General Policy: All College data is classified into defined access levels. Data may not be accessed without proper authorization. The purpose of this policy is to protect the information resources of the College from unauthorized access or damage. The requirement to safeguard information resources must be balanced with the need to support the pursuit of legitimate academic objectives.
Scope: This policy is applicable to all College students, faculty and staff, contractors, volunteers, and to all others granted use of North Iowa Area Community College information resources. Every user of these resources has a responsibility toward the protection of this information; some offices and individuals have very specific responsibilities. This policy refers to all College information resources whether individually controlled or shared, stand-alone or networked. It applies to all data sources found on equipment owned, leased, operated or contracted by the College, or equipment used by College staff in their travel or home environments. This includes laptops, personal digital assistants, telephones, wireless devices, personal computers, workstations, minicomputers and any associated peripherals and software, regardless of whether used for administration, research, teaching or other purposes.
Policy: Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the College should that data be disclosed, altered or destroyed without authorization. The proper classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All College data should be classified into one of three sensitivity levels, or classifications:
A. Confidential (High Sensitivity)
Data should be classified as Confidential when it could seriously damage the mission, safety or integrity of the College, its staff or its constituents. Such data should not be copied or removed from the College’s operational control without authorized permission. High sensitivity data is subject to the most restricted distribution and must be protected at all times. Examples of High Sensitivity data include data protected by state or federal privacy regulations, such as: Social Security numbers, credit card numbers, bank account numbers, student records and medical records. High Sensitivity data may also include, but is not limited to, data associated with investigations, bids prior to award, personnel files, trade secrets, safety and security plans, appraisals of real property, constituent records, academic records, contracts during negotiation and risk or vulnerability assessments. These public records shall be kept confidential pursuant to Iowa Code section 22.7.50.
Confidential data should be protected to the highest possible degree as is prudent or as is required by law. Such guidelines include, but are not limited to, the following:
- When stored in an electronic format, must be protected with strong passwords and stored on servers that have protection or encryption measures applied in order to protect against loss, theft, unauthorized access and unauthorized disclosure.
- Must not be disclosed to parties without explicit authorization from a vice president.
- Must be stored only in a locked drawer or room or an area where access is controlled by a guard, cipher lock, or that otherwise has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other persons without a need-to-know.
- When sent via fax must be sent only to a previously established and used address or one that has been verified as using a secured location.
- Must not be posted on any public website.
- Must be destroyed when no longer needed by shredding (for paper records) or degaussing/erasure/physical destruction (for electronic records).
B. Sensitive (Internal Use, Private, Medium Sensitivity)
Data should be classified as Sensitive when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the College or its affiliates. By default, all College data that is not explicitly classified as Public or Confidential should be treated as Sensitive data. Data in this category is not routinely distributed outside the College. It may include, but is not limited to, non-Confidential data contained within: internal communications, interim financial reports, minutes of meetings and internal project reports. A reasonable level of security controls should be applied to Sensitive data, such as:
- Must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure.
- Must be stored in a closed container (i.e. file cabinet, closed office, or department where physical controls are in place to prevent disclosure) when not in use.
- Must not be posted on any public website.
- Must be destroyed when no longer needed by shredding (for paper records) or degaussing/erasure/physical destruction (for electronic records).
C. Public (General Use, Low Sensitivity)
Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the College and its affiliates. Examples of Public data include press releases, annual reports, course information, publicly accessible web pages and research publications. While few or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of such data.
Classifications of data should be performed by an appropriate Data Owner. Data Owners are director-level employees who oversee the lifecycle of one or more sets of Institutional Data.
Roles and Responsibilities:
Chief Information Officer
Has overall responsibility for the security of the College’s information assets and is responsible for disseminating and providing interpretation of this and other policies related to security. Serves as the chief information security officer. Responsibilities of the CIO include:
- Ensuring that the College's information practices and policies comply with the Open Records statute, Chapter 22 of the Iowa Code, including the formulation of any response of the College to a formal request for records under the statute.
- Ensuring that appropriate data classification policies are delegated throughout the College to various College services, departments and other units.
- Acting as Data Custodian for all College information not otherwise assigned.
- Ensuring adequate security technology is applied to information resources in keeping with their classification.
- Ensuring that the College’s data classification policies and practices meet all Federal, State and College data security policies or are complied with on a timely and prudently acceptable basis.
- Annually reviewing, in conjunction with the Data Custodians, that all data classifications remain relevant, are complete and any required changes are being adequately addressed on a timely basis.
- Ensuring that a recording of these processes is adequately and effectively maintained.
Data Trustees
Data Trustees are senior college officials or their designees who have planning, policy-level and management responsibility for data within their functional areas. Data Trustee responsibilities include:
- Assigning and overseeing Data Owners
- Overseeing the establishment of data policies in their areas
- Determining legal and regulatory requirements for data in their areas
- Promoting appropriate use and data quality
Data Owners
Data Owners are college directors having direct operational-level responsibility for the management of one or more types of data. Data Owners are assigned by the Data Trustee and are generally division chairs and directors. Data Owner responsibilities include:
- The application of this and related policies to the systems, data, and other information resources under their care or control
- Assigning data classification labels using the college's data classification methodology
- Identifying and implementing safeguards for restricted data
- Communicating and providing education on the required minimum safeguards for protected data to authorized data users and data custodians
In cases where multiple data owners collect and maintain the same restricted data elements, the data owners must work together to implement a common set of safeguards.
Data Custodians
Data Custodians are Information Technology or computer system administrators responsible for the operation and management of systems and servers which collect, manage, and provide access to college data. Data Custodians must be authorized by the appropriate Data Owner or the CIO. Data Custodian responsibilities include:
- Maintaining physical and system security and safeguards appropriate to the classification level of the data in their custody
- Complying with applicable college computer security standards
- Managing Data Consumer access as authorized by appropriate Data Owners
- Following data handling and protection policies and procedures established by Data Owners and Information Security
Data Consumers
Data Consumers are the individual college community members who have been granted access to college data in order to perform assigned duties or in fulfillment of assigned roles or functions at the college. This access is granted solely for the conduct of college business. Data Consumer responsibilities include:
- Following the policies and procedures established by the appropriate Data Owner and Chief Information Officer
- Complying with federal and state laws, regulations, and policies associated with the college data used
- Implementing safeguards prescribed by appropriate Data Owners for Restricted Data
- Reporting any unauthorized access or data misuse to Information Security or the appropriate Data Owner for remediation
Violation of Policy: The College Information Security Officer must be notified in a timely manner if data classified as Confidential is lost, disclosed to unauthorized parties or suspected of being lost or disclosed to unauthorized parties, or if any unauthorized use of the College's information systems has taken place or is suspected of taking place.
Violation of this policy may subject a user to disciplinary action under appropriate College disciplinary procedures. The College may take such action as necessary, in its discretion, to address any violation(s) under this policy.
CHAPTER: ADMINISTRATION
NUMBER: 2.21
Data Classification Policy
LAST REVIEWED: May 31, 2023
LAST REVISED: May 2013
DATE ADOPTED: December 2010