Data Classification Policy
The purpose of this policy is to define the data classification requirements for Wheaton College information assets and to ensure that data is secured and handled according to its sensitivity and the impact that its theft, corruption, loss or exposure would have on the institution. This policy provides direction regarding the identification, classification and handling of information assets.
The scope of this policy includes all information assets owned or managed by Wheaton College. All Wheaton College personnel and third parties who have access to or utilize the institution’s information assets are subject to these requirements. This includes data at rest, in transit or being processed, in any format on any media, and in any location.
Wheaton College has established the requirements enumerated below regarding the classification of data to protect the institution’s information.
3.1 Data Stewardship and Accountability
Data Stewardship is the responsibility of managing and caring for the data with which Wheaton College has been entrusted in order to carry out its mission, daily activities and regulatory and legal responsibilities. This includes diligently working to ensure the Confidentiality, Integrity and Availability of Wheaton College-owned and managed data.
Data Stewards are the individuals, roles, or committees with primary responsibility for information assets. They are responsible for identifying the institution’s information assets under their areas of responsibility and maintaining an accurate and complete inventory for data classification and handling purposes.
Data Stewards are accountable for ensuring that their information assets receive an initial classification upon creation and a re-classification whenever warranted. Re-classification of an information asset should be performed by the Data Steward whenever the information asset is significantly modified. Additionally, Data Stewards are responsible for reporting deficiencies in security controls to management.
See the Data Classification and Handling Procedure for details about the data inventory and examples of other data steward responsibilities.
3.2 Data Classification
Classification of data will be performed by the Data Steward based on the specific, finite criteria as identified in the Federal Information Processing Standard Publication 199 (FIPS-199) for confidentiality, integrity and availability. Refer to the Data Classification and Handling Procedure to determine how data should be classified. Data classifications for Wheaton College are defined as follows:
- RESTRICTED – Information assets whose loss, corruption, or unauthorized disclosure would cause financial loss or would result in regulatory or government sanctions such as violations of or associate private information. Common examples include, but are not limited to, social security numbers, banking and health information, payment card information, personnel records and information systems’ authentication data.
- PRIVATE – Information assets whose loss, corruption, or unauthorized disclosure would not seriously impair business or educational functions but which are otherwise private. Examples include, but are not limited to, final course grades, building plans, protected data related to research, financial statements, contracts and legal information.
- PUBLIC – Information assets whose loss, corruption, or unauthorized disclosure would not impair business functions. Examples include, but are not limited to, academic recruiting and marketing strategies, website content and promotional information.
3.3 Data Handling
Information assets must be handled according to their prescribed classification, including access controls, labeling, retention policies and destruction methods. The specific methods are described in the Data Classification and Handling Procedure.
A re-evaluation of classified information assets must be performed at least once per year by the responsible Data Steward. Re-classification of information assets should also be considered whenever the information asset is modified, archived or destroyed.
3.5 Classification Inheritance
Logical or physical assets that contain an information asset inherit the classification from the information asset(s) contained therein. The inherited classification shall be the most restrictive classification of all contained assets. For example, if the asset contains both Restricted and Private data, the asset classification is Restricted.
Users who violate this policy may be denied access to the institution’s information and/or technology resources and may be subject to penalties and disciplinary action both within and outside of the institution. The institution may temporarily suspend or block access to an account prior to the initiation or completion of such procedures when it appears reasonably necessary to do so in order to protect the integrity, security, or functionality of the institution or other technology resources, or to protect the institution from liability.
Exceptions to this policy must be approved in advance by the Chief Information Officer at the request of the responsible Data Steward. Approved exceptions must be reviewed and re-approved by the Data Steward annually.
- Federal Information Processing Standard Publication 199 (FIPS-199)
- NIST Special Publication 800-53 r4
7.0 Related Policies
- Acceptable Use Policy
- Information Security Policy (to be drafted)
- Data Classification and Handling Procedure
8.0 Policy Authority
This policy is issued by the Chief Information Officer for Wheaton College.
9.0 Effective Date
This policy is effective starting October 1, 2017.
10.0 Revision History
| Version | Date | Author | Description |
|---|---|---|---|
| 1.00 | June 2, 2017 | GreyCastle Security | Original |
| 1.01 | September 29, 2017 | Wheaton & GCS | General Revisions |