Data Classification Policy: IG
PURPOSE:
Data Classification provides a framework for managing data assets based on value and associated risks and for applying the appropriate levels of protection as required by state and federal law as well as proprietary, ethical, operational, and privacy considerations. All SPC data, whether electronic or printed, must be classified as Confidential, Protected, or Public by the data owners and/or data custodians. Consistent use of data classification reinforces with users the expected level of protection of SPC data assets in accordance with SPC policies.
The purpose of the Data Classification Policy is to provide a foundation for the development and implementation of necessary security controls to protect information according to its value and/or risk. Security standards, which define these security controls and requirements, may include document marking/labeling, release procedures, privacy, transmission requirements, printing protection, computer display protections, storage requirements, destruction methods, physical security requirements, access controls, backup requirements, transport procedures, encryption requirements, and incident reporting procedures.
SCOPE:
The SPC Data Classification policy applies equally to all Data Owners and Data Custodians.
POLICY STATEMENT:
Data Owners and/or Data Custodians must classify data as follows:
- Confidential: Sensitive data that must be protected from unauthorized disclosure or public release based on state or federal law, (e.g. the Texas Public Information Act, FERPA, HIPAA) and other constitutional, statutory, judicial, and legal agreements. Examples of Confidential data may include, but are not limited to:
- Personally identifiable information such as a name in combination with Social Security Number (SSN) and/or financial account numbers
- Student education records such as posting student identifiers and grades
- Intellectual property such as copyrights, patents and trade secrets
- Medical records
- Protected: Sensitive data that may be subject to disclosure or release under the Texas Public Information Act but requires additional levels of protection. Examples of Protected data may include but are not limited to:
- Operational information
- Personnel records
- Information security procedures
- College-related research
- internal communications
- Public: Information intended or required for public release as described in the Texas Public Information Act.
DEFINITIONS:
Confidential Data: Information that must be protected from unauthorized disclosure or public release based on state or federal law (e.g. the Texas Public Information Act, and other constitutional, statutory, judicial, and legal agreement requirements).
Data Classification: Classifying data according to their category of Confidential, Protected or Public.
Data Custodian: The person responsible for overseeing and implementing physical, technical, and procedural safeguards specified by the data owner.
Data Owner: Departmental position responsible for classifying business data, approving access to data, and protecting data by ensuring controls are in place.
Protected Data: Sensitive data that requires a level of protection but may be subject to disclosure or release – Public Information Act.
Public Data: Information intended or required for public release.
Related Policies, References and Attachments:
An index of approved SPC-IS policies can be found on the SPC Policies website at https://www.southplainscollege.edu/human_resources/policy_procedure/?%20. The SPC Information Security Program and SPC Information Security User Guide are also available on the Information Technology Services Policies website.
DIR Security Controls Catalog Control Group: AP-2
Approved by: Executive Council, September 9, 2019
Next Review: October 1, 2020