What is the Data Classification Policy
The Data Classification Policy is a policy effort to identify and classify Middlebury's data as either extremely sensitive, internal or public.
What are the different classes of data
There are three classes of data as defined in the policy:
Extremely Sensitive Data is data which is regulated by state or federal law or contractual obligation.
Internal Data is data that is not regulated but if breached could result in civil or reputational damage to the College.
Public data is all other data which, more importantly if breached or disclosed would not harm the College.
What is a Data Steward
A Data Steward is an individual who is responsible for the management and protection of a data set. As defined in the policy a data steward is, "The primary Data Stewards are department heads, or their designates, who have planning and policy level responsibility for data within their areas, and management responsibilities for defined segments of institutional data."
I think I am a Data Steward, What do I need to do
Quite simply your roll as a data steward is to manage your data. Become familiar with the data you work with and those who have access to it. Ensure that nobody is accessing the data who should not be and that those who are do not have more access than they should. This does not mean you need to change anything today and more information and support will come with time.
What does the policy mean for me
There are several stages to implementing the Data Classification Policy. This policy was passed in 2013 and applies to the entire institution. As an initial phase we need to make sure that everyone is aware of the policy. Regardless of your roll in the institution you handle data at some point. Custodians are exposed to data when they clean offices and Faculty are exposed to student records. Managers are exposed to payroll data while maintenance staff are exposed to MSDS sheets. We all work with data.
As we learn about the policy we need to identify Data Stewards for each functional area and their respective data sets. We also need to identify all of the different data stores across the institution. This is not a small job.
As we become more familiar with the policy and the ensuing processes we will start to re-organize the data and find different ways to operate around the data which are more secure. This implementation process will come with time. The roles of the data stewards will become more clearly defined in this process.
Once we as an institution have identified all of the different data sets and have become comfortable with what the policy means across our campuses we will find ways for holding ourselves accountable to the policy. For now we need to work on thinking about data differently.
Why do we have to classify our data
There are four primary reasons to classify data:
1. Compliance: Middlebury is making a significant effort to comply with state and federal regulations as well as a number of standards such as PCI. many of these require some level of data classification and protection.
2. Security: It is much more difficult to secure data when you do not know what you have where. As an effort to secure the assets of Middlebury College the data classification will go a long way to simplify this effort.
3. Organization and identification of data: through the organization of data it will be easier to know what we have and where it is located. This will help with data retention efforts, storage efforts, budget and simply finding information.
4. Knowing what types of data we have helps to know how they are protected. For example, credit card information is not allowed to be stored for any reason. Knowing if we have any of this information will help us to remove the data for compliance information. In contrast, knowing where Social Security Numbers may be located will help us to streamline business practices and secure this critical data against identity theft and help the College comply with many different regulations and standards.