Information Classification - California State University, Fullerton

Cal State Fullerton

Information Classification

Introduction

The University recognizes that, in order to support its core functions, comply with regulatory obligations, and contribute to the effective overall management of the institution, information must be treated as a valuable asset that is protected to ensure its confidentiality, integrity, and availability.

Information classification is the process of assigning value to data in order to organize it according to its risk of loss or harm from disclosure. The Cal State Fullerton information classification and handling standard establishes a baseline classification level which fulfills requirements placed on state agencies in relation to the collection, use, maintenance and dissemination of information relating to individuals. Additional protections are specified by a number of other federal and state laws, regulations, CSU Executive Orders, campus policies and directives that govern the privacy and confidentiality of data:

Family Education Rights and Privacy Act

California’s Information Practices Act

Title V

California’s Public Records Act

Gramm-Leach-Bliley Act

Health Information Portability and Accountability Act

CSU Information Security Policy

CSU Executive Orders

CSU Fullerton Directive 13

This document was derived from frameworks established by the CSU, earlier efforts by Cal State Fullerton staff, Cal Poly Pomona and Rutgers University, and has adopted portions either in full or in part.

The information classification and handling standard applies to:

All data collected, generated, maintained, and entrusted to Cal State Fullerton (e.g., student, research, financial, employee data) except where superseded by grant, contract, or federal copyright law.

Information in electronic or hard copy form.

Reasons for Standard

Information asset classification is required to determine the relative sensitivity and criticality of information assets, which provide the basis for protection efforts and access control.

To ensure that all individuals utilizing University resources understand their responsibility for securing and protecting the University’s data.

To provide guidance on the data classification of Fullerton information based on fiscal, legal and administrative value to the University.

To identify the corresponding Cal State Fullerton standard to be implemented by owners and/or custodians based upon the sensitivity and classification of the information asset.

Audience

All members of the Cal State Fullerton University community


I. The Standard

Cal State Fullerton has adopted a security model to address its highly distributed and complex environment. There are a wide variety of systems, databases, and applications connected to the campus network which create, store, and transmit information. Information protection is the responsibility of every member of the campus community, but specifically of the Departments and Divisions which bring in or generate the information for the University. Departments or Divisions are also responsible for ensuring the protection of that information once it is distributed to any other Department or Division which maintains or uses the information.

Further, the Departments or Divisions are responsible for applying the appropriate “due care”, based upon the sensitivity of the information.

This Standard provides direction on classifying information based on fiscal, legal and administrative value to the University. Therefore, University faculty, staff and administrators shall:

Classify data based upon the sensitivity criteria outlined in this document

Implement the Information Security Controls and Standards based upon this classification

II. Classification of Data

A. Data

The University's data is defined as any information within its purview, including student record data, personnel data, financial data (budget and payroll), student life data, departmental administrative data, police records and legal files, and all other data that pertains to, or supports the administration of the University.

This document covers all information regardless of storage medium (e.g., paper, fiche, electronic tape, cartridge, disk, and CD-ROM) and regardless of form (e.g., text, graphic, video, and voice), as well as University data stored at third party providers.

B. Classification of Data

All University data is classified based upon sensitivity and risk. The classification of data and the corresponding levels take into account legal and regulatory obligations of the University, contractual agreements, and strategic or proprietary worth of the data.

The California State University (CSU) has identified three classification levels, referred to as Level 1, Level 2, and Level 3. Although all the enumerated data values require some level of protection, particular data values are considered more sensitive, and correspondingly tighter controls are required for these values.

The most critical level of sensitivity begins with Level 1.

Level 1: Confidential

Confidential information is defined as information whose unauthorized disclosure, compromise or destruction would result in severe damage to Cal State Fullerton, its students, or employees.

Financial loss, damage to Cal State Fullerton’s reputation, and possible legal action could occur.

Level 1 data is intended solely for use within Cal State Fullerton and limited to those with a “business need-to-know”. Statutes, regulations, and other legal obligations or mandates protect much of this information. The CSU has identified specific guidelines regarding the disclosure of much of this information to parties outside of the University, and the controls needed to protect against unauthorized access, modification, transmission, storage, or other use.

Examples of Level 1 Information Include:

Personal Information

Passwords or credentials.

PINs (Personal Identification Numbers).

Date of Birth (Month/Day/Year) combined with last four digits of SSN and name.

Name refers to either an individual’s full name or sufficient elements of the individual’s first name followed by the individual’s complete last name.

Tax ID with name.

Driver’s license number, state identification card, and other forms of national or international identification (1) in combination with name.

Social Security number and name.

(1) Such as passports, visas, etc.


Financial Information

Credit card numbers with cardholder name and expiration.

Bank account or debit card information.

Health Information

Medical records related to an individual, an individual’s treatment, health plan, and appointments.

Psychological Counseling records related to an individual.

Technical Security Information

Vulnerability/security information related to the campus or information system.

Law Enforcement Information

Law Enforcement records related to an individual.

Level 2: Internal Use

Internal use information must be guarded due to proprietary, ethical or privacy considerations. Internal use information is intended for use by Cal State Fullerton employees, and by contractors and vendors covered by a non-disclosure agreement. An unauthorized disclosure, compromise or destruction would directly or indirectly have an adverse impact on Cal State Fullerton, its students, or employees.

Financial loss, damage to Cal State Fullerton’s reputation, and possible legal action could occur. Campus guidelines will indicate the controls needed to protect against unauthorized access, modification, transmission, storage or other use.

Examples of Level 2 Information Include:

Identity validation keys

Birth date (full: mm-dd-yy)

Birth date (partial: mm-dd only)

Mother’s maiden name


Student information

Educational records (excludes directory information) (2)

Home or mailing address

Personal telephone numbers

Personal email address

Ethnicity

Gender

Birthplace (City, State, Country)

Grades

Courses taken

Schedule

Test Scores

Advising records

Educational services received

Disciplinary actions

Employee Information

Employee net salary

Employment history

Home address

Personal telephone numbers

Personal email address

Parents and other family members names

Payment History

Employee evaluations

Background investigations

Biometric information

Electronic or digitized signatures

Private key (digital certificate)

Birthplace (City, State, Country)

Ethnicity

Gender

Marital Status

Personal characteristics

Physical description

Photograph

(2) See CSU Executive Order 382


University Alumni Information

Name

Home or mailing address

Personal telephone numbers

Personal email address

Student records still retained.

All information protected under existing Federal and State statutes

Legal Information

Legal investigations conducted by the University

Purchasing Information

Sealed bids

University Research

Trade secrets or intellectual property such as research activities

Library Patron Information

Linking a library user with the specific subject about which the library user has requested information or materials.

Facilities Information

Building plans and architectural drawings

Other Information

Location of assets


Level 3: Public

This is information that is regarded as publicly available. This data is either explicitly defined as public information (e.g., state employee salary ranges), intended to be readily available to individuals both on- and off-campus (e.g., an employee’s work email address), or not specifically classified elsewhere in the protected data classification standard. Knowledge of this information does not expose Cal State Fullerton to financial loss or jeopardize the security of Cal State Fullerton’s assets. Publicly available data may still be subject to appropriate campus review or disclosure procedures to mitigate potential risks of inappropriate disclosure.

Examples of Level 3 Information Include:

Student Information

Name

Major Field of Study

Participation in officially recognized sports/activities

Weight and Height of athletic team members

Dates of Attendance

Full or Part-time status

Degrees and awards received

Campus E-mail address

Most recent or previous college/University/agency attended

Note: If the student has requested confidentiality, the above Student Information is no longer public for that student.

Employee Information

Employee Title

Employee public email address

Employee work location and telephone number

Employing department

Employee classification

Employee gross salary

Name (first, middle, last) (except when associated with protected information)

Signature (non-electronic)


III. Implementation

The Fullerton Information Security Standard is enunciated by the following documents.

A. The Cal State Fullerton Information Security Controls and Standards

The Fullerton Information Security Controls and Standards have been developed in order to provide direction on the appropriate system, administrative, and physical controls to apply to Data based on sensitivity.

University data will be protected by implementing Fullerton security standards, based upon the data classification, identified in this document.

B. Fullerton Policies, Standards, and Guidelines for Information Security

Information Security standards are mandatory controls that must be employed in order to comply with the Standards. Security guidelines provide suggested alternatives, including implementation checklists, to enable compliance with the Standards.
