The purpose of the data classification policy is to define different classifications of data and to describe principles for access, use, and safeguards of data, based on classification.
The following guidelines apply to data either owned by Middlebury, or to data that the institution has an interest in protecting. The scope of this policy is not limited to the Middlebury network but extends to all data stored and used on any Middlebury campus, or by any Middlebury affiliate or partner, regardless of format.
In an effort to prevent unauthorized disclosure of data, the classification system in this policy articulates the appropriate use, modification and disclosure of data, including thresholds for breached data based on the type of data in question. Exposure of data below these thresholds, while a security incident and a concern, may not constitute a violation of this policy. Exposure above these limits constitutes a security breach, and would be considered a violation of this policy. For reference purposes, please note that Vermont Act 162 requires notification for breaches of personally identifiable information (PII) above 1,000 records.
This Policy applies to all individuals who access, use, or manage data owned by or protected by Middlebury College. This includes but is not limited to:
- Student Employees
- Agents of the College
- Parties affiliated with the College that have been granted access to College resources
All parties with access to data on the College network or other information stored by the College should be familiar with this policy. Information classified as Restricted Data requires strict security controls, will have limited access and disclosure, and may be subject to legal restrictions.
Data Stewards are responsible for the management of data. Each Data Set will have identified Data Stewards. Data Stewards are responsible for classifying the data and assigning the correct level of access to the data. Data Stewards must ensure that the policy is enforced for their data set, and that the appropriate confidentiality, integrity and availability of the data are maintained.
Individuals with access to data have been granted a level of trust by the Data Stewards and as such are responsible for upholding the security and integrity of the data to which they have access, and should be aware of best practices in secure data management.
Data Stewardship (please reference the Privacy section of the Handbook)
The primary Data Stewards are department heads, or their designates, who have planning and policy level responsibility for data within their areas, and management responsibilities for defined segments of institutional data. Currently, most data stewardship responsibilities are provided by Functional Area Leads and members of the Data Integrity Group.
It is a Data Steward’s responsibility to:
- develop consistent data definitions
- develop and adhere to data standards created by the institution
- document the business rules of their area
- monitor the quality of the data input and output from the systems they use
- define security requirements
- work with other data stewards on integration requirements
- communicate critical uses of data on which other departments depend
As data are developed, Data Stewards ensure that storage of, and access to, the data is appropriately managed. This includes the documentation and classification of all forms, views, reports and all other forms of access in which this data is made visible.
The data stewardship function shall have one or more Data Stewards assigned to each data set. These sets belong to major categories of institutional data, including:
- Financial data (institutional, student)
- Employment data (faculty, staff, student)
- Academic data (student, prospective student, faculty)
- Health data (student)
- Philanthropic data (alumni, donors)
Data is organized into three distinct levels or classes: Level 1: Public Data, Level 2: Internal Data, and Level 3: Restricted Data. Each level or class of data has its own requirements with respect to safeguards and procedures in the event of inappropriate disclosure.
Level 1: Public Data
Public Data is considered to be any data that does not fall into the Internal Data or Restricted Data classes. The disclosure of Public Data does not pose a risk to the institution. Public Data may be publicly accessible but does not require public access. There are no restrictions on the storage or distribution of Public Data.
Examples of Public Data include:
- Public Web Sites
- Marketing Materials
- Business Addresses
Level 2: Internal Data
Internal Data is data that, while not protected by state or federal law or regulatory standards, might impact Middlebury’s reputation or result in a civil action against the institution, should it be breached. Access to Internal Data should be limited to Data Stewards and only those members of the institution to whom Data Stewards have granted access. Regular audits of Internal Data should be conducted by the Data Stewards to ensure appropriate access. The exposure threshold for this classification of data is set at 750 records.
Examples of Internal Data include:
- Account Credentials
- Budget Information
- Research and Manuscripts
- Payroll and Employment Documentation
- Donation/Giving History
- Systems & Network Diagrams
- Strategic Information Unique to Middlebury
Access to Internal Data should be needs based, with the needs assessed by the Data Stewards.
Level 3: Restricted Data
Restricted Data is defined as data that is regulated by law or contract or, if exposed to unauthorized parties, could result in harm to individuals, reputational loss to the College, or punitive action. Regular audits of access to Restricted Data should be conducted by the data stewards to ensure appropriate access controls exist. The threshold for exposure of this category of data is set at 250 records.
Regulated Data Elements
- Social Security Number (PII)
- Driver's License ID Number (PII)
- Passport ID Number (PII)
- Tax ID Number (PII)
- Health Information (HIPAA)
- Class Schedules (FERPA)
- Academic Actions (FERPA)
- Grades and Transcripts (FERPA)
- Payment Card Data (PCI)
Other data elements that can be associated with an individual (PII), particularly when used in various combinations with regulated data elements, may be treated as Restricted Data, depending on the usage. When assessing data, each data set must be analyzed to determine if any given combination poses a risk.
Examples of Associated (PII) Data Elements
- Date of Birth
- Home Address
- Email Address
- Telephone Number
- Mother’s Maiden Name
- Employment History
Safeguards for Restricted Data should include an approved enterprise storage location and regular monitoring and auditing of access to Restricted Data. Additionally, access should be limited to only those who have a legitimate need to use Restricted Data. Transmission of Restricted Data outside of a Middlebury-approved enterprise storage location requires both encryption and verification of the identity of the recipient. Any transmission of Restricted Data from the enterprise storage location should be done in such a way that the data cannot be modified. Restricted Data should not be stored unencrypted in cloud solutions, particularly those not contracted by the institution. Restricted Data should have a retention timeline and should be destroyed when no longer in use and when legally permissible. Data Stewards will work with ITS to ensure that appropriate technologies are available to provide adequate safeguards for Restricted Data while ensuring the availability for appropriate use.
In order to protect sensitive data, designated ITS staff may use auditing technologies to scan institutional technology systems. These technologies may include programs and utilities that allow for programmatic inspection of data and access permissions. The results of these scans may be centrally correlated for analysis in a secure environment. These technologies are not to be used to read the full context of the data, but rather to match established patterns, such as SSNs, Payment Card Data, etc. Confidentiality of all information gathered as a result of auditing will be maintained at all times. Access to information obtained through auditing will be limited to designated staff.
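The scanning approach described above (pattern matching for regulated elements without retaining the surrounding content) and the exposure thresholds set earlier in the policy are illustrated by the following added example; it is not ITS's tooling or part of the policy. It assumes a text export as input, uses the SSA issuance rules and the Luhn check to reduce false positives, keeps only the last four characters of each hit, and counts distinct masked values as an approximation of affected records against the Level 3 threshold of 250.

```python
import re
from collections import Counter

# Exposure threshold for Level 3: Restricted Data, as stated in the policy (records).
RESTRICTED_THRESHOLD = 250

# SSN: area not 000/666/9xx, group not 00, serial not 0000 (SSA issuance rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card number: 13 to 16 digits with optional space/hyphen separators.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four characters so the report never holds the full value."""
    return "*" * (len(value) - 4) + value[-4:]

def scan_text(text: str) -> dict:
    """Return {pattern: Counter(masked_value -> hits)}; surrounding context is never kept."""
    found = {"SSN": Counter(), "PAN": Counter()}
    for m in SSN_RE.finditer(text):
        found["SSN"][mask(m.group())] += 1
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found["PAN"][mask(digits)] += 1
    return found

def assess(found: dict, threshold: int = RESTRICTED_THRESHOLD) -> dict:
    """Distinct masked values approximate distinct records; compare with the threshold."""
    records = sum(len(counter) for counter in found.values())
    return {"records": records, "over_threshold": records > threshold}

# Constructed sample export; the values are test data, not real identifiers.
SAMPLE = """name,id,card
Pat Example,123-45-6789,4111 1111 1111 1111
Sam Example,234-56-7890,4111111111111112
Pat Example,123-45-6789,n/a
Lee Example,000-12-3456,1234 5678 9012 3456
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE)
    for kind, counter in hits.items():
        print(kind, dict(counter))
    print(assess(hits))
```

The invalid SSN area (000) and the two Luhn-failing digit strings in the sample are dropped, so the report lists two SSNs and one card number.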
| Security Protection | Level 1: Public Data | Level 2: Internal Data | Level 3: Restricted Data | Guideline(s) | Example(s) |
|---|---|---|---|---|---|
| Data Classification | ✓ | ✓ | ✓ | Know the level or class of the data that you are working with so that you can ensure that appropriate data security protections are employed. | Reference the Data Classification Policy to determine the level or class of the data that you are working with. |
| Access Controls | | ✓ | ✓ | Electronic and physical access controls ensure that only authorized individuals can access the data. | Passwords and/or authentication systems must be used to control access to view any Internal Data and Restricted Data. Similarly, any physical copies of Internal Data and Restricted Data must be secured by lock and key. |
| Data Encryption | | ✓ | ✓ | Encrypt data using industry-standard tools and technologies. Keep the encryption keys separate from the systems that contain the data. | Windows users may use EFS to encrypt files and folders. Mac users may use Disk Utility to encrypt files and folders. |
| Security Monitoring | | | ✓ | Create and conduct security operations processes to monitor for unauthorized access attempts. | Must be able to document all instances of access to the data, whether authorized or unauthorized. This could be accomplished via an automated access log report. |
| Incident Response Plan | | | ✓ | An incident response plan must be created to direct the response to any/all unauthorized access. | Document the procedures that will be followed in the event of any/all unauthorized access or disclosure of the Restricted Data. |