Skip to content

test

1.0 PURPOSE

The purpose of this policy is to establish a framework for classifying and handling data based on its level of sensitivity. Classification of data will determine the baseline security controls for the protection of data. This policy applies to all Snow College employees who access, process, or store sensitive Snow College data.

2.0 Definitions

  • Personally Identifiable Information (PII) – Any information that permits to the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to Snow College.
  • Sensitive PII - Includes but is not limited to; social security numbers, driver’s license numbers, financial or medical records, biometrics, or criminal history. This data requires stricter handling guidelines because of the increased risk to an individual if the data is compromised.
  • Data Owner - An individual or group of people who have been officially designated as accountable for specific data that is transmitted, used, and stored on a system or systems within a department, college, school,or administrative unit Snow College.
  • Data Custodian - Employee of the college who has administrative and/or operational responsibility over information assets.
  • Institutional Data - All data owned or licensed by Snow College.
  • Information Assets - Definable pieces of information in any form, recorded or stored on any media that is recognized as “valuable” to the college.
  • Non-Public Information - Any information that is classified as internal or private according to the data classification scheme.

3.0 Policy

  1. Data classification, in the context of Information Security, is the classification of data based on its level of sensitivity and the impact to the organization should that data be disclosed, altered, or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of three sensitivity levels (tiers), or classifications:
    • Personally Identifiable Information (PII) Unauthorized disclosure, alteration or destruction of this type of data could cause a significant level of risk to Snow College or its affiliates. The impact of this type of data is critical and needs to be protected.
    • Internal Data - Unauthorized disclosure, alteration or destruction of this type of data could result in a moderate level of risk to Snow College or its affiliates. The risk for negative impact on the college should this information is typically moderate. Examples of internal data include official college records such as financial reports, purchase orders, processes, and some research data.
    • Public Data - Unauthorized disclosure, alteration or destruction of this type of data would result in little or no risk Snow College and its affiliates.