The purpose of the data classification policy is to define different classifications of data and to describe principles for access, use, and safeguards of data, based on classification.
The following guidelines apply to data either owned by Middlebury or that the institution has an interest in protecting. The scope of this policy is not limited to the Middlebury network; it extends to all data stored and used on any Middlebury campus, or by any Middlebury affiliate or partner, regardless of format.
To prevent unauthorized disclosure of data, the classification system in this policy defines the appropriate use, modification and disclosure of data, including thresholds for breached data based on the type of data in question. Exposure of data below these thresholds, while a security incident and a concern, may not constitute a violation of this policy. Exposure above these limits constitutes a security breach and is a violation of this policy. For reference, note that Vermont Act 162 requires notification for breaches of personally identifiable information (PII) above 1,000 records.
This Policy applies to all individuals who access, use, or manage data owned by or protected by Middlebury College. This includes but is not limited to:
- Student Employees
- Agents of the College
- Parties affiliated with the College that have been granted access to College resources
All parties with access to data on the College network or other information stored by the College should be familiar with this policy. Information classified as Sensitive and Highly Sensitive requires strict security controls, will have limited access and disclosure, and may be subject to legal restrictions.
Data Stewards are responsible for the management of data. Each Data Set will have identified Data Stewards. Data Stewards are responsible for classifying the data, assigning the correct level of access to the data, and defining the retention policy for the data. Data stewards must ensure that the policy is enforced for their data set, and that the appropriate confidentiality, integrity and availability of the data are maintained.
Individuals with access to data have been granted a level of trust by the Data Stewards and as such are responsible for upholding the security and integrity of the data to which they have access, and should be aware of best practices in secure data management.
The primary Data Stewards are department heads, or their delegates, who have planning and policy level responsibility for data within their areas, and management responsibilities for defined segments of institutional data. Currently, most data stewardship responsibilities are provided by Functional Area Leads.
It is a Data Steward’s responsibility to:
- develop consistent data definitions
- develop and adhere to data standards created by the institution
- document the business rules of their area
- monitor the quality of the data input and output from the systems they use
- define security requirements
- work with other data stewards on integration requirements
- communicate critical uses of data on which other departments depend
As data are developed, Data Stewards ensure that storage of, and access to, the data is appropriately managed. This includes documenting and classifying every form, view, report and other means of access through which the data is made visible.
The data stewardship function shall have one or more Data Stewards assigned to each data set. These sets belong to major categories of institutional data, including:
- Financial data (institutional, student)
- Employment data (faculty, staff, student)
- Academic data (student, prospective student, faculty)
- Health data (student)
- Philanthropic data (alumni, donors)
Data is organized into four distinct levels or classes: Level 1: Public Data, Level 2: Private Data, Level 3: Sensitive Data, and Level 4: Highly Sensitive Data. Each level or class of data has its own requirements with respect to safeguards and procedures in the event of inappropriate disclosure.
Level 1: Public Data
Public Data is considered to be any data that does not fall into the Private Data or either of the two Sensitive Data classifications defined below. The disclosure of Public Data does not pose a risk to the institution. Public Data may be publicly accessible but does not require public access. There are no restrictions on the storage or distribution of Public Data.
Examples of Public Data include:
- Public Web Sites
- Marketing Materials
- Business Addresses
Level 2: Private Data
Private Data, while not protected by state or federal law or regulatory standards, is data that might impact Middlebury’s reputation or result in a civil action against the institution, should it be breached. Access to Private Data should be limited to Data Stewards and only those members of the institution to whom Data Stewards have granted access. Regular audits of access to Private Data should be conducted by the Data Stewards to ensure appropriate access. The exposure threshold for Private Data is set at 750 records.
Examples of Private Data include:
- Account Credentials
- Budget Information
- Research and Manuscripts
- Payroll and Employment Documentation
- Donation/Giving History
- Systems & Network Diagrams
- Strategic Information Unique to Middlebury
Access to Private Data should be needs based, with the needs assessed by the Data Stewards.
Level 3: Sensitive Data
Sensitive Data is defined as data that is regulated by law or contract or, if exposed to unauthorized parties, could result in harm to individuals, reputational loss to the College, or punitive action. Regular audits of access to Sensitive Data should be conducted by the data stewards to ensure appropriate access controls exist. The threshold for exposure for Sensitive Data is set at 1 record.
Examples of Sensitive Data include:
- Social Security Number (PII)
- Driver’s License ID Number (PII)
- Passport ID Number (PII)
- Tax ID Number (PII)
- Health Information (HIPAA)
- Class Schedules (FERPA)
- Academic Actions (FERPA)
- Grades and Transcripts (FERPA)
- Payment Card Data (PCI)
Other data elements that can be associated with an individual (PII), particularly when used in various combinations with regulated data elements, may be treated as Sensitive Data, depending on the usage. When assessing data, each data set must be analyzed to determine if any given combination poses a risk.
Examples of Associated Sensitive Data elements:
- Date of Birth (DOB)
- Home Address
- Email Address
- Telephone Number
- Mother’s Maiden Name
- Employment History
- College ID Number
- ID Photo
Examples of Associated Sensitive Data elements that (when combined) must also be treated as Level 3 Sensitive Data:
- Name + PII (any above)
- Name + DOB + College ID Number / ID Photo
- Name + Employment History
Safeguards for Sensitive Data should include an approved enterprise storage location and regular monitoring and auditing of access. Access should be limited to those with a legitimate need to use the data. Transmission of Sensitive Data outside a Middlebury-approved enterprise storage location requires both encryption and verification of the recipient's identity, and must protect the data from modification in transit (a channel or format that provides integrity protection alongside confidentiality). Sensitive Data should not be stored unencrypted in cloud solutions, particularly those not contracted by the institution. Sensitive Data should have a retention timeline and should be destroyed when no longer in use and when legally permissible. Data Stewards will work with ITS to ensure that appropriate technologies are available to safeguard Sensitive Data while keeping it available for appropriate use.
Level 4: Highly Sensitive Data
Highly Sensitive Data is defined as data that has privacy and security requirements that exceed Middlebury’s normal security standards. Highly Sensitive Data may be subject to additional security protections and controls. Please consult Middlebury Information Security for guidance on safe handling of Highly Sensitive Data. The threshold for exposure for Highly Sensitive Data is set at 1 record.
Examples of Highly Sensitive Data include:
- Legal matters
- Certain types of research information
To protect sensitive data, designated ITS staff may use auditing technologies to scan institutional technology systems. These may include programs and utilities that programmatically inspect data and access permissions. The results of these scans may be centrally correlated for analysis in a secure environment. These technologies are not used to read the full content of the data, but to match established patterns such as SSNs and Payment Card Data. Confidentiality of all information gathered through auditing will be maintained at all times, and access to it will be limited to designated staff.
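The pattern-matching scan described above, as an added example (not Middlebury's or ITS's own tooling): it flags SSN-shaped and payment-card-shaped strings, applies the Luhn check so that numeric strings that merely look like card numbers are dropped, and keeps only a redacted form of each hit so the scan never reports the full content of the data. The file name, the sample text and the `THRESHOLDS` mapping of the policy's exposure thresholds are constructed here for illustration.

```python
"""Pattern-based scan for regulated data elements (SSNs, payment card numbers).

Added example, not Middlebury's own tooling. It matches established patterns
without retaining the surrounding content: only a redacted form of each hit,
the item name and the counts are kept.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# SSN: 3-2-4 digits with optional "-" or " " separators. The lookaheads drop
# area numbers 000, 666 and 9xx and all-zero groups, which are never issued.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)(\d{3})[- ]?(?!00)(\d{2})[- ]?(?!0000)(\d{4})\b"
)
# Candidate PAN: 13 to 19 digits, optionally separated by "-" or " ".
# Deliberately loose; the Luhn check below removes most non-card numbers.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Exposure thresholds stated in the policy (records); constructed mapping.
THRESHOLDS = {"Private": 750, "Sensitive": 1, "Highly Sensitive": 1}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class ScanResult:
    name: str
    ssn_hits: list[str] = field(default_factory=list)   # e.g. ***-**-6789
    pan_hits: list[str] = field(default_factory=list)   # e.g. ************1111

    @property
    def record_count(self) -> int:
        return len(self.ssn_hits) + len(self.pan_hits)


def scan_text(name: str, text: str) -> ScanResult:
    """Scan text for SSN and card patterns; record redacted hits only."""
    result = ScanResult(name)
    for m in SSN_RE.finditer(text):
        result.ssn_hits.append(f"***-**-{m.group(3)}")
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            result.pan_hits.append("*" * (len(digits) - 4) + digits[-4:])
    return result


def exceeds_threshold(result: ScanResult, level: str = "Sensitive") -> bool:
    """True if the number of regulated records found meets the policy threshold."""
    return result.record_count >= THRESHOLDS[level]


# Constructed sample input (not real records). Each item is on its own line
# so the loose PAN pattern cannot run across two separate numbers.
SAMPLE = """\
Employee roster export (constructed sample data)
Jane Doe, SSN 123-45-6789, ext. 4021
Card on file: 4111 1111 1111 1111
Order ref 1234 5678 9012 3456 (fails Luhn, so not reported as a card)
Phone 802-443-5000
"""

if __name__ == "__main__":
    r = scan_text("roster.txt", SAMPLE)
    print(r.name, r.ssn_hits, r.pan_hits, r.record_count)
    print("exceeds Sensitive threshold:", exceeds_threshold(r, "Sensitive"))
```

Two records in this sample already meet the one-record threshold for Sensitive Data, while the same count would sit far below the 750-record threshold for Private Data; the Luhn check is what keeps the order reference out of the report.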
Data Security Guidelines
The following is intended to present a simplified view of the different types of security protections that should be ensured for the different levels or classes of data.
| Protection | Level 1 | Level 2 | Level 3 | Level 4 | What it means | Guidance |
|---|---|---|---|---|---|---|
| Data Classification | ✓ | ✓ | ✓ | ✓ | Know the level or class of the data that you are working with so that you can ensure that appropriate data security protections are employed. | Reference the Data Classification Policy to determine the level or class of the data that you are working with. |
| Access Controls | | ✓ | ✓ | ✓ | Electronic and physical access controls ensure that only authorized individuals can access the data. | Passwords and/or authentication systems must be used to control access to view any Private, Sensitive or Highly Sensitive Data. Similarly, any physical copies of such data must be secured by lock and key. |
| Data Encryption | | ✓ | ✓ | ✓ | Encrypt data using industry-standard tools and technologies. Keep the encryption keys separate from the systems that contain the data. | Windows users may use EFS to encrypt files and folders. Mac users may use Disk Utility to encrypt files and folders. Both protect data at rest on a single device with keys tied to the local account, so they do not by themselves satisfy the key-separation guidance; Sensitive Data belongs in the approved enterprise storage location. |
| Security Monitoring | | | ✓ | ✓ | Create and conduct security operations processes to monitor for unauthorized access attempts. | Must be able to document all instances of access to the data, whether authorized or unauthorized. This could be accomplished via an automated access log report. |
| Incident Response Plan | | | ✓ | ✓ | An incident response plan must be created to direct the response to any unauthorized access. | Document the procedures that will be followed in the event of any unauthorized access to or disclosure of the data. |
| Additional Security Requirements | | | | ✓ | Meet additional security requirements. | Contact Information Security. |