The purpose of this policy is to establish a framework for classifying and handling data based on its level of sensitivity. Classification of data will determine the baseline security controls for the protection of data. This policy applies to all Snow College employees who access, process, or store sensitive Snow College data.
2.1 Personally Identifiable Information (PII) – Any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to Snow College.
2.2 Sensitive PII - Includes, but is not limited to, social security numbers, driver’s license numbers, financial or medical records, biometrics, or criminal history. This data requires stricter handling guidelines because of the increased risk to an individual if the data is compromised.
2.3 Data Owner - An individual or group of people who have been officially designated as accountable for specific data that is transmitted, used, and stored on a system or systems within a department, college, school, or administrative unit of Snow College.
2.4 Data Custodian - Employee of the college who has administrative and/or operational responsibility over information assets.
2.5 Institutional Data - All data owned or licensed by Snow College.
2.6 Information Assets - Definable pieces of information in any form, recorded or stored on any media that is recognized as “valuable” to the college.
2.7 Non-Public Information - Any information that is classified as internal or private according to the data classification scheme.
3.1. Data classification, in the context of Information Security, is the classification of data based on its level of sensitivity and the impact to the organization should that data be disclosed, altered, or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of three sensitivity levels (tiers), or classifications:
3.1.1 Personally Identifiable Information (PII) - Unauthorized disclosure, alteration or destruction of this type of data could cause a significant level of risk to Snow College or its affiliates. The impact of this type of data is critical, and the data needs to be protected.
3.1.2 Internal Data - Unauthorized disclosure, alteration or destruction of this type of data could result in a moderate level of risk to Snow College or its affiliates. The risk for negative impact on the college should this information is typically moderate. Examples of internal data include official college records such as financial reports, purchase orders, processes, and some research data.
3.1.3 Public Data - Unauthorized disclosure, alteration or destruction of this type of data would result in little or no risk to Snow College and its affiliates.
3.2. Determining Classification
3.2.1. The goal of information security, as stated in the College’s Information Security Policy, is to protect the confidentiality, integrity and availability of information assets and systems. Data classification reflects the level of impact to the College if confidentiality, integrity or availability of the data is compromised.
3.3. Data Handling Requirements
3.3.1. For each classification, several data handling requirements are defined to appropriately safeguard the information. It's important to understand that overall sensitivity of institutional data encompasses not only its confidentiality but also the need for integrity and availability.
3.3.2. The attached table defines required safeguards for protecting data and data collections based on their classification. In addition to the following data security standards, any data covered by federal or state laws or regulations or contractual agreements must meet the security requirements defined by those laws, regulations, or contracts.
3.3.3. Predefined Types of PII Information Assets. Based upon state, federal, and contractual requirements that Snow College is bound by, the following information assets have been predefined as PII data and must be protected.
3.3.3.1. Personally Identifiable Education Records. Covered under FERPA.
Personally Identifiable Education Records are defined as any education records that contain one or more of the following personal identifiers:
• Student Badger ID Number
• Grades, GPA, Credits Enrolled
• Social Security Number
• A list of personal characteristics or any other information that would make the student's identity easily traceable
3.3.3.2. Personally Identifiable Financial Information (PIFI). Covered under GLBA. For the purpose of meeting security breach notification requirements, PII is defined as a person's first name or first initial and last name in combination with one or more of the following data elements:
• Social security number
• State-issued driver's license number
• Date of Birth
• Financial account number in combination with a security code, access code or password that would permit access to the account
3.3.3.3. Payment Card Information. Covered under PCI DSS. Payment card information is defined as a credit card number (also referred to as a primary account number or PAN) in combination with one or more of the following data elements:
• Cardholder name
• Service code
• Expiration date
• CVC2, CVV2 or CID value
• PIN or PIN block
• Contents of a credit card's magnetic stripe
• Contents of Card Chip
3.3.3.4. Protected Health Information (PHI). Covered under HIPAA. PHI is defined as any individually identifiable information that is stored by a covered entity, and related to one or more of the following:
• Past, present or future physical or mental health condition of an individual.
• Provision of health care to an individual.
• Past, present or future payment for the provision of health care to an individual
• PHI is considered individually identifiable if it contains one or more of the following identifiers:
◦ Name
◦ Address (all geographic subdivisions smaller than state including street address, city, county, precinct or zip code)
◦ All elements of dates (except year) related to an individual including birth date, admissions date, discharge date, date of death and exact age if over 89
◦ Telephone/Fax numbers
◦ Electronic mail addresses
◦ Social security numbers
◦ Medical record numbers
◦ Health plan beneficiary numbers
◦ Account numbers
◦ Certificate/license numbers
◦ Vehicle identifiers and serial numbers, including license plate number
◦ Device identifiers and serial numbers
◦ Universal Resource Locators (URLs)
◦ Internet protocol (IP) addresses
◦ Biometric identifiers, including finger and voice prints
◦ Full face photographic images and any comparable images
◦ Any other unique identifying number or characteristic that could identify an individual
• If the health information does not contain one of the above referenced identifiers and there is no reasonable basis to believe that the information can be used to identify an individual, it is not considered individually identifiable and, as a result, would not be considered PHI.
12.4 Information Security Policy
12.5 Information Technology Acceptable Use Policy
Classification | Definition | Access Restrictions | Transmission | Storage | Disposal |
Public | Information deemed to be public by legislation or policy. Information is in the public domain. Examples include annual reports, public announcements, the telephone directory, and specific categories of employee and student information. | No restrictions on access. | No special handling required. | No special safeguards required. | Media can be recycled. |
Internal Use | Information not approved for general circulation outside the College. Loss would inconvenience the College or management; disclosure is unlikely to result in financial loss or serious damage to credibility. Examples include internal memos, minutes of meetings, internal project reports. | Access limited to employees and other authorized users. | No special handling required. | Access controlled by physical (locks) or electronic (passwords) safeguards. | Shredded or erased media. |
Identifiable Information (PII) | Information that is available only to authorized persons. Loss could seriously impede the College’s operations; disclosure could have a significant financial impact or cause damage to the College’s reputation. Examples include specific categories of employee and student information, unit budgets, accounting information, and information protected by legal privilege. | Access limited to those with a demonstrated need to know and official approval. | Encryption mandatory for public networks. Encryption optional for internal networks. | Access controlled by physical (locks) or electronic (passwords or two-factor authentication) safeguards. | Shredded, degaussed or destroyed. |