Data Classification Standards - HSU Implementation of the CSU Data Classification Standards

Month/Year Posted: June, 2010
Policy Number: EM:P10-03

Background:

In accordance with the binding requirements of federal laws, state laws, and CSU policies that govern how private and confidential data are collected, managed and protected, Humboldt State University recognizes its affirmative and continuing obligation to provide appropriate administrative, technical and physical safeguards to protect such university information assets.

Unauthorized use, access, disclosure, or acquisition of private or confidential information could result in severe damage to HSU, its students, employees or customers. Financial loss, damage to HSU’s reputation and legal action could result.

Security precautions and procedures for protecting private and confidential data are necessary.

Data Classification Standards:

The CSU Information Security Advisory Committee and information security staff from the Chancellor’s Office have defined data classification standards as follows (see Appendix A):

  • Level 1 Confidential Data: data governed by existing law or statute such as Social Security number, credit card number, or health information
  • Level 2 Private Data: information that should be protected due to ethical or privacy concerns such as grades, disciplinary actions, or employment history
  • Level 3 Public Data: information such as a person's title, email address, or other directory information

Policy:

Neither Level 1 Confidential data nor Level 2 Private data shall be stored on university-owned personal computers (desktop or laptop), other electronic storage media (e.g., CD, DVD, or flash drive) or other electronic devices (e.g., PDAs, smart phones) without the express written approval of the President or his designee. Approval shall only be granted in order to accomplish specific tasks identified as absolutely necessary to conducting the business of the University. The data shall be removed when the business reason no longer exists.

This policy applies to:

  • all divisions, work units and entities of the University, including self-support entities;
  • all data collected, generated, maintained, and entrusted to HSU (e.g. student, research, financial, employee data) except where superseded by grant or contract;
  • all auxiliary organizations (such organizations shall develop and adopt a policy to achieve this security).

Managers for work groups with the same protected data storage requirements may request approval for the entire group on a single approval form. Level 2 Private data for students enrolled in the current semester may be stored on a local computer for the current term only. At the end of the term, such data shall be removed to an appropriate, secure archive medium and location.

Under no circumstance shall Level 1 Confidential data be stored on computers, other storage media, or other electronic devices not owned by the California State University, its auxiliaries or its foundations.

Devices containing Level 1 Confidential or Level 2 Private data may not be used for any purpose by any person not employed by the University.

Additional information on this policy can be found at: https://its.humboldt.edu/security/protected-data

Storage and System Security Requirements:

When storage on computers, other storage media, or other electronic devices is approved, the following additional minimum requirements must be met:

  1. These devices must be physically secured when not in use.
  2. Campus supported file or disk encryption must be utilized.
  3. Operating system software must be kept patched and up-to-date.
  4. Anti-virus software must be installed on any device capable of running it, and also kept up-to-date.
  5. Normal user access may not operate using an account with administrative privileges.
  6. Strong password protection and aging must be adhered to for all profiles configured on the device.
  7. A computer firewall must be enabled. 

Disposal requirements:

Any computer, other storage media, or other electronic device which stores Level 1 Confidential or Level 2 Private data must be sanitized prior to disposal or re-use in accordance with the campus procedures for destruction of media.

Reporting Loss or Theft:

Theft or loss of computers, other storage media, or other electronic devices that contain Level 1 Confidential or Level 2 Private data must be reported to (1) the employee’s appropriate administrator, (2) University Police and (3) the Office of Information Security. When the loss or theft of a computer, other storage media, or other electronic device is reported, the presence of Level 1 Confidential or Level 2 Private data must be indicated. If stolen off-campus, local law enforcement must be notified and a police report obtained.

Periodic Review:

The Office of Information Security will conduct periodic audits to determine if Level 1 Confidential and Level 2 Private data are being appropriately protected on university-owned equipment.

Appendix A – CSU Data Classification Standard, Level 1 Confidential

Description

Level 1 Confidential information is intended solely for use within HSU and is limited to those with a “business need-to-know.”

Statutes, regulations, other legal obligations or mandates protect much of this information.

Disclosure of Level 1 Confidential information to persons outside of the University is governed by specific standards and controls designed to protect the information.

Unauthorized use, access, disclosure, or acquisition of private or confidential information could result in severe damage to HSU, its students, employees or customers. Financial loss, damage to HSU’s reputation and legal action could result.

Level 1 Confidential information is typically exempt from disclosure under the California Public Records Act or other applicable state or federal laws.

Examples

  • Passwords or credentials
  • PINs (Personal Identification Numbers)
  • Birth date combined with last four digits of SSN and name
  • Credit card numbers with cardholder name
  • Tax ID with name
  • Driver’s license number, state identification card, and other forms of national or international identification (such as passports, visas, etc.) in combination with name
  • Social Security number and name
  • Health insurance information
  • Medical records related to an individual
  • Psychological counseling records related to an individual
  • Bank account or debit card information in combination with any required security code, access code, or password that would permit access to an individual's financial account
  • Biometric information
  • Electronic or digitized signatures
  • Private key (digital certificate)
  • Vulnerability/security information related to a campus or system
  • Attorney/client communications
  • Legal investigations conducted by the University
  • Third party proprietary information per contractual agreement
  • Sealed bids

Appendix B – CSU Data Classification Standard, Level 2 Private

Description

Level 2 Private information should be protected due to FERPA, proprietary, ethical, or privacy considerations.

Although not specifically protected by statute, regulations, or other legal obligations or mandates, unauthorized use, access, disclosure or acquisition of information could cause financial loss, damage to HSU’s reputation, violate an individual’s privacy rights, or make legal action necessary.

Examples

Name in combination with:

  • Birth date (full: mm-dd-yy)
  • Birth date (partial: mm-dd only)

Employee Information (including student employees):

  • Employee net salary
  • Employment history
  • Home address
  • Personal telephone numbers
  • Personal email address
  • Payment history
  • Employee evaluations
  • Background investigations
  • Mother’s maiden name
  • Race and ethnicity
  • Parents’ and other family members’ names
  • Birthplace (City, State, Country)
  • Gender
  • Marital status
  • Physical description
  • Photograph

Other:

  • Library circulation information
  • Trade secrets or intellectual property such as research activities
  • Location of critical or protected assets
  • Licensed software

Student Information-Educational Records (non-directory):

  • Grades
  • Courses taken
  • Schedule
  • Test scores
  • Advising records
  • Educational services received
  • Disciplinary actions 

Appendix C – CSU Data Classification Standard, Level 3 Public

Description

This is information that is generally regarded as publicly available. Information at this level is either explicitly defined as public information, or is intended to be available to individuals both on and off campus, or is not specifically classified elsewhere in this standard. Knowledge of this information does not expose the CSU to financial loss or jeopardize the security of HSU’s information assets.

Level 3 Public information may be subject to appropriate campus review or disclosure procedures to mitigate potential risks of inappropriate disclosure.

Examples

Campus Identification Keys:

  • Campus identification number
  • User ID (do not list in public or large aggregate lists to reduce chances of spam) 

Student Directory Information: (unless a student requests in writing that their directory information not be released, resulting in a “confidentiality flag” being set in their CMS record)

  • Educational directory information (FERPA) 

Employee Information (including student employees):

  • Employee title
  • Status as student employee (such as TA, GA, ISA)
  • Employee campus email address
  • Employee work location and telephone number
  • Employing department