/Institutions/Keuka-College/json/2024-2025/Information-Technology-Policies-local.json

/Institutions/Keuka-College/json/2024-2025/Information-Technology-Policies.json

Data Classification Policy

Purpose

Data protection is a responsibility shared by all Keuka College community members. This document outlines classification categories for data and the responsibilities of Keuka College with respect to each classification. The purpose of this policy is to define the data classification requirements for information assets and to ensure that data is secured and handled according to its sensitivity and the impact that theft, corruption, loss, or exposure would have on the institution and its constituents. This policy was developed to assist Keuka College and provide direction to the institution regarding identifying, classifying, and handling information assets.

Scope

The scope of this policy includes all information assets governed by Keuka College. All faculty, staff, and third parties who have access to or utilize information assets to process, store and/or transmit information for or on behalf of Keuka College shall be subject to these requirements.

Policy

Keuka College established the requirements enumerated below regarding the classification of data to protect the information of the institution and its constituents.

Governance Roles and Responsibilities

Multiple roles have responsibilities relevant to data classification. In particular, Data Stewards hold primary responsibility for:

1. Identifying the institution’s information assets under their areas of supervision; and
2. Maintaining an accurate and complete inventory for data classification and handling purposes.
3. Data Stewards are accountable for ensuring that their information assets receive an initial classification upon creation and a reclassification whenever reasonable. The IT Department will support reclassification efforts as requested by a Data Steward.

The IT Department will be responsible for:

1. Identifying the appropriate storage for electronic files as it pertains to the data classification type and making the Data Stewards aware of these platforms.
2. Ensuring the storage platforms have the appropriate settings for compliance with various regulatory standards.

Data Classification

Data classifications are used to identify data into broad categories grouped by the relative strength of security controls.

Keuka College establishes the following data classifications:

Non-Public Information

Confidential

Information whose loss, corruption, or unauthorized disclosure could impair operations or expose the institution to potential criminal or civil liability. Common examples include, but are not limited to, details of personnel matters, unapproved or non-public policy, process, or organizational changes, and legal proceedings. Data mishandling could result in civil liability or severe financial and/or reputational loss.

Restricted

Information whose loss, corruption, or unauthorized disclosure would cause severe personal, financial, or reputational harm to the institution, employees, or the constituents the College serves. Common examples include, but are not limited to, FERPA information (non-directory), passports, social security numbers, driver's licenses, banking information, health information, payment card information, and information systems’ authentication data. Data mishandling could result in federal, state, and/or international liability, civil liability, identity or financial fraud, extreme financial loss, or the unavailability of critical systems.

Sensitive

Information whose loss, corruption, or unauthorized disclosure would cause limited personal, financial, or reputational harm to the institution, employees, or the constituents the College serves. Common examples include, but are not limited to, some elements of Family Educational Rights and Privacy Act (FERPA) data, contracts with specific partnership arrangements included, and process documentation for essential business processes. Data mishandling could result in limited identity theft, minor financial and/or reputational loss, or reduced ability to maintain business continuity.

Public Information

Information whose loss, corruption, or unauthorized disclosure would cause minimal or no personal, financial, or reputational harm to the institution, employees, or the constituents the College serves. Common examples include but are not limited to sales and marketing strategies, promotional information, published research data, and policies.

Classification Process

Constituents interact with information assets according to their prescribed classification determined by their role with the College. Employees and others handling such information are responsible for following applicable policies to ensure appropriate access controls, labeling, retention, and destruction methods. Specific methods of retention and destruction can be found in the Record Retention Policy.

Information systems managed by Keuka College that store, process, or transmit institutional data shall be protected using security controls that are reasonable and appropriate. Security controls will be implemented by the IT Department.

Individuals authorized to access institutional data shall adhere to the guidelines set forth in the documentation approved by the IT Department and any system/data-specific requirements imposed by the relevant Data Steward. No unauthorized use, handling, transmission, or other forms of dissemination of institutional data is permitted.

Reclassification

The responsible Data Stewards will re-evaluate classified data assets at least once per year. Reclassification of data assets should be considered whenever the data asset is modified, retired, or destroyed.

Regular review of classifications is required on a periodic basis and may result in a reclassification.

Classification Inheritance 

Logical or physical assets that "contain" a data asset may inherit classification from the data asset(s) contained therein. In these cases, the inherited classification shall be the highest classification of all contained data assets.

Enforcement

Users who violate this policy may be denied access to the institution’s resources and may be subject to penalties and disciplinary action both within and outside of the institution. The institution may temporarily suspend or block access to an account before the initiation or completion of such procedures when it appears reasonably necessary to protect the integrity, security, or functionality of the institution or other computing resources or to protect the institution from liability.

Exceptions

Exceptions to this policy must be approved in advance by the Associate Vice President of Technical Solutions at the request of the responsible Data Steward. Approved exceptions are subject to review.