| |
Data Classification Security Policy
PRELIMINARY DRAFT-Campus Approval Needed
(Updated 6.22.2006)
Introduction
Many federal and state laws regulate the collection, handling and disclosure of
University data
1, including the Family Rights to Privacy Act (FERPA),
the Health Insurance Portability and Accountability Act (HIPAA), the
Gramm-Leach-Bliley Act, and the Federal Privacy Act of 1974.
Exposure of confidential data to improper disclosure
or security risk
is a violation of these laws, and can result in the institution's
incurring
legal liability, financial liability, reputational loss, and loss of
trust.
In the case of exposure of restricted confidential data such
as SSNs, credit/debit card numbers, or protected health information,
an affected individual can become a victim of identity theft
and/or serious loss of privacy.
In addition, New York State has enacted an
Information Security Breach Notification Act which requires
all state agencies to notify individuals if there is a security breach involving
their personal information
Policy
All University data must be classified according to one of the
classification levels below, and must be consistently protected throughout
its life cycle (from its creation to its destruction) in a manner corresponding
to its sensitivity and/or criticality regardless of where it resides,
what form it takes, what technology is used to handle it, and what
purpose it serves.
As defined in the
Data Access, Security, and Acceptable Use of University Information Policy,
each Data Trustee is responsible for classifying University
Data in his/her area, using one of the classifications noted in the table
below. University data not otherwise specified will be considered to be For
Internal Use data.
Data Trustees and the Information Security Officer are responsible for determining the appropriate protective measures required for each classification
level.
Standards for Securing Private and Regulated Information
provides UB's requirements for the secure access, handling, usage, transmission,
storage, and disposal of data classified as "Confidential Restricted."
Purpose of Policy
The purpose of this policy is to provide a data classification system
for consistent handling and control of University data with respect
to security, access and confidentiality.
Applicability of Policy
This policy applies to all University data regardless of its medium
and/or form, and to all those who handle University information (faculty, staff, students, third party contractors,
and any others).
Classification of Institutional Data
Use the criteria in the following table to determine which data
classification is appropriate
for a particular information or infrastucture system.
Note: If you are creating a
new information system that will store or handle restricted data, you
should inform the Information Security Officer.
|
| PUBLIC
| INTERNAL USE
| CONFIDENTIAL
| CONFIDENTIAL RESTRICTED
|
| Sensitivity Level
| Open, unclassified
| Low-Medium
| Moderate-High
| High-Critical
|
| Legal Requirements
|
| Protection level of data is set by the owner or custodian
| Protection of data is required by legal or contractual obligation.
| Restricted data, subject to federal, state, and other regulations,
including NY State Breach Notification Act and/or HIPAA.
|
| Access
| Information authorized for release to the public
| UB employees/ non-employees with a business need to know
| Only those individuals with approved access
| Only those individuals with approved access and signed non-disclosure forms
|
| Definition
| Public information that can be disclosed without violating an individual's right to privacy.
| Instituional information that is intended for use within UB.
| Information that UB and its employees have a legal, regulatory, or
social obligation to protect. Unauthorized disclosure would violate individual privacy rights
| Highly regulated information: Unauthorized disclosure could subject individuals to identity theft and
could lead to substantial financial penalties and loss of reputation to
UB.
|
| Examples
| Course schedules, catalogs, campus brochures, maps
| Research detail or results that are not restricted data, management information
| Budget information, private employee information, student academic records, grades
| SSNs, credit/debit card numbers, drivers' license numbers, state-issued non-drivers'
ID numbers, protected health information
|
Policy Review and Update
The Associate VP for Information Technology or his designee will periodically
review and update this policy as needed. Questions concerning this
policy should be directed to the Office of the Associate VP for
Information Technology.
1
University data are items of information that are collected, maintained,
and utilized by the University for the purpose of carrying out institutional
business subject to or limited by any overriding contractual or
statutory regulations. Research data, scholarly work of faculty or
students, and intellectual property are not covered by this policy.
|
|
|
|
Related Links
|
