To define the college’s data classification categories consistent with the minimum standards for the classification level as described in related information security standards, procedures, and guidelines.
This policy applies to all members of the college’s community as well as to external vendors and contractors who receive and maintain collections of college enterprise data.
All enterprise data stored on college systems, or non-college owned resources where college business is transacted, must be classified into one of the three categories defined by this policy and detailed below in the classification matrix. Based on this matrix, data stewards, data custodians, and data consumers/users are required to implement appropriate administrative, technical, and physical controls to protect the data in keeping with the classification of that data.
When information from multiple classifications is co-located on the same system without effective means of isolation, or within the same repository, database, archive, or record, the minimum-security controls of the category representing the highest risk must be applied. As an example, if names and social security numbers were included in meeting minutes, then Category I protections would be required for that document.
These requirements exist in addition to all other college policies and federal and state regulations governing the protection of enterprise data. Compliance with this requirement alone will not ensure that data will be properly secured. Rather, data classification should be considered an integral part of a comprehensive information security plan.
Note: Consistent with the notion of incidental use (use of college resources such as email not directly related to job duties), personal data belonging to employees stored on a college resource is not considered enterprise data.
(Examples are not an exhaustive list of the classification’s data.)
Personally Identifiable data includes information whose unauthorized access or loss could seriously or adversely affect SUNY Empire State College; an authorized, contracted partner; specific individuals, or the public. Security breaches of this information are subject to the NY State Information Security and Breach Notification Act and other federal, state, and industry rules and regulations.
Regulated data includes information subject to Family Educational Rights and Privacy Act (FERPA) or other federal, state, or business regulations (e.g., Health Insurance Portability and Accountability Act (HIPAA), Red Flags Rule) that require specific levels of protection to prevent its unauthorized modification or use.
Internal Use Data
Category II includes non-public, internal use information that is not subject to state or federally mandated protections.
This includes data exempt from disclosure in NY State’s Freedom of Information Law (FOIL), as well as information that would normally require a FOIL request for public release.
All public data
The Data Governance committee will be responsible for reviewing and updating this policy as necessary. This committee shall be composed of the appropriate people from Enterprise Systems and Infrastructure (ESI), as well as from compliance and data governance.
A team from ESI will approve how enterprise data is stored, processed and transmitted by the college and by third-party agents of the college. This approval will be handled through review of data flow documentation maintained by a data custodian. In situations where enterprise data is being managed by a third party, the contract or service level agreement should require documentation of how enterprise data is or will be stored, processed and transmitted.
Data stewards are college administrators whose areas have responsibility for managing a segment of the college's enterprise data resources. Responsibilities of a data steward include the following:
A data custodian is an employee of the college who has operational responsibility over enterprise data. In many cases, there will be multiple data custodians. An enterprise application may have teams of data custodians, each responsible for varying functions. A data custodian is responsible for the following:
A data consumer/user is a person who has been authorized access to specific enterprise data. Data consumers/users are required to abide by all data classification rules defined by both this policy and the data custodian.
If a data steward, data custodian or data consumer/user discovers a security breach of any kind, it must be immediately reported to the technology service desk in ITS. The ESI team will take immediate action to mitigate the breach and begin forensic discovery to determine its cause.
Violations of this policy by employees or students may result in immediate suspension or revocation of information technology resources privileges and/or disciplinary action. Additionally, violations of state and/or federal laws in the use of the enterprise data may also result in criminal prosecution and/or civil liability.
FERPA; HIPAA; FOIL; GLBA; Red Flags Rule; NYS Information Security Policies (https://www.its.ny.gov/eiso/policies/security)