for labeling is with marketing material, since marketing material is primarily developed for public release.
  • Displayed: Restricted or Private information that is displayed or viewed (e.g., websites, presentations, etc.) should be labeled with its classification as part of the display, where feasible.
The labels for each classification level are:

Classification   Label
Restricted       Access Limited to Authorized Personnel
Private          Access Limited to Internal Use Only
Public           Public Release Authorized

6.3 General Guidelines

  • Any information created or received by Wheaton College employees in the performance of their job at Wheaton College is classified Private by default, unless the information requires a higher classification of Restricted or is approved for release to the general public.
  • Treat information that is not assigned a classification level as Private at a minimum and use corresponding controls.
  • When combining information with different sensitivity levels into a single application or database, assign the most restrictive classification to the combined information asset. For example, if an application contains Private and Restricted information, the entire application is Restricted.
  • Restricted and Private information must never be released to the general public but may be shared with third parties, such as government agencies, business partners or consultants, when there is a business need to do so and the appropriate security controls are in place according to the level of classification.
  • You may not change the format or media of information if the new format or media you will be using does not have the same level of security controls in place. For example, you may not export Restricted information from a secured database to an unprotected Microsoft Excel spreadsheet.
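The two aggregation rules above (the section 5.2 NOTE and the third guideline in 6.3: a combined asset takes the most restrictive classification of any element it holds, and unclassified information is Private at a minimum) are easy to apply by hand for one asset but easy to get wrong across an inventory. The following Python script is an added example, not part of the procedure or of any Wheaton College tooling. It uses a subset of the section 6.5 examples table as its lookup, checks that an inventory record carries the six minimum fields from section 5.2, and flags records whose declared classification is lower than their data elements require. The "Elements" column on each record is an assumed extension of the 5.2 inventory, and the sample records are constructed (the "Personnel Files" record deliberately declares Private for a grouping that contains an SSN).

```python
from enum import IntEnum
from typing import Dict, Iterable, List


class Level(IntEnum):
    """Classification levels from section 6.1, ordered least to most restrictive."""
    PUBLIC = 0
    PRIVATE = 1
    RESTRICTED = 2


# Subset of the section 6.5 examples table; names are lower-cased for lookup.
ELEMENT_CLASS: Dict[str, Level] = {
    "first & last name": Level.PUBLIC,
    "email address": Level.PUBLIC,
    "major": Level.PUBLIC,
    "birth date": Level.PRIVATE,
    "home address": Level.PRIVATE,
    "individual grades": Level.PRIVATE,
    "internal ip addresses": Level.PRIVATE,
    "social security number (ssn)": Level.RESTRICTED,
    "payment card number (credit or debit)": Level.RESTRICTED,
    "username & password pairs": Level.RESTRICTED,
}

# Section 5.2 lists these as the minimum inventory fields.
REQUIRED_FIELDS = ("Asset Name", "Data Steward", "Confidentiality",
                   "Integrity", "Availability", "Classification")
# The 5.2 inventory example writes "Medium" where the FIPS-199 chart says "Moderate";
# both spellings are accepted here (an assumption of this example).
VALID_GRADES = {"Low", "Medium", "Moderate", "High"}


def classify_element(name: str) -> Level:
    # Section 6.3: information with no assigned classification is Private at a minimum.
    return ELEMENT_CLASS.get(name.strip().lower(), Level.PRIVATE)


def classify_asset(elements: Iterable[str]) -> Level:
    # Section 5.2 NOTE / 6.3: a combined asset takes the most restrictive level of
    # any element it holds; an asset with no listed elements defaults to Private.
    return max((classify_element(e) for e in elements), default=Level.PRIVATE)


def check_inventory_record(record: dict) -> List[str]:
    """Return the problems found in one inventory record (empty list means it passes)."""
    problems: List[str] = []
    for field in REQUIRED_FIELDS:
        if not record.get(field):
            problems.append(f"missing field: {field}")
    for field in ("Confidentiality", "Integrity", "Availability"):
        grade = record.get(field)
        if grade and grade not in VALID_GRADES:
            problems.append(f"{field} grade {grade!r} is not Low/Moderate/High")
    declared = record.get("Classification")
    if declared:
        try:
            declared_level = Level[declared.upper()]
        except KeyError:
            problems.append(f"unknown classification {declared!r}")
        else:
            # "Elements" is the assumed extra column listing the data elements the asset holds.
            required = classify_asset(record.get("Elements", []))
            if declared_level < required:
                problems.append(
                    f"declared {declared} but elements require {required.name.title()}")
    return problems


def audit_inventory(records: Iterable[dict]) -> Dict[str, List[str]]:
    """Map each asset name to the list of problems found in its record."""
    return {r.get("Asset Name", "<unnamed>"): check_inventory_record(r) for r in records}


# Constructed sample records for this example.
SAMPLE_RECORDS = [
    {"Asset Name": "Banner Financials", "Data Steward": "Controller",
     "Confidentiality": "Medium", "Integrity": "High", "Availability": "Medium",
     "Classification": "Private", "Elements": ["Budget-Related Data"]},
    {"Asset Name": "Personnel Files", "Data Steward": "Director HR",
     "Confidentiality": "High", "Integrity": "Medium", "Availability": "Medium",
     "Classification": "Private",  # too low: one element is an SSN
     "Elements": ["First & Last Name", "Home Address", "Social Security Number (SSN)"]},
    {"Asset Name": "Department Roster", "Data Steward": "",  # steward not recorded
     "Confidentiality": "Low", "Integrity": "Low", "Availability": "Low",
     "Classification": "Public", "Elements": ["First & Last Name", "Email Address"]},
]

if __name__ == "__main__":
    for name, problems in audit_inventory(SAMPLE_RECORDS).items():
        print(name, "->", problems or "OK")
```

Because unknown elements default to Private rather than Public, a record can only pass as Public when every element it lists is explicitly known to be Public; that is the conservative direction the 6.3 guidelines call for.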

6.4 Data Handling Requirements

The required handling controls for each classification level are:

Non‐Disclosure Agreement (NDA)
  • Restricted: NDA is required prior to access by authorized third parties
  • Private: NDA is recommended prior to access by authorized third parties
  • Public: No NDA requirements

Cloud-based Storage (Box, Google Drive)
  • Restricted: Only use solutions provided by AIT
  • Private: Only use solutions provided by AIT
  • Public: No cloud-based storage requirements

Internal Network Transmission (wired and wireless)
  • Restricted:
    • Encryption is required
    • Unencrypted Instant Messaging is prohibited
    • Unencrypted FTP is prohibited
  • Private:
    • Encryption is required
    • Unencrypted FTP is prohibited
  • Public: No special requirements

Information Destruction (hard drives, solid state drives, tapes, removable media, optical media and paper)
  • Restricted:
    • Hard drives and other media – turn the device in to AIT
    • Paper – dispose of paper in departmental secure recycle bins or shred with a micro or crosscut shredder
  • Private:
    • Hard drives and other media – turn the device in to AIT
    • Paper – dispose of paper in departmental secure recycle bins or shred with a micro or crosscut shredder
  • Public:
    • Hard drives and other media – turn the device in to AIT
    • Paper – No special requirements

External Network Transmission (wired & wireless)
  • Restricted:
    • Encryption is required
    • Unencrypted Instant Messaging is prohibited
    • Unencrypted FTP is prohibited
    • Remote access should be used only when necessary and only with VPN and two‐factor authentication when available
  • Private:
    • Encryption is recommended
    • Unencrypted Instant Messaging is prohibited
    • Unencrypted FTP is prohibited
    • Remote access should be used only when necessary and only with VPN
  • Public: No special requirements

Data at Rest (file servers, databases, archives, voice mails, etc.)
  • Restricted:
    • Encryption is required
    • Logical access controls are required to limit unauthorized use
    • Physical access restricted to specific individuals
  • Private:
    • Encryption is recommended
    • Logical access controls are required to limit unauthorized use
    • Physical access restricted to specific groups
  • Public:
    • Logical access controls are required to limit unauthorized use or modification
    • Physical access restricted to specific groups

Mobile Devices (smartphones, tablets, USB drives, etc.)
  • Restricted:
    • Encryption is required
    • Remote wipe must be enabled, if possible
    • A complex PIN is required to access the device
  • Private:
    • Encryption is recommended
    • Remote wipe should be enabled, if possible
  • Public: No special requirements

Email (with and without attachments)
  • Restricted:
    • Encryption is required
    • Do not forward
  • Private: Encryption is recommended
  • Public: No special requirements

Physical Mail
  • Restricted:
    • Mark “Open by Addressee Only”
    • Use “Certified Mail” and sealed, tamper‐resistant envelopes for external mailings
    • Delivery confirmation is required
    • Hand deliver internally
  • Private:
    • Use CPO for internal campus mailings
    • Hand delivery is recommended over CPO mail
    • Use US Mail or other public delivery systems and sealed, tamper‐resistant envelopes for external mailings
  • Public: No special requirements

Printer
  • Restricted:
    • Verify destination printer
    • Attend printer while printing
  • Private:
    • Verify destination printer
    • Retrieve printed material without delay
  • Public: No special requirements

Removable Media (flash drives, external hard drives, CDs, DVDs, etc.)
  • Restricted: Do not store on any removable media
  • Private: Only use solutions provided by AIT
  • Public: No special requirements

6.5 Data Classification Examples

The following table depicts examples of sensitive data elements and their assigned classification:

Student or Employee Personal Data
  • Social Security Number (SSN) – Restricted
  • Employer Identification Number (EIN) – Restricted
  • Driver's License (DL) Number – Restricted
  • Financial Account Number – Restricted
  • Payment Card Number (Credit or Debit) – Restricted
  • Government-Issued Identification (e.g., passport, permanent resident card, etc.) – Restricted
  • Electronic Protected Health Information – Restricted
  • Birth Date – Private
  • First & Last Name – Public
  • Age – Private
  • Phone and/or Fax Number – Public
  • Home Address – Private
  • Gender – Private
  • Ethnicity – Private
  • Email Address – Public
  • Alumni Contact Information – Private
  • Donor Information – Restricted

Employee-Related Data
  • Compensation & Benefits Data – Restricted
  • Medical Data – Restricted
  • Workers Compensation Claim Data – Restricted
  • Employee ID – Private
  • Banner PIDM – Private
  • Education Data – Private
  • Dependent or Beneficiary Data – Private

Student-Related Data
  • Academic Transcript – Private
  • Class Schedule – Private
  • Individual Grades – Private
  • Major – Public
  • Degree – Public
  • Student ID Number – Private
  • Advising Notes – Private

Marketing Data
  • Business Plan (including marketing strategy) – Private
  • Marketing Promotions Development – Private
  • Internet‐Facing Websites (e.g., College website, social networks, blogs, promotions, etc.) – Public
  • News Releases – Public

Network & Infrastructure
  • Username & Password Pairs – Restricted
  • Public Key Infrastructure (PKI) Cryptographic Keys (public and private) – Restricted
  • Hardware or Software Tokens (multifactor authenticator) – Restricted
  • System Configuration Settings – Private
  • Regulatory Compliance Data – Private
  • Internal IP Addresses – Private
  • Privileged Account Usernames – Private
  • Service Provider Account Numbers – Private

Operating Financial Data
  • Institutional Financial Data – Private
  • Budget‐Related Data – Private
  • Trade Secrets (e.g., design diagrams, competitive information, etc.) – Private
  • Electronic Payment Information (Wire Payment / ACH) – Private
  • Paychecks – Private
  • Bank Account Information – Restricted
  • Investment‐Related Activity – Private
  • Account Information (e.g., stocks, bonds, mutual funds, money markets, etc.) – Restricted


7. Exceptions

Any exceptions to this procedure shall be requested in writing, approved and documented as such by the Chief Information Officer.

8. Enforcement

Any employee found to have violated this procedure will be subject to Wheaton College disciplinary procedures, as defined in the employee handbook, faculty handbook or student handbook.

9. References

  • Data Classification Policy
  • Acceptable Use Policy
  • Asset Inventory
  • HIPAA
  • PCI DSS
  • Federal Information Processing Standard Publication 199 (FIPS-199)

10. Revision History

Version   Date                 Author                Revisions
3.00                           GreyCastle Security   Initial Draft
3.01      September 29, 2017   Wheaton & GCS         General Revisions