This procedure defines standards for Data Classification
The policy applies to all individuals who have, or are responsible for, an account (or any form of access that supports or requires a password) on any system that resides at any College facility, has access to the College network, or stores any non-public College information.
Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the College should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of four sensitivity levels, or classifications.
College information includes verbal, digital, and hard copies (physical documents); individually controlled or shared; networked or stand-alone; and for use of administration, teaching or similar purposes.
Restricted – Restricted is a generalized term that typically represents data classified as the highest risk, according to the data classification scheme defined in this Guideline. This term is often used interchangeably with sensitive data. Restricted information must be handled with an understanding of sensitive data and information. Data of this nature are stored and shared in a secure environment. Access is controlled through password protected devices and a secure network connection. Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the College or its affiliates. Examples of Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied to Restricted data. Personally Identifiable Information (PII) and information protected by the Family Educational Rights and Privacy Act (FERPA), including student education records, are ALWAYS Restricted data.
Private/Confidential – Confidential is defined as all data owned or licensed by the College (“Institutional Data”). Data should be classified as Private/Confidential when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the College or its affiliates. By default, all institutional data that is not explicitly classified as Restricted or Public data shall be treated as Private/Confidential data. A reasonable level of security controls shall be applied to Private/Confidential data and requires safe handling, awareness of sensitivity and safe handling. Private/Confidential data is stored to protect information integrity and shared in a secure environment. Access is controlled through password protected devices and on a secure network.
Unrestricted within Northland Pioneer College – Unrestricted is defined as any information that is classified as internally sharable information according to the data classification scheme defined in this Guideline. Unrestricted within the College includes data and information that is intended to be freely shared among members of the NPC community. Unrestricted information may be stored without required encryption and shared within the business environment. Digitally, the information must be accessed through a password protected device.
Public Data– Public is a generalized term that typically represents data classified as lowest risk or generally shareable, according to the data classification scheme defined in this Guideline. Public data is information intended to be freely shared or discloses both within and outside of NPC. Public data is not required to be encrypted and is permissibly stored through all available NPC storage options. This information may be shared with anyone, at any time. Access is permitted through both secure and public WiFi channels. Device passwords are not required but always recommended. Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would results in little or no risk to the College and its affiliates. Examples of Public data include press releases, course information and research publications. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.
- Restricted – Highest Protection Level
- Federal Protected data (FERPA, HIPAA, etc.)
- Personal Identifying Information
- Social Security Numbers
- Bank Account Numbers/Information
- Payroll/Tax Information
- Driver License Numbers
- State Identity Card Numbers
- Credit Card Numbers
- Private/Confidential – High Protection Level
- All non-restricted information in personnel files
- Contractor Information
- Individual schedules/calendars
- Unrestricted within NPC – Medium Protection Level
- Information intended to be freely shared among members of the NPC community.
- College based resources designed for faculty, staff and student use
- Public – Low Protection Level
- Public-facing campus directories
- Course offerings
- Press releases
- Strategic Plan
- Departmental/Public websites