Data Classification Guide
This document is currently in Recommended status. It has been approved by the Information Security Governance committee and is currently under review by the other governance committees for final approval.
Standard Number: 1.2.A
Effective Date: 12/16/2010
Policy applicable for: Faculty/Staff
Responsible Office(s): BU Information Security
Policy Owner and Source of Approval: Information Security & Business Continuity Governance
Associated Standards/Regulations: HIPAA, FERPA, GLB, PCI, Mass General Law
Purpose & Overview
University Data is information generated by or for, owned by, or otherwise in the possession of Boston University that is related to the University’s activities. University Data may exist in any format (e.g., electronic, paper) and includes, but is not limited to, all academic, administrative, and research data, as well as the computing infrastructure and program code that support the business of Boston University.
In order to effectively secure University Data, we must have a vocabulary that we can use to describe and quantify the amount of protection required. This guideline defines four categories into which all University Data can be divided: Public, Internal, Confidential, and Restricted Use. University Data that is classified as Public may be disclosed to any person regardless of their affiliation with the University. All other University Data is considered Sensitive Information and must be protected appropriately. This document provides definitions for and examples of each of the four categories. The Data Protection Requirements (1.2.D) specify the level of security protection required for each category of data.
The various units and departments at the University have a multitude of types of documents and data. To the extent particular documents or data types are not explicitly addressed within this Guide, each business unit or department should classify its data by considering the potential for harm to individuals or the University in the event of unintended disclosure, modification, or loss. The Departmental Security Administrator may assist with the classification process and coordinate with the BU Information Security Team to achieve consistency across the University. When classifying data, each department should weigh the risk created by an unintended disclosure, modification or loss against the need to encourage open discussion, improve efficiency and further the University’s goals of the creation and dissemination of knowledge. Departments should be particularly mindful to protect sensitive personal information, such as Social Security Numbers, drivers’ license numbers and financial account numbers, disclosure of which may create the risk of identity theft.
Some information could be classified differently at different times. For example, information that was once considered to be Confidential data may become Public data once it has been appropriately disclosed. Everyone with access to University Data should exercise good judgment in handling sensitive information and seek guidance from management as needed.
This classification scheme is to be applied to all University Data, both physical and electronic, throughout Boston University. No data item is too small to be classified.
A Note about Research
Boston University is committed to openness in research – freedom of access by all interested persons to the underlying data, to the processes, and to the final results of research. Research at Boston University generally should be widely and openly published and made available through broad dissemination or publication of the research results. Research data is generally considered to be classified as Public data unless there are specific requirements to maintain the confidentiality of research data, such as when a researcher is bound to protect the confidential information of a collaborating company or when the data relates to human subjects. For more information about research involving human subjects see the Office of Research Compliance, Office of Clinical Research, and Clinical Research Resource Office.
Public Data
Public data is information that may be disclosed to any person regardless of their affiliation with the University. The Public classification is not limited to data that is of public interest or intended to be distributed to the public; the classification applies to any data that does not require protection from disclosure. While it may be necessary to protect original (source) documents from unauthorized modification, Public data may be shared with a broad audience both within and outside the University community, and no steps need be taken to prevent its distribution.
Examples of Public data include: press releases, directory information (not subject to a FERPA block), course catalogs, application and request forms, and other general information that is openly shared. The type of information a department would choose to post on its website is a good example of Public data.
Internal Data
Internal data is information that is potentially sensitive and is not intended to be shared with the public. Internal data generally should not be disclosed outside of the University without the permission of the person or group that created the data. It is the responsibility of the data owner to designate information as Internal where appropriate. If you have questions about whether information is Internal or how to treat Internal data, you should talk to your dean or department head.
Examples of Internal data include: some memos, correspondence, and meeting minutes; contact lists that contain information that is not publicly available; and procedural documentation that should remain internal.
Confidential Data
Confidential data is information that, if made available to unauthorized parties, may adversely affect individuals or the business of Boston University. This classification also includes data that the University is required to keep confidential, either by law (e.g., FERPA) or under a confidentiality agreement with a third party, such as a vendor. This information should be protected against unauthorized disclosure or modification. Confidential data should be used only when necessary for business purposes and should be protected both when it is in use and when it is being stored or transported.
It is the responsibility of the data owner to designate information as Confidential where appropriate. Individuals and departments that create or circulate Confidential data should designate it by clearly marking both hard copies and electronic versions of documents as Confidential. Those who receive data marked as Confidential should take appropriate steps to protect it.
Any unauthorized disclosure or loss of Confidential data must be reported to the appropriate dean or department head. The dean or department head should determine whether to report the unauthorized disclosure or loss of Confidential data to the Information Services & Technology Incident Response Team (617-358-1100), who in turn will contact the Information Security Program Director, as appropriate. Unintentional modification of original (source) documents should be reported to the dean or department head.
Confidential data includes:
- Information covered by the Family Educational Rights and Privacy Act (FERPA), which requires protection of records for current and former students.
- Personally identifiable information entrusted to our care that is not Restricted Use data, such as information regarding applicants, alumni, donors, potential donors, or parents of current or former students.
- Information covered by the Gramm-Leach-Bliley Act (GLB), which requires protection of certain financial records.
- Individual employment information, including salary, benefits and performance appraisals for current, former, and prospective employees.
- Legally privileged information.
- Information that is the subject of a confidentiality agreement.
Restricted Use Data
Restricted Use data includes any information that BU has a contractual, legal, or regulatory obligation to safeguard in the most stringent manner. In some cases, unauthorized disclosure or loss of this data would require the University to notify the affected individual and state or federal authorities. In some cases, modification of the data would require informing the affected individual. BU’s obligations will depend on the particular data and the relevant contract or laws. Restricted Use data includes:
- Protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA), which sets standards for protection of medical records and patient data.
- Certain types of personal information, including an individual’s name plus the individual’s Social Security Number, driver’s license number, or financial account number, covered under Massachusetts General Laws chapter 93H and Massachusetts regulation 201 CMR 17.
- Financial account numbers covered by the Payment Card Industry Data Security Standard (PCI-DSS), which controls how credit card information is accepted, used, and stored.
- Data controlled by U.S. Export Control Law such as the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR). ITAR and EAR have additional requirements. See the Export Controls site for details.
- U.S. Government Classified Data (these may be subject to additional controls, contact BU Information Security to discuss.)
- Data used to authenticate or authorize individuals to use electronic resources, such as passwords, keys, and other electronic tokens.
Restricted Use data should be used only when no alternative exists and must be carefully protected. It must be encrypted both in transit and when stored on a portable electronic device. In addition, original (source) documents should be protected from unauthorized modification.
Individuals and departments that create or circulate Restricted Use data should designate it by clearly marking both hard copies and electronic versions of documents as Restricted Use. Those who receive data marked as Restricted Use should take appropriate steps to protect it.
Any unauthorized disclosure or loss of Restricted Use data must be reported to the BU Incident Response Team (617-358-1100), which will report to the Information Security Program Director. Unintentional modification of original (source) documents should be reported to the dean or department head and to the BU Incident Response Team.
Resolving Conflicts between this Guideline and Other Regulations
Some data may be subject to specific protection requirements under a contract or grant, or according to a law or regulation not described here. In those circumstances, the most restrictive protection requirements should apply. If you have questions, please contact your supervisor, your Departmental Security Administrator, the Information Security Program Director, or any of the other key contacts within the University on the subject of information security. http://www.bu.edu/executivevp/personal-information/contact-us/
Failure to comply with the Data Protection Standards may result in harm to individuals, organizations or Boston University. The unauthorized or unacceptable use of University Data, including the failure to comply with these standards, constitutes a violation of University policy and may subject the User to revocation of the privilege to use University Data or Information Technology or disciplinary action, up to and including termination of employment.
The Boston University Data Protection Standards:
- 1.2.A – Data Classification Guide
- 1.2.B – Data Management Guide
- 1.2.C – Access Management and Authentication Requirements
- 1.2.D – Data Protection Requirements & 1.2.D.1 – Media Destruction One-Sheets
- 1.2.E – Minimum Security Standards
- 1.2.F – Education, Compliance and Remediation
References & Related Documents:
- HIPAA BU Health Insurance Portability and Accountability Act Policy – Text of Law
- FERPA BU Family Educational Rights and Privacy Act Policy – Text of Law
- GLBA BU Gramm-Leach-Bliley Act Safeguarding Program – Text of Law
- ISO 27001 – International Organization for Standardization, Information Security Management Systems
- COBIT 4.0 – ISACA Control Objectives for Information and related Technology
- Massachusetts General Law Chapter 93H (the Massachusetts Identity Theft Law)
- Massachusetts Regulation 201 CMR 17 (Standards for the Protection of Personal Information of Residents of the Commonwealth)
- BU Information Security Policy
- BU Personal Information Protection Guidelines
- Office of Research Compliance
- Risk Acceptance Policy and Risk Acceptance Form (Contact BU Information Security)
- BU Information Security – Incident Response Team (617) 358-1100
- Executive Director & Information Security Officer Quinn Shamblin (617) 358-6310
- VP of Information Services and Technology Tracy Schroeder (617) 353-1155
- Information Security Program Director John Imbergamo (617) 353-2290
Revision History:
- 12/10/2010 – Original Draft – BU Information Security – Original
- 12/16/2010 – Approved – BU Information Security Governance Committee – Original