Enterprise Data Classification Policy

Sponsor: Information Technology Services (ITS)

Contact: Data Governance Lead(s) and Information Security Lead(s)

Category: Information Security and Technology

Number: 1000.018

Effective Date: 2017/06/08

Implementation History: June 8, 2017

Keywords: Category, classification, controls, data consumers/users, data custodian, data steward, disclosure, enterprise data, protected, risk, security

Background Information:

Purpose

To define the university’s data classification categories consistent with the minimum standards for the classification level as described in related information security standards, procedures, and guidelines.

Definitions

  1. Category I: This is protected data with high/medium risk from disclosure. This category covers personally identifiable data that includes information whose unauthorized access or loss could seriously or adversely affect the university, an authorized contract partner, specific individuals, or the public. This data is subject to state or federally mandated protections, as well as industry rules and regulations.
  2. Category II: This is internal use data with medium/low risk from disclosure. This category covers nonpublic, internal use information that is not subject to state or federally mandated protections.
  3. Category III: This is all public data, which has no risk from disclosure.
  4. Data Consumers/Users: Employees or agents of the university who access enterprise data in performance of their assigned duties.
  5. Data Custodians: University officials and their staff who have operational-level responsibility for the capture, maintenance, dissemination, and storage of enterprise data.
  6. Data Stewards: University administrators whose areas have responsibility for managing a segment of the university’s enterprise data resources.
  7. Enterprise Data: Enterprise data is a subset of the university’s information resources and administrative records and includes any information in print, electronic, or audio-visual format that meets the following criteria:
    • Acquired and/or maintained by university employees in performance of official administrative job duties;
    • Created or updated via use of a university enterprise system or used to update data in an enterprise system;
    • Relevant to planning, managing, operating, or auditing a major function of the university;
    • Referenced or required for use by more than one organizational unit; and
    • Included in official administrative reports or official university records.

Statements

This policy applies to all members of the university’s community as well as to external vendors and contractors who receive and maintain collections of university enterprise data.

Enterprise Data Classification and Security Controls Requirements

All enterprise data stored on university systems, or non-university owned resources where university business is transacted, must be classified into one of the three categories defined by this policy and detailed below in the classification matrix. Based on this matrix, data stewards, data custodians, and data consumers/users are required to implement appropriate administrative, technical, and physical controls to protect the data in keeping with the classification of that data.

When information from multiple classifications is co-located on the same system without effective means of isolation, or within the same repository, database, archive, or record, the minimum security controls of the category representing the highest risk must be applied. As an example, if names and social security numbers were included in meeting minutes, then Category I protections would be required for that document.

These requirements exist in addition to all other university policies and federal and state regulations governing the protection of enterprise data. Compliance with this requirement alone will not ensure that data will be properly secured. Rather, data classification should be considered an integral part of a comprehensive information security plan.

Note: Consistent with the notion of incidental use (use of university resources such as email not directly related to job duties), personal data belonging to employees stored on a university resource is not considered enterprise data.

Classification Matrix

(Examples are not an exhaustive list of the classification’s data.)

Category I: Protected Data

Disclosure Risk: High/Medium

Definition:

Personally identifiable data includes information whose unauthorized access or loss could seriously or adversely affect SUNY Empire State University; an authorized, contracted partner; specific individuals; or the public. Security breaches of this information are subject to the NY State Information Security and Breach Notification Act and other federal, state, and industry rules and regulations.

Regulated data includes information subject to Family Educational Rights and Privacy Act (FERPA) or other federal, state, or business regulations (e.g., Health Insurance Portability and Accountability Act (HIPAA), Red Flags Rule) that require specific levels of protection to prevent its unauthorized modification or use.

Examples:

Statutory Data

  • Social Security Number
  • Driver's License Number
  • Department of Motor Vehicle State-issued Non-drivers ID Number
  • Bank/Financial Account Number
  • Credit/Debit Card Number
  • Electronic Protected Health Information-HIPAA
  • FERPA-protected data
  • Gramm Leach Bliley Act (GLBA) data and other data protected by law or regulation
  • Passport Number
  • Department of Defense (DOD) contracted “Applied Research”
  • Electronic Credentials (Personal Identification Numbers (PINs), Passwords, Tokens, etc.)
  • Law Enforcement Active Investigation Data

Declared Data

  • System Administrator/Net ID Authentication Credentials
  • Documents protected by Attorney Client Privilege

Category II: Internal Use Data

Disclosure Risk: Medium/Low

Definition:

Category II includes non-public, internal use information that is not subject to state or federally mandated protections.

This includes data exempt from disclosure in NY State’s Freedom of Information Law (FOIL), as well as information that would normally require a FOIL request for public release.

Examples:

  • Other HR Employment Data
  • Law Enforcement Post Investigation Data
  • Public Safety Information
  • IT Infrastructure Data
  • Collective Bargaining/Contract Negotiation Data
  • Trade Secret Data
  • Protected Data Related to Research
  • University Intellectual Property
  • University Proprietary Data
  • Data protected by non-disclosure agreements
  • University Financial Data
  • Empire State University Employee ID
  • Meeting Minutes
  • Administrative process data
  • Data about decisions that affect the public
  • Licensed Software
  • Inter- or Intra-Agency Data which are not: statistical or factual tabulations; instructions to staff that affect the public; final agency policy or determination; external audit data

Category III: Public Data

Disclosure Risk: None

Definition: All public data

Examples:

  • General access data, such as that on unauthenticated portions of esc.edu

Information Security Roles and Responsibilities

The Data Governance committee will be responsible for reviewing and updating this policy as necessary. This committee shall be composed of the appropriate people from Enterprise Systems and Infrastructure (ESI), as well as from compliance and data governance.

Enterprise Systems and Infrastructure (ESI)

A team from ESI will approve how enterprise data is stored, processed and transmitted by the university and by third-party agents of the university. This approval will be handled through review of data flow documentation maintained by a data custodian. In situations where enterprise data is being managed by a third party, the contract or service level agreement should require documentation of how enterprise data is or will be stored, processed and transmitted.

Data Steward

Data stewards are university administrators whose areas have responsibility for managing a segment of the university's enterprise data resources. Responsibilities of a data steward include the following:

  • Determining the appropriate criteria for obtaining access to enterprise data - A data steward is accountable for who has access to enterprise data. This does not imply that a data steward is responsible for day-to-day provisioning of access. Provisioning access is the responsibility of a data custodian in conjunction with Information Technology Services (ITS). A data steward may decide to review and authorize each access request individually or a data steward may define a set of rules that determine who is eligible for access based on business function, support role, etc. These rules should be documented in a manner that allows little or no room for interpretation by a data custodian. If no rule is present for a data set, the data custodian must consult the steward of the data before granting access or releasing data.
  • Understanding how enterprise data is stored, processed and transmitted by the university and by third-party agents of the university - While the ESI team is responsible for approving how enterprise data is stored, processed and transmitted based on SUNY's Information Security policy, it is important for the data steward to understand these standards in order to ensure reasonable and appropriate security controls are implemented. This can be accomplished through review of data flow documentation maintained by a data custodian. In situations where enterprise data is being managed by a third party, the contract or service level agreement should require documentation of how data is or will be stored, processed and transmitted.
  • Understanding risk tolerance and accepting or rejecting risk related to security threats that impact the confidentiality, integrity and availability of enterprise data - Information security requires a balance between security, usability and available resources. Risk management plays an important role in establishing this balance. Understanding what classifications of data are being stored, processed and transmitted will allow data stewards to better assess risks. Understanding legal obligations and the cost of non-compliance will also play a role in this decision-making. Both the information security team and SUNY counsel can assist data stewards in understanding risks and weighing options related to data protection.
  • Understanding how enterprise data is governed by university policies, state and federal regulations, contracts and other legally binding agreements - Data stewards should understand whether or not any university policies govern their enterprise data. Data stewards are responsible for having a general understanding of legal and contractual obligations surrounding enterprise data. SUNY counsel and the SUNY Information Security policy can assist data stewards in gaining a better understanding of legal obligations.

Data Custodian

A data custodian is an employee of the university who has operational responsibility over enterprise data. In many cases, there will be multiple data custodians. An enterprise application may have teams of data custodians, each responsible for varying functions. A data custodian is responsible for the following:

  • Understanding and reporting on how enterprise data is stored, processed and transmitted by the university and by third-party agents of the university - Understanding and documenting how enterprise data is being stored, processed and transmitted is the first step toward safeguarding that data. Without this knowledge, it is difficult to implement or validate safeguards in an effective manner. One method of performing this assessment is to create a data flow diagram for a subset of data that illustrates the system(s) storing the data, how the data is being processed and how the data traverses the network. Data flow diagrams can also illustrate security controls as they are implemented. Regardless of approach, documentation should exist and be made available to the appropriate data steward. Transmitting, storing and processing of data should be in conjunction with ITS.
  • Implementing appropriate physical and technical safeguards to protect the confidentiality, integrity and availability of enterprise data - ESI will implement reasonable and appropriate security controls for the classifications of data. Contractual obligations, regulatory requirements and industry standards also play an important role in implementing appropriate safeguards. Data custodians should work with data stewards to gain a better understanding of these requirements. Data custodians should also document what security controls have been implemented and where gaps may exist in current controls. This documentation should be made available to the appropriate data steward.
  • Documenting and disseminating administrative and operational procedures to ensure consistent storage, processing and transmission of enterprise data - Documenting operational procedures goes hand in hand with understanding how data is stored, processed and transmitted. Data custodians should document as many repeatable processes as possible. This will help ensure that university data is handled in a consistent manner. This will also help ensure that safeguards are being effectively leveraged.
  • Provisioning and de-provisioning access to enterprise data as authorized by the data steward - Data custodians are responsible for provisioning and de-provisioning access based on criteria established by the appropriate data steward. As specified above, standard procedures for provisioning and de-provisioning access should be documented and made available to the appropriate data steward.
  • Understanding and reporting on security risks and how they impact the confidentiality, integrity and availability of enterprise data - Data custodians should have a thorough understanding of security risks impacting their enterprise data. Security risks should be documented and reviewed with the appropriate data steward so that the steward can determine whether greater resources need to be devoted to mitigating these risks. The ESI team can assist data custodians with gaining a better understanding of their security risks.

Data Consumer/User

A data consumer/user is a person who has been authorized access to specific enterprise data. Data consumers/users are required to abide by all data classification rules defined by both this policy and the data custodian.

In the Event of a Breach

If a data steward, data custodian or data consumer/user discovers a security breach of any kind, it must be immediately reported to the technology service desk in ITS. The ESI team will take immediate action to mitigate the breach and begin forensic discovery to determine its cause.

Violation of this Policy

Violations of this policy by employees or students may result in immediate suspension or revocation of information technology resources privileges and/or disciplinary action. Additionally, violations of state and/or federal laws in the use of the enterprise data may also result in criminal prosecution and/or civil liability.

Applicable Legislation and Regulations

FERPA; HIPAA; FOIL; GLBA; Red Flags Rule; NYS Information Security Policies

Related References, Policies, Procedures, Forms and Appendices