This document establishes a framework in which to classify institutional data into categories that determine the level of internal control necessary to protect against theft, compromise, and inappropriate use.
University policies and procedures related to security of the University's information technology resources, computers, networking systems, and data were endorsed during the 2011-2012 academic year. The Policy on Security of Information Technology Resources and Systems (9.8) establishes a framework for the protection of the University's information technology resources, computers, networking systems, and data to aid the University in meeting its regulatory and legal obligations with regard to information security and privacy. The Procedure for Defining Enterprise Data Repository Management Roles and Responsibilities (9.8.3) calls upon the Data Stewardship and Information Technology Services Council to define the standards for a Master Data Access Plan, including adopting and defining levels for data classification. This Procedure adopts and defines the levels for data classification and the protocol for handling data by classification.
Data are strategic assets of the University. While data are stored in different database management systems, housed on a number of different platforms and maintained by several custodians, they collectively form the University's Enterprise Data Repository (EDR).
The classification schema presented in this document is informed by the level of risk associated with the loss, alteration, or disclosure of data (numbers, characters, images or other forms of output) and will help determine the appropriate security measures and controls for protecting data. Existing data elements/categories are provided in Appendix A. New data elements will be temporarily classified by the Data Steward according to the definitions in this policy and using the Data Classification Form. A change in an existing data element or category must also be requested by the Data Steward using the Data Classification Form. The data classification form can be accessed from the Information Security Website at http://at.illinoisstate.edu/iso. The Data Steward's recommended classification will be sent to the Chair of the Data Stewardship Council for review and approval by the Council.
Handling information means viewing, using, updating, deleting, or destroying data, and also transferring data from one location to another. Data can be in paper or electronic form. Based on how data are classified (highly restricted, restricted, or unrestricted) and on their form, certain precautions must be taken when handling them. Information should be handled according to the highest classification level of data contained in the document, unless law or University policy requires or permits otherwise. For example, if a document contains both highly restricted and unrestricted information, the document should be handled according to the highly restricted classification.
Appendix B provides a high level overview of data handling. Data handling includes electronic or hard-copy access, transmission, storage, disposal, secondary use, and external use. For a more detailed procedure with specific security measures and requirements please refer to Procedure for Securing and Accessing Each of the Data/System Classifications (9.8.2).
Appendix A: Data Classification Definitions
Definition: Highly restricted data are numbers, characters, images, or other forms of output that are typically protected by federal or state law, regulation, or University policy, or for which the University is required to take action (breach notification or self-reporting) if the data are inappropriately accessed or disclosed. Data are also identified as 'highly restricted' when their unauthorized disclosure, alteration, or destruction could cause a significant level of risk to the University or have an adverse effect on the University's operations, access, or individuals.
Potential Consequences of Unauthorized Disclosure: Reputational and financial losses, criminal or civil penalties, identity theft, personal financial loss, invasion of privacy, and legal sanctions for the organization.
Highly Restricted Data Categories/Elements
• Account payment history
• Application fee waiver documentation and reason
• Background Checks - Employee, Academic Program Admissions (e.g. Nursing, teacher certification)
• Bank Account Number or other financial account numbers
• Birth date (year)
• Certificate/License Number
• Credit Card Number
• Debit Card Number
• Directory Information Restricted by Employee
• Directory Information Restricted by Student
• Disability Records and status
• Driver's License Number
• Electrical Diagrams
• Electronic door access
• Free Application for Federal Student Aid Application
• Garnishment of wages
• Genetic identifiers
• Human Resources Benefits Records (e.g., workers' compensation, medical documentation)
• Internal Audit Records and Materials
• Job action material (e.g. censures, actions, evaluations)
• Unfunded and pre-award grant proposals and abstracts
• Library Material Checked out
• Location or management of hazardous materials
• Marital Status
• Medical records and personal health information (PHI) (e.g., pharmacy records, student health records, clinic records)
• Name of Donor Requesting Anonymity
• Network Diagrams
• Passwords, passphrases, PIN numbers, security codes, access codes
• Payroll information (e.g. taxes, deductions, etc.)
• Personally identifiable information (PII) human subjects
• Police Reports Detail Exempt under FOIA
• Social Security Number
• State Identification Card Number
• Student Application Criminal History (self-reported) Status
• Student Evaluations
• Student Judicial Records and Proceedings
• Student Loan Accounts and Information (e.g. account numbers, credit information, credit scores)
• Student Scholarship Information
Definition: Restricted data are numbers, characters, images, or other forms of output that may not be accessed without specific authorization or consent because of legal, ethical, or other constraints. Access to these data is limited to employees of the University and individuals working pursuant to a contract with the University who have a role-based need to see and use the information. The data may be used only to conduct University business, and all use must follow applicable laws, regulations, and University policies and procedures.
Potential Consequences of Unauthorized Disclosure: Reputational and financial loss, a hindrance to productivity, or a competitive disadvantage for the organization.
Restricted Data Categories/Elements
• Application fee waiver granted (yes/no)
• Alumni Surveys
• Birth date (month and day)
• Course Rosters
• Dining Halls - Dining Plans and Usage
• Emergency contact person
• Facility Availability
• Facility Floor plans
• Facility Maintenance Records
• Facility work orders, staff time on project, etc.
• Military Status
• Photograph (student and employee)
• Race/Ethnicity
• Staff Calendar/Schedule
• Staff Sick and Vacation Time Used
• Student Fitness Center Membership and Usage
• Student Grades
• Student schedules
• University ID
• Veteran Status
• Wellness Center Program Enrollment
• Work Authorization (I-9)
• Video tapes
• Any other FERPA protected data not listed
Definition: Unrestricted data are numbers, characters, images, or other forms of output that have few internal restrictions. Some data elements classified as unrestricted still have certain dissemination restrictions and access may be denied.
Potential Consequences of Disclosure: Loss of access to resources, resource drain, or a financial loss for the organization.
Unrestricted Data Categories/Elements
• Arboretum Catalog
• Business Address
• Business Telephone Number
• Class Level, Grade level
• Course Listings
• Crime Incidents (Clery Act)
• Dates of first and last employment
• Education & Training Background
• Educational Level (Staff and Student)
• Employment Status (Full-time/Part-time)
• Enrollment Status (Full-time/Part-time)
• Facilities Name, Size, Age, etc.
• Faculty Rank
• Financial Data - Appropriations
• Financial Data - Budget
• Financial Data - Expenditures Annual report
• Giving level for honor roll
• Grant Application
• Grant Finances
• Home Mailing Address
• Home Phone Number
• Job Description
• Job Title
• Library Catalog
• Major Field of Study
• Meeting Notes pursuant to the Open Meetings Act
• Place of Birth (Student)
• Previous work experience
• Scholarly Productivity
• Staff Sick and Vacation Time Awarded
• State Audit Reports
• Student honors and awards
• Student: dates of attendance
• Weight/height of intercollegiate athletic team members
Appendix B: Data Handling Requirements*
| | Highly Restricted Data | Restricted Data | Unrestricted Data |
|---|---|---|---|
| Access Protocol | Master Access Plan; any exception must be approved by the Council | Master Access Plan | Master Access Plan |
| Transmission Protocol | National Institute of Standards and Technology (NIST)-approved encryption is required when transmitting information through the network; third-party (personal) email services are not appropriate for transmitting this information; restricted data may be masked instead of encrypted if displaying | NIST-approved encryption is strongly recommended when transmitting information outside the ISU network; third-party (personal) email services are discouraged for transmitting this information | No special controls |
| Storage Protocol | Data in this category may only be stored on University servers (no desktop, laptop, or cloud environment) unless specifically approved by the Stewardship Council; if approved, encryption and/or masking is required | Encryption of restricted information is strongly recommended if stored on desktops, laptops, thumb drives, or personal devices such as smart phones and other PDAs. The required level of protection for restricted information is set either by ISU policy or procedure (e.g. 9.8.2) or at the discretion of the Stewardship Council; if the appropriate level of protection is not known, check with the Stewardship Council before storing restricted information outside of ISU servers | No special controls |
| Data Disposal | Shred reports; Department of Defense (DoD)-level wipe or destruction of electronic media | Recycle reports; wipe/erase media | No special controls unless on non-University equipment (see Procedure 9.8.2) |
| Secondary Use (use of the data other than for the requested purpose) | Prohibited | As authorized by Business Owner | As authorized by Business Process Owner |
| External Data Sharing | As required by Federal regulations, Illinois Open Records Law, FERPA regulations, and external contracts and agreements | As required by Federal regulations, Illinois Open Records Law, FERPA regulations, and external contracts and agreements | As authorized by Business Process Owner |
| Auditing (IT Audit Logs) | Logins, accesses, and changes | Logins | No special controls |
| Review | Annually or as needed | Annually or as needed | Annually or as needed |
* For a more detailed procedure with specific security measures and requirements please refer to Procedure for Securing and Accessing Each of the Data/System Classifications (9.8.2).
Last review: January 2015