Data Classification Policy

Purpose
The purpose of the data classification policy is to define different classifications of data and to describe principles for access, use, and safeguards of data, based on classification.

Scope
The following guidelines apply to data either owned by Middlebury, or to data that the institution has an interest in protecting. The scope of this policy is not limited to the Middlebury network but to all data stored and used on any Middlebury campus, or by any Middlebury affiliate or partner, regardless of format.

In an effort to prevent unauthorized disclosure of data, the classification system in this policy articulates the appropriate use, modification and disclosure of data, including thresholds for breached data based on the type of data in question. Exposure of data below these thresholds, while a security incident and a concern, may not constitute a violation of this policy. Exposure above these limits constitutes a security breach and would be considered a violation of this policy. For reference purposes, please note that Vermont Act 162 requires notification for breaches of personally identifiable information (PII) above 1,000 records.

Policy

Access
This Policy applies to all individuals who access, use, or manage data owned by or protected by Middlebury College. This includes but is not limited to:

  • Faculty
  • Staff
  • Student Employees
  • Agents of the College
  • Parties affiliated with the College that have been granted access to College resources

All parties with access to data on the College network or other information stored by the College should be familiar with this policy. Information classified as Restricted Data requires strict security controls, will have limited access and disclosure, and may be subject to legal restrictions.

Responsibilities
Data Stewards are responsible for the management of data. Each Data Set will have identified Data Stewards. Data Stewards are responsible for classifying the data and assigning the correct level of access to the data. Data stewards must ensure that the policy is enforced for their data set, and that the appropriate confidentiality, integrity and availability of the data are maintained.

Individuals with access to data have been granted a level of trust by the Data Stewards and as such are responsible for upholding the security and integrity of the data to which they have access, and should be aware of best practices in secure data management.

Data Stewardship (please reference the Privacy section of the Handbook)
The primary Data Stewards are department heads, or their designates, who have planning and policy level responsibility for data within their areas, and management responsibilities for defined segments of institutional data. Currently, most data stewardship responsibilities are provided by Functional Area Leads and members of the Data Integrity Group.

It is a Data Steward’s responsibility to:

  • develop consistent data definitions
  • develop and adhere to data standards created by the institution
  • document the business rules of their area
  • monitor the quality of the data input and output from the systems they use
  • define security requirements
  • work with other data stewards on integration requirements
  • communicate critical uses of data on which other departments depend

As data are developed, Data Stewards assure that storage of, and access to, the data is appropriately managed. This includes the documentation and classification of all forms, views, reports and all other forms of access in which this data is made visible.

The data stewardship function shall have one or more Data Stewards assigned to each data set. These sets belong to major categories of institutional data, including:

  • Financial data (institutional, student)
  • Employment data (faculty, staff, student)
  • Academic data (student, prospective student, faculty)
  • Health data (student)
  • Philanthropic data (alumni, donors)


Data Classification
Data is organized into three distinct levels or classes: Level 1: Public Data, Level 2: Internal Data, and Level 3: Restricted Data. Each level or class of data has its own requirements with respect to safeguards and procedures in the event of inappropriate disclosure.

Level 1: Public Data
Public Data is considered to be any data that does not fall into the Internal Data or Restricted Data classes. The disclosure of Public Data does not pose a risk to the institution. Public Data may be publicly accessible but does not require public access. There are no restrictions on the storage or distribution of Public Data.

Examples of Public Data include:

  • Public Web Sites
  • Marketing Materials
  • Business Addresses

Level 2: Internal Data
Internal Data is data that, while not protected by state or federal law or regulatory standards, might impact Middlebury’s reputation or result in a civil action against the institution, should it be breached. Access to Internal Data should be limited to Data Stewards and only those members of the institution to whom Data Stewards have granted access. Regular audits of Internal Data should be conducted by the Data Stewards to ensure appropriate access. The exposure threshold for this classification of data is set at 750 records.

Examples of Internal Data include:

  • Account Credentials
  • Budget Information
  • Research and Manuscripts
  • Payroll and Employment Documentation
  • Donation/Giving History
  • Systems & Network Diagrams
  • Strategic Information Unique to Middlebury


Access to Internal Data should be needs based, with the needs assessed by the Data Stewards.

Level 3: Restricted Data
Restricted Data is defined as data that is regulated by law or contract or, if exposed to unauthorized parties, could result in reputational loss to the College or punitive action. Regular audits of access to Restricted Data should be conducted by the data stewards to ensure appropriate access controls exist. The threshold for exposure of this category of data is set at 250 records.

Regulated Data Elements

  • Social Security Number (PII)
  • Driver's License ID Number (PII)
  • Passport ID Number (PII)
  • Tax ID Number (PII)
  • Health Information (HIPAA)
  • Class Schedules (FERPA)
  • Academic Actions (FERPA)
  • Grades and Transcripts (FERPA)
  • Payment Card Data (PCI)

Other data elements that can be associated with an individual (PII), particularly when used in various combinations with regulated data elements, may be treated as Restricted Data, depending on the usage. When assessing data, each data set must be analyzed to determine if any given combination poses a risk.

Examples of Associated (PII) Data Elements

  • Name
  • Date of Birth
  • Home Address
  • Email Address
  • Telephone Number
  • Mother’s Maiden Name
  • Employment History

Safeguards for Restricted Data should include an approved enterprise storage location and regular monitoring and auditing of access to Restricted Data. Additionally, access should be limited to only those who have a legitimate need to use Restricted Data. Transmission of Restricted Data outside of a Middlebury-approved enterprise storage location requires both encryption and verification of the identity of the recipient. Any Restricted Data transmitted from the enterprise storage location should be sent in such a way that it cannot be modified. Restricted Data should not be stored unencrypted in cloud solutions, particularly those not contracted by the institution. Restricted Data should have a retention timeline and should be destroyed when no longer in use and when legally permissible. Data Stewards will work with ITS to ensure that appropriate technologies are available to provide adequate safeguards for Restricted Data while ensuring availability for appropriate use.


Auditing

In order to protect sensitive data, designated ITS staff may use auditing technologies to scan institutional technology systems. These technologies may include programs and utilities that allow for programmatic inspection of data and access permissions. The results of these scans may be centrally correlated for analysis in a secure environment. These technologies are not to be used to read the full context of the data, but rather to match established patterns, such as SSNs, Payment Card Data, etc. Confidentiality of all information gathered as a result of auditing will be maintained at all times. Access to information obtained through auditing will be limited to designated staff.
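An illustration of the pattern-based scan described above, written as an added example and not Middlebury's or ITS's own tooling: it matches SSN and payment card patterns, records only the line number and element type (never the matched value, so the audit record itself holds no PII), and compares the count with the policy's 250-record Restricted threshold and the 1,000-record Vermont Act 162 figure. For simplicity it assumes each match is one record; the sample text is constructed.

```python
import re

# Exposure thresholds (records) stated in the Data Classification Policy.
THRESHOLDS = {"restricted": 250, "internal": 750}
VT_ACT_162_NOTIFY = 1000  # PII breach notification threshold cited in the policy

# 3-2-4 SSN with the never-issued area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digit payment card number with optional space or dash separators.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters random digit runs out of PAN hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """One finding per match: line number and element type only.
    The matched value is deliberately not returned or logged."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for _ in SSN_RE.finditer(line):
            findings.append({"line": lineno, "element": "SSN"})
        for m in PAN_RE.finditer(line):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                findings.append({"line": lineno, "element": "PAN"})
    return findings


def assess_exposure(findings: list) -> dict:
    """Compare the number of Restricted Data records with the policy thresholds
    (assumption for this example: one match counts as one record)."""
    n = len(findings)
    return {
        "records": n,
        "restricted_breach": n > THRESHOLDS["restricted"],
        "vt_act_162_notification": n > VT_ACT_162_NOTIFY,
    }


# Constructed sample input (not real data) for a stand-alone run.
SAMPLE = """\
employee 1: ssn 123-45-6789
employee 2: ssn 456-78-9012
card on file: 4111 1111 1111 1111
not a card: 1234 5678 9012 3456
phone: 802-555-0100
"""

if __name__ == "__main__":
    found = scan_text(SAMPLE)
    print(found)
    print(assess_exposure(found))
```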

Data Security Guidelines

The following is intended to present a simplified view of the different types of security protections that should be ensured for the different levels or classes of data.

Table columns: Security Protection | Level 1: Public Data | Level 2: Internal Data | Level 3: Restricted Data | Guideline(s) | Example(s)

Security Protection: Data Classification
  Guideline(s): Know the level or class of the data that you are working with so that you can ensure that appropriate data security protections are employed.
  Example(s): Reference the Data Classification Policy to determine the level or class of the data that you are working with.

Security Protection: Access Controls
  Guideline(s): Electronic and physical access controls ensure that only authorized individuals can access the data.
  Example(s): Passwords and/or authentication systems must be used to control access to view any Internal Data and Restricted Data, and to modify any Public Data. Similarly, any physical copies of Internal Data and Restricted Data must be secured by lock and key.

Security Protection: Data Encryption
  Guideline(s): Encrypt data using industry-standard tools and technologies. Keep the encryption keys separate from the systems that contain the data.
  Example(s): Windows users may use EFS to encrypt files and folders. Mac users may use Disk Utility to encrypt files and folders.

Security Protection: Security Monitoring
  Guideline(s): Create and conduct security operations processes to monitor for unauthorized access attempts.
  Example(s): Must be able to document all instances of access to the data, whether authorized or unauthorized. This could be accomplished via an automated access log report.