Policies

Data Classification Standard

Hendrix College, Technology Services
Policy # 12100
Effective: Friday, April 27, 2018
Purpose

The purpose of this Standard is to establish a framework for classifying institutional data based on its level of sensitivity, value and criticality to the College as required by the College's Information Security Policy. Classification of data will aid in determining baseline security controls for the protection of data.

Additional Authority

  • Health Insurance Portability and Accountability Act (HIPAA) Security Regulations 45 CFR Parts 160, 162, and 164
  • Health Information Technology for Economic and Clinical Health (HITECH) Act Section 13405(c), which expands an individual's right under HIPAA
  • Family Educational Government Rights and Privacy Act (FERPA) Regulations CFR Part 99
  • Department of Health and Human Government Services (HHS) Title 45 CFR Part 46 Protection of Human Subjects.
  • Personal Information Protection Act - AR Code § 4-110-101 (2017)
  • Protecting controlled unclassified information in non-federal systems - NIST SP 800-171 REV.2
  • Hendrix Catalog -Family Educational Rights and Privacy Act
     

Scope

This Data Classification Standard covers information prepared, managed, used, or retained by a Division or employee of Hendrix College relating to the activities or operations of the College.  Hendrix data does not include individually-owned data, which is defined as an individual's personal information that is not related to College business.

This classification does not cover evaluation of data availability requirements. Refer to business continuity plans for guidance regarding data availability requirements.

Responsible Party

Chief Information Officer

1. Statement

Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the College should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data.

All institutional data should be classified into one of three sensitivity levels, or classifications:

Data ClassAdverse Business ImpactDefinition and examples
RestrictedHigh

Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the College, including data elements that have a statutory requirement for notification to affected parties in case of a confidentiality breach:

  • Social security number
  • Driver's license number or Arkansas identification card number;
  • Financial account numbers, credit or debit card number financial account security codes, access codes, or passwords
  • Personal medical information
  • Personal health insurance information

The highest level of security controls should be applied to Restricted data.

PrivateModerate

Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the College.

This level of information is intended for release only on a need-to-know basis, including personal information not classified as Restricted. Examples include:

  • FERPA student records (including Student ID)
  • Staff and academic personnel records (including Employee ID)
  • Licensed software/software license keys
  • Library paid subscription electronic resources

By default, all Institutional Data that is not explicitly classified as Restricted or Public data should be treated as Private data. 

A reasonable level of security controls should be applied to Private data.

PublicLimited or none

Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the College.

Examples of Public data include:

  • Public directory information
  • Public websites
  • Press releases
  • Course listings and pre-requisites

While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.

2. Business Impact

Considerations for evaluating potential adverse business impact to the campus due to loss of data confidentiality or integrity include:

  • Loss of critical campus operations
  • Negative financial impact (money lost, lost opportunities, value of the data)
  • Damage to the reputation of the College
  • Potential for regulatory or legal action
  • Requirement for corrective actions or repairs

Violation of the College's mission, policies, or principles

3. Definitions

Institutional Data 

All information prepared, managed, used, or retained by a Division or employee of Hendrix College relating to the activities or operations of the College.  Institutional data does not include individually-owned data, which is defined as an individual's personal information that is not related to College business.

Statutory Requirement of Notification

The Arkansas Personal Information Protection Act (AR Code § 4-110) and other legal statues, such as the Health Information Portability and Accountability Act (HIPAA), require notification to individuals in the event of a security breach of certain personal information including individual's first name or first initial and his or her last name in combination with:

  • Social security number
  • Driver's license number or Arkansas identification card number;
  • Financial account numbers, credit or debit card number financial account security codes, access codes, or passwords

Health information includes:

  • Personal medical information
  • Personal health insurance information
FERPA student records

Student record data designated as Private include, but are not limited to:

  • Transcripts (grades)
  • Exam papers
  • Test scores
  • Evaluations
  • Financial aid records
  • Loan collection records
  • Public directory information for students who have requested that information about them not be released as public information

Restricted student record data is included in the list under the Statutory Requirement of Notification section above.

Personnel Records

Faculty and Staff personnel records designated as Private include, but are not limited to:

  • Home telephone number and home address
  • Spouse's or other relatives' names
  • Birth date
  • Citizenship
  • Income tax withholdings
  • Information relating to evaluation of performance
Public directory information
Public Faculty and Staff personnel data:
  • Name
  • Date of hire
  • Current position title
  • Organizational unit assignment
  • Date of separation
  • Office address and office telephone number
  • Current job description
  • Full-time or part-time, and appointment type
Student Directory data

The Hendrix Catalog's Student Record Policy defines public directory information as:

  • Student's name, address, telephone number (permanent and local);
  • Date and place of birth;
  • Dates of attendance at the College, major fields of study, current classification, degrees, honors, and awards;
  • Previous schools attended, and degrees awarded;
  • Heights and weights of members of athletic teams;
  • Participation in officially recognized activities;
  • E-mail address;
  • Class schedule/roster;
  • Full or part-time status;
  • Photograph.

Revisions

Date Change
3/11/2018 Initial Draft
4/30/2018 Second Draft
3/6/2019 Updated Names of Data Classifications to have numerical levels and more clearly defined labels