Purpose:
The purpose of this standard is to assist Users, Stewards, Managers, and Information Service Providers in identifying what level of security is required to protect data for which they are responsible. The audience for this document is all students, faculty, staff, contractors, and vendors working with Santa Clara University data.
The information covered in this standard includes, but is not limited to, information that is stored or shared via any means. This includes: electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing).
This standard divides data into three categories:
- LEVEL ONE: Private information that must be protected as required by law or industry regulation
- LEVEL TWO: Protected information that may be made available when authorized by an appropriate officer of the University
- LEVEL THREE: Public information
Questions about the proper classification of a specific piece of information should be addressed to your manager. Questions about this standard should be addressed to the Information Security Office.
Data Classification Standard:
There are specific laws and regulations that govern some kinds of data. Additionally, there are situations where you must consider whether the confidentiality, integrity, or availability of the data is a factor. Finally, consider that you may be storing information on more than one system, such as moving data between computers by CD, flash drive, or smartphone. If you rate only your primary computer as Level One, but not your secondary computer or the transfer media, the secondary computer or storage media could put data at risk if it isn’t well protected.
Level One Data:
University data protected specifically by federal or state law (HIPAA; FERPA; Sarbanes-Oxley; Gramm-Leach-Bliley), industry regulation (PCI-DSS), or Santa Clara University rules and regulations (specific donor and employee data). University data that are not otherwise protected by a known civil statute or regulation, but which must be protected due to contractual agreements requiring confidentiality, integrity, or availability considerations (e.g., Non-Disclosure Agreements, Memoranda of Understanding, Service Level Agreements, Granting or Funding Agency Agreements, etc.).
Follow this link for Level One Data Classification Examples
Follow this link to learn How to Classify Data
Examples of How Data Can Be Lost:
- Laptop or other data storage system stolen from car, lab, or office.
- Research Assistant accesses system after leaving research project because passwords aren’t changed.
- Unauthorized visitor walks into unlocked lab or office and steals equipment or accesses unsecured computer.
- Unsecured application on a networked computer is hacked and data stolen.
Impact of Level One Data Loss:
- Long-term loss of reputation
- Long-term loss of research funding from granting agencies
- Published research called into question because data is unreliable
- Unauthorized tampering of research data
- Increased regulatory requirements
- Long-term loss of critical campus or departmental service
- Individuals put at risk for identity theft
Protect Level One data by applying the appropriate Minimum Security Standard for Endpoints.
Level Two Data:
University data not otherwise identified as Level One data, but which are releasable when authorized by an appropriate officer of the University. Such data must be appropriately protected to ensure a controlled and lawful release.
Examples of How Data Can Be Lost:
In addition to the scenarios described for Level One Data:
- Staff member wanting to be helpful releases information they are not authorized to share.
Impact of Level Two Data Loss:
- Short-term loss of reputation
- Short-term loss of research funding
- Short-term loss of critical departmental service
- Unauthorized tampering of research data
- Individuals put at risk for identity theft
Protect Level Two data by applying the appropriate Minimum Security Standard for Endpoints.
Level Three Data:
University data not otherwise identified as Level One or Level Two data (e.g., publicly available). Such data have no requirement for confidentiality, integrity, or availability.
Examples of How Data Can Be Lost:
- See the above scenarios
Impact of Level Three Data Loss:
- Loss of use of personal workstation or laptop
- Loss of personal data with no impact to the university
Protect Level Three data by applying the appropriate Minimum Security Standard for Endpoints.
Scope:
All university data must be classified into one of the three categories in order to determine how to implement appropriate security measures to protect it. This standard emphasizes steps that you can take to protect data. For example, Level One information should not be left unattended in conference rooms or offices. Systems storing or sharing data will be configured consistent with the university Minimum Security Standards for Systems. Level One data has more stringent requirements than Levels Two and Three. However, all require some protective measures.
Data that is personal to the operator of a system and stored on a university IT resource as a result of incidental personal use is not considered university data. University data stored on non-university IT resources must still be verifiably protected according to the respective university minimum security standards.
Responsibility:
All users of Santa Clara data are responsible for compliance with this standard.
Procedures:
Non-Compliance and Exceptions:
- To request an exception, complete the Policy Exception and Risk Assumption Form.
- Non-compliance with these standards may result in revocation of system or network access, notification of supervisors, expulsion, termination of employment, and possible civil and/or criminal prosecution to the full extent of the law.
Related Santa Clara Policies, Procedures, Best Practices, and Applicable Laws:
- Data Classification Examples
- How to Classify Data
- Minimum Security Standards for Systems
- Information Security Policy Exception Request
- Information Resources Acceptable Use Agreement
Portions of this document are adapted with permission from the University of Texas at Austin, Stanford University, and the SANS Institute Security Policy Project.