Data Classification Standards: I. Definitions

This document establishes data classification standards for Pima Community College to protect confidential data. It defines three classifications - public, internal use only, and confidential - and assigns responsibilities to data trustees, stewards, and processors to ensure accurate labeling and appropriate protections. Any unauthorized disclosure of internal use only or confidential data may result in disciplinary action or legal action.


Pima Community College

District Office, Information Security

Public

Data Classification Standards


Purpose: To protect the confidentiality, integrity, and availability of Pima Community College data pursuant to Data Trusteeship (SPG-5702/AB) and Security of the Information Technology Infrastructure (SPG-5702/AC) through the identification of information that requires protection.

Audience: All members of the Pima Community College community, including faculty, staff, and students.

Sponsoring Unit: Vice Chancellor of IT, 2008.

I. Definitions
A. Responsible parties

Data Trustees: Per SPG-5702/AB: The accuracy and completeness of the data within the Enterprise Resource Planning systems are the responsibility of functional units of the College. All student information and grants systems data are assigned to the Office of the Provost. All finance data and payroll modules are assigned to the Office of the Executive Vice Chancellor of Administration. All human resources data, except payroll, are assigned to the Vice Chancellor of Human Resources.

Data Stewards: Deans, vice chancellors, assistant vice chancellors, directors, managers, or others as identified by the data trustees to manage a subset of data.

Data Processor: Any individual who has been authorized by a data steward to create, remove, or modify data.

B. College data types

The assessment criteria for the following classifications were derived from the National Institute of Standards and Technology (NIST) [1] in NIST SP 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories. These classifications are intended for internal College use and are not intended to be determinative regarding any request for documents made pursuant to Arizona's public records laws.

Public: This type of information can be communicated without restrictions and is intended for general public use. This data will not cause harm to any individual, group, or PCC if made public.

Internal Use Only: Information that is intended for use only within the College. This data may cause harm to an individual, group, or PCC if disclosed. Requires protections according to PCC SPGs, standards, or contracts.

Confidential: Information that must be rigorously protected. Requires protections according to law, specifically: (1) Family Educational Rights and Privacy Act (FERPA); (2) Health Insurance Portability and Accountability Act (HIPAA); (3) Payment Card Industry Data Security Standard (PCI DSS); (4) Gramm-Leach-Bliley Act (GLBA). This data will likely cause significant harm to an individual, group, or PCC if disclosed.

[1] NIST provides standards on everything from weights and measures (providing the basis for the fairness and efficiency of sales totaling more than $5 trillion) to providing quality control procedures to US auto makers.


II. Responsibilities
All College data must be clearly labeled, and starting in July of 2008, the absence of a label will indicate Internal Use Only.

1. Data Trustees:
   - Establish direction for the overall security and privacy of all College data, with particular attention to confidential data
   - Identify and appoint data stewards
   - Ensure existing procedures are appropriate
   - Oversee the data inventory database, which includes: (a) classification level; (b) Data Stewards; (c) description of information
   - Consider any public records request for data classified as Internal Use Only or Confidential to determine whether the documents are subject to disclosure under Arizona law

2. Data Stewards:
   - Develop and maintain documented procedures regarding the protection of College data
   - Ensure the accuracy of data within their area
   - Annually review current access authorizations to ensure they are up to date and accurate
   - Ensure authorized users of confidential data are properly trained
   - Protect confidential information with emphasis on (a) the privacy of personal information; (b) protecting against anticipated threats; (c) guarding against unauthorized access
   - Immediately report any breach of policy or data security to the Data Trustee

3. Data Processors (all employees, faculty, and students):
   - Ensure all data are accurate
   - Ensure appropriate confidentiality, integrity, and availability procedures are being followed
   - Immediately report any breach of policy or data security to the Data Steward

III. Examples
The examples below are provided for illustrative purposes only, and are not intended to be comprehensive or to supersede the best judgment of Data Stewards.

Public Data: Standard practice guides and policies; college plan; personal directory; maps; course catalog; public web page; press releases; advertisements; schedules of classes.

Internal Use Only: Internal e-mails; meeting minutes; unit working and draft documents.

Confidential: Student or employee records; social security numbers; A numbers; grades; employee performance reviews; personnel files; personally identifiable information; financial data (P-card numbers, account information, account numbers, bills); passwords; security plans.

Considering that data of different classification types often occupy a shared space (whether a document or database that contains both confidential and public information), the most sensitive data in the collection is used to determine the overall classification. Notwithstanding such overall classification, in the case of a public records request, all data will be reviewed and disclosed to the extent required by Arizona law.

IV. Public Records Requests


The standards set forth herein are for the College's internal purposes. Arizona law requires the disclosure of all public records except those protected by a statutory or common law exception. Depending upon the records requested and the circumstances, Internal Use Only documents may or may not be subject to disclosure pursuant to a public records request. Upon receipt of a public records request seeking documents classified as Internal Use Only or Confidential, the Data Trustee responsible for the data at issue, in consultation with the Chancellor's office, will review the requested documents and determine whether such documents are, in whole or in part, subject to disclosure. The College does not, by inclusion of certain data or documents within the Internal Use Only or Confidential category, intend to create in any individual an expectation of privacy where none would otherwise exist.

V. Enforcement
Any failure to follow this standard must be reported to the Vice Chancellor of IT and the IT Information Security Officer for the purpose of remediation. Unauthorized disclosure of internal use only data is a violation of this standard and may result in disciplinary action. Unauthorized disclosure of confidential data may result in legal action in addition to disciplinary action. The appropriate Data Trustee will be responsible for any necessary disciplinary action or change in procedures.

Document Maintainers: Brian Basgen
Reviewers: Law firm (DeConcini McDonald Yetwin & Lacy), Chancellor's Cabinet, Chancellor's Staff, IT Directors, ASWG.
Effective Date: 7/1/2008
Review Cycle: Annual
Reference: BP-3502 (permanent student records); BP-5702 (IT resource management)
Status: Final
Version: 1.0
