REQUEST HELP
How to Find Us

Contact ITS

Exley Science Center
ITS Service Desk / Help Desk - 1st Floor Lobby
265 Church Street
Middletown, CT 06459

Main: 860-685-4000

Hours: Monday - Friday
8:30am - 5:00pm

After hours high impact / high urgency IT support

Data Classification Policy 

 

Purpose 

 This Data Classification Policy outlines security controls applied to a given system which should be tied to the types of data stored on that system to ensure a proper balance between usability and security. 

  

Scope 

 This policy applies to all university-provided Information Technology Resources (ITRs), as defined in the Appendix. 

 

Policy 

Data Classification Levels 

There are three data levels classification levels – Restricted, Sensitive, and Public.   

Restricted data is data that the university has a contractual, legal, or regulatory obligation to protect.  Examples include, but are not limited to, data covered by the Family Educational Rights and Privacy Act (FERPA), Social Security Numbers (SSNs), and Protected Health Information (PHI). 

If Restricted data has additional required controls beyond what would normally be applied to the Restricted data, the need for additional controls will be indicated by appending the acronym of the applicable controls.  The Appendix lists current additional required controls in use. 

Sensitive data is any data that the university does not have a contractual, legal, or regulatory obligation to protect but which the university chooses to protect.  Examples include, but are not limited to, internal email messages, internal documents, and employee addresses. 

Public data is any data not classified as Restricted or Sensitive.  If it is unclear whether data should be classified as Public or Sensitive the data should be classified as Sensitive. 

The overall classification for a system is based on the most restrictive classification of any data on the system.  So, a system housing all three types of data is a Restricted system, and a system housing both Sensitive and Public data is a Sensitive system. 

Data Collection 

Restricted data will only be collected by authorized personnel when it is specifically needed for a legitimate university business requirement or to meet a statutory or regulatory requirement.  If Sensitive data can be used in place of Restricted data, such as using a WesID number to identify a person instead of a Social Security Number, the Sensitive data will be collected instead of the Restricted data. 

Data Sharing 

Restricted data may only be shared with other individuals who have a legitimate need to access the Restricted data.  If the data is being shared with an individual outside of the university there must be a written agreement in place confirming that they will use appropriate information security controls to protect the Restricted data.  

Data Custodians 

Every system housing university data will have an assigned Data Custodian.  A “Data Custodian” is responsible for performing the initial data classification analysis when a new system comes online.  The Data Custodian is also responsible for updating a system’s data classification level when the data stored on the system meaningfully changes. 

The Chief Information Security Officer will serve as the Data Custodian whenever the university is unable to identify a Data Custodian for a system. 

Exceptions 

All exceptions to this policy require written approval from the Chief Information Security Officer.  All exceptions require annual renewal.

 

Appendix 

Definitions and Terms 

Information Technology Resources (ITRs) – This includes, but is not limited to, end-user computing devices, services, networks, email, software, printers, scanners, video distribution systems, telephone systems, fax systems, and other computer hardware and software, whether owned by the university or contracted by the university from a third party. 

Data Custodian – A university employee responsible for determining the data classification level for one or more systems housing university data. 

Additional required controls 

  • GLBA / Gramm-Leach-Bliley Act 
    Systems housing Restricted GLBA data must follow the controls in the GLBA Policy in addition to all controls normally applicable to Restricted data.  In case of conflict, the controls outlined in the GLBA Policy will be followed. 
    Nomenclature – Restricted-GLBA 
  • PCI-DSS / Payment Card Industry Data Security Standards 
    Systems housing Restricted PCI-DSS data must follow the controls in the Payment Card Industry Data Security Standards Policy in addition to all controls normally applicable to Restricted data.  In case of conflict, the controls outlined in the Payment Card Industry Data Security Standards Policy will be followed. 
    Nomenclature – Restricted-PCIDSS 

 

Revision History 

August 2024 – Policy adopted