Confidential Classification Of Data (DOCX)

DATA CRITERIA AND CLASSIFICATION

CONFIDENTIAL (highest level of security)
Description: Data is designated as legally regulated. Data which is considered confidential or restrictive.
Legal Requirements: Protection required/identified by Red Flag Rule and/or 210-CMR17.00.
Reputation to College: High
Data Access and Control: Legal, ethical or other reasons (College Policy) prevent access without authorization. Data is only accessed by individuals with specific approved access.

RESTRICTED (moderate level of security)
Description: Data which the owner or owners (Department Heads) have not decided to publish or publicly announce. Data protected by contract obligations.
Legal Requirements: The protection of this data is at the discretion of the Department Head or Gordon College.
Reputation to College: High/Medium
Data Access and Control: Data is accessed by Gordon College employees and/or non-employees who have a business need and were approved by the Department Head.

PUBLIC (low level of security)
Description: No expectation for privacy or confidentiality.
Legal Requirements: The protection of this data is at the discretion of the Department Head or Gordon College.
Reputation to College: Low
Data Access and Control: No restrictions.

DATA STORAGE AND TRANSMISSION

CONFIDENTIAL
Transmission: Confidential Data will be sent only via an SSL-based or higher encryption method, for example the XYTHOS ticketing/email method. Transmission via email, texting, SMS, instant messaging or any electronic system (FTP or TFTP) is prohibited.
Storage: The saving of confidential data is prohibited on local hard drives, desktops, laptops, smartphones or tablet computers. If these devices are approved by the Information Security Officer, then approved encryption is required. Storage of credit card information is never allowed on local devices.
Data Backup and Recovery: Documented backup and recovery procedures are required by law.

RESTRICTED
Transmission: Transmission of restricted data through ‘Guest’ wireless and non-Gordon wired or wireless networks is prohibited. When necessary, ‘GordonNET’ or Gordon’s wired network will be used. If off campus, Gordon College’s https://vpn.gordon.edu will be used.
Storage: Data will be stored using NAS1, NAS2 and/or the XYTHOS drive. If the level of protection is unknown, check with the Information Security Officer before storing the data.
Data Backup and Recovery: Documented backup and recovery procedures are required.

PUBLIC
Transmission: No protection is required.
Storage: No protection is required.
Data Backup and Recovery: Documented backup and recovery procedures are required.

DATA RETENTION, AUDIT AND PROTECTION

CONFIDENTIAL
Data Retention: 45 Days, copied every 15 minutes
Audit - internal: Department Heads and data custodians responsible for confidential data must actively review their data process and procedures for potential ‘Red Flags’, misuse or unauthorized access.
Audit - external: The Information Security Officer is required to periodically scan and detect possible breaches in departmental security.
Protection: The use of IPS/IDS, Firewall, patch management, encrypted wireless and daily review of logs to thwart possible breaches.
Protection - user: User client device has adequate patch management, Antivirus, Anti-Malware installed and file encryption if needed.

RESTRICTED
Data Retention: 45 Days, copied every 15 minutes
Audit - internal: Department Heads and data custodians are responsible for restricted data. Periodic review of data access is required.
Audit - external: The Information Security Officer is required to periodically scan and detect possible breaches in departmental security.
Protection: Scanning of departmental data to ensure correct user access and that no PII is stored wrongly.
Protection - user: User client device has adequate patch management, Antivirus, Anti-Malware installed.

PUBLIC
Data Retention: 45 Days, copied every 15 minutes
Audit - internal: No audit controls needed.
Audit - external: No audit controls needed.
Protection - user: No restrictions because we have no control over non-Gordon computers.
DATA EXAMPLES:

Information resources labeled as ‘Confidential’.

Personally Identifiable Information (PII). The following must be true: Last Name, and First Name or initial, with ANY one of the following:
- Social Security Number
- Driver’s License Number
- State ID Number
- Passport Number
- Financial Account (checking, savings, brokerage, CD, routing, Bank ID)
- Credit Card Number
- Debit Card Number

Protected Health Information (PHI)
- Health Status
- HealthCare Treatment
- HealthCare Payment

Personal/Employee Data
- W-2’s
- Worker’s Compensation or Disability Claims
- Pay Record

Student Data not included in directory information or GAL
- Loan or Scholarship Information
- Payment History
- Student Tuition Bills
- Student Financial Information
- Class Lists or Enrollment Information
- Transcripts
- Notes on Class Work
- Disciplinary Action
- Athletics Recruiting Information

Information resources labeled as ‘Restricted’.

Personal/Employee Data
- Gordon ID Number
- Income Information
- Personal Records/Performance Reviews/Benefit Information
- Race, ethnicity, nationality, gender
- Date and place of birth
- Contact Information

Business/Financial Data
- Transactions that do not include Confidential Data
- Non-Disclosure Information
- Contracts that don’t contain PII
- Credit Reports
- Records on spending, borrowing, net-worth

Academic/Research Information
- Library Transactions
- Unpublished Research or Research
- Private Funding Information
- Human Subject Information
- Course Evaluations

Anonymous Donor Information
- Last Name, First Name or Middle/First Name Initial
- Amount, Organization, Type, Purpose

Other Donor Information
- Last Name, First Name or Middle/First Name Initial
- Telephone, e-mail, employment information
- Family Information

Management Data
- Annual Budget Information
- Conflict of Interest Disclosures
- Gordon’s Investment information

Information resources labeled as ‘Public’.

Directory or Contact Information not Designated as Private (unless protected by FERPA)
- Name
- Address (Gordon and Home)
- E-mail
- Listed Telephone Number
- Degrees, Honors or Awards
- Previous Schools Attended
- Field of Study
- Dates of Current Employment and Position Held
- ID Photos for Gordon Use Only

Specific for Students (unless protected by FERPA)
- Class Year
- Campus Activities
- Athletic Information – Height, Weight
- Attendance Status

College Data (unless protected by FERPA)
- Maps
- Job Postings
- List of Published Research
- Other?
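The tier criteria in the data examples and the Storage rules in the classification table, worked through as an added Python example (this is not part of the Gordon College policy). The record field names (ssn, gordon_id, class_year and so on) and the location labels are assumed column names chosen for the example; the policy names data categories, not schema identifiers. Two behaviours the policy leaves implicit are also assumptions and marked as such in the code: an identifier without the full name fails the PII test and is handled as Restricted, and fields or locations the policy does not name are handled as Restricted or refused until the Information Security Officer has classified them.

```python
from enum import Enum


class Tier(Enum):
    PUBLIC = "Public"
    RESTRICTED = "Restricted"
    CONFIDENTIAL = "Confidential"


# Assumed column names for a record; the policy names categories, not columns.
NAME_LAST = {"last_name"}
NAME_FIRST = {"first_name", "first_initial"}

# The policy's PII test: last name + first name/initial + ANY one of these.
PII_IDENTIFIERS = {
    "ssn", "drivers_license", "state_id", "passport",
    "financial_account", "credit_card", "debit_card",
}

# Other Confidential categories: PHI, employee pay data, non-directory student data.
CONFIDENTIAL_FIELDS = {
    "health_status", "healthcare_treatment", "healthcare_payment",
    "w2", "workers_comp_claim", "pay_record",
    "loan_info", "scholarship_info", "payment_history", "tuition_bill",
    "class_list", "transcript", "class_notes", "disciplinary_action",
    "athletics_recruiting",
}

RESTRICTED_FIELDS = {
    "gordon_id", "income", "performance_review", "benefits",
    "race_ethnicity", "gender", "date_of_birth", "place_of_birth",
    "credit_report", "net_worth", "library_transaction",
    "unpublished_research", "human_subject", "course_evaluation",
    "donor_amount", "annual_budget", "conflict_of_interest", "investment",
}

PUBLIC_FIELDS = {
    "last_name", "first_name", "first_initial", "address", "email",
    "listed_phone", "degrees", "previous_schools", "field_of_study",
    "employment_dates", "position", "id_photo",
    "class_year", "campus_activities", "height", "weight", "attendance_status",
}


def classify(fields):
    """Return the Tier for a record described by the set of fields it contains."""
    fields = set(fields)
    has_name = bool(fields & NAME_LAST) and bool(fields & NAME_FIRST)
    if has_name and fields & PII_IDENTIFIERS:
        return Tier.CONFIDENTIAL  # the policy's PII rule is met
    if fields & CONFIDENTIAL_FIELDS:
        return Tier.CONFIDENTIAL
    if fields & RESTRICTED_FIELDS:
        return Tier.RESTRICTED
    if fields & PII_IDENTIFIERS:
        # Assumption: an identifier without the full name fails the PII test
        # but is still not published data, so handle it as Restricted.
        return Tier.RESTRICTED
    if fields <= PUBLIC_FIELDS:
        return Tier.PUBLIC
    # Assumption: fields the policy does not name are handled as Restricted
    # until the Information Security Officer has classified them.
    return Tier.RESTRICTED


LOCAL_DEVICES = {"local_hard_drive", "desktop", "laptop", "smartphone", "tablet"}
APPROVED_STORES = {"NAS1", "NAS2", "XYTHOS"}  # the stores named in the policy


def storage_allowed(tier, location, *, iso_approved=False, encrypted=False,
                    holds_card_numbers=False):
    """Apply the Storage rules for a tier; returns (allowed, reason)."""
    if tier is Tier.PUBLIC:
        return True, "public data: no protection required"
    if tier is Tier.RESTRICTED:
        if location in APPROVED_STORES:
            return True, f"restricted data may be stored on {location}"
        return False, "restricted data is stored on NAS1, NAS2 or XYTHOS only"
    # Confidential: local devices need ISO approval plus encryption,
    # and card numbers are never allowed on them.
    if location in LOCAL_DEVICES:
        if holds_card_numbers:
            return False, "credit card data is never allowed on local devices"
        if iso_approved and encrypted:
            return True, "ISO-approved device with approved encryption"
        return False, "confidential data is prohibited on local devices"
    if location in APPROVED_STORES:
        # Assumption: the managed stores are acceptable for confidential data.
        return True, f"confidential data on the managed store {location}"
    # Assumption: an unnamed location is refused pending ISO review.
    return False, "unknown location: check with the Information Security Officer"


if __name__ == "__main__":
    record = {"last_name", "first_initial", "ssn"}  # constructed sample record
    tier = classify(record)
    print(tier.value, storage_allowed(tier, "laptop", iso_approved=True, encrypted=True))
```

The classifier checks the PII rule first because it is the one criterion the policy states as a conjunction (name plus any one identifier); every other category is a simple membership test, and the default branch errs towards the stricter tier, which mirrors the policy's instruction to consult the Information Security Officer when the protection level is unknown.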