Applies to: Faculty, Staff, Students, Contractors_Vendors
College Data is information generated by or for, owned by, or otherwise in the possession of STLCOP that is related to the College’s activities. College Data may exist in any format (e.g., electronic, paper) and includes, but is not limited to, all academic, administrative, and research data, as well as the computing infrastructure and program code that supports the business of STLCOP.
Applies to all active members of the College community, including faculty, students, staff, and affiliates, and to authorized visitors, guests, and others for whom College technology resources and network access are made available by the College. This policy also applies to campus visitors who avail themselves of the College’s temporary visitor wireless network access, and to those who register their computers and other devices through Conference and Event Services programs or through other offices, for use of the campus network.
| Term | Definition |
|---|---|
| Chief Information Security Officer (CISO) | The Information Technology employee designated to serve as the primary person responsible for information security. |
| Information Security Team | Employees designated to manage breaches under the Security Incident Response policy. |
In order to effectively secure College Data, we must have a vocabulary that we can use to describe the data and quantify the amount of protection required. This policy defines four categories into which all College Data can be divided: Public, Internal, Confidential, and Restricted Use.
College Data that is classified as Public may be disclosed to any person regardless of their affiliation with the College. All other College Data is considered Sensitive Information and must be protected appropriately. This document provides definitions for and examples of each of the four categories. Other policies within the Data Protection Standards specify the security controls that are required for each category of data.
The various units and departments at the College have a multitude of types of documents and data. To the extent particular documents or data types are not explicitly addressed within this policy, each business unit or department should classify its data by considering the potential for harm to individuals or the College in the event of unintended disclosure, modification, or loss. The Departmental Security Administrator (defined in the Data Management Guide) may assist with the classification process and coordinate with the STLCOP Information Security Team to achieve consistency across the College. When classifying data, each department should weigh the risk created by an unintended disclosure, modification or loss against the need to encourage open discussion, improve efficiency and further the College’s goals of the creation and dissemination of knowledge. Departments should be particularly mindful to protect sensitive personal information, such as Social Security Numbers, drivers’ license numbers and financial account numbers, disclosure of which may create the risk of identity theft.
Some information could be classified differently at different times. For example, information that was once considered to be Confidential data may become Public data once it has been appropriately disclosed. Everyone with access to College Data should exercise good judgment in handling sensitive information and seek guidance from management as needed.
Scope
This classification scheme is to be applied to all College Data, both physical and electronic, throughout STLCOP. No data item is too small to be classified.
Public data is information that may be disclosed to any person regardless of their affiliation with the College. The Public classification is not limited to data that is of public interest or intended to be distributed to the public; the classification applies to data that does not require any level of protection from disclosure. While it may be necessary to protect original (source) documents from unauthorized modification, Public data may be shared with a broad audience both within and outside the College community, and no steps need be taken to prevent its distribution.
Examples of Public data include press releases, directory information (not subject to a FERPA block), course catalogs, application and request forms, and other general information that is openly shared. The type of information a department would choose to post on its website is a good example of Public data.
Internal data is information that is potentially sensitive and is not intended to be shared with the public. Internal data generally should not be disclosed outside of the College without the permission of the person or group that created the data. It is the responsibility of the data owner to designate information as Internal where appropriate. If you have questions about whether information is Internal or how to treat Internal data, you should talk to your dean or department head.
Examples of Internal data include: some memos, correspondence, and meeting minutes; contact lists that contain information that is not publicly available; and procedural documentation that should remain private.
Confidential data is information that, if made available to unauthorized parties, may adversely affect individuals or the business of STLCOP. This classification also includes data that the College is required to keep confidential, either by law (e.g., FERPA) or under a confidentiality agreement with a third party, such as a vendor. This information should be protected against unauthorized disclosure or modification. Confidential data should be used only when necessary for business purposes and should be protected both when it is in use and when it is being stored or transported.
Any unauthorized disclosure or loss of confidential data must be reported to the appropriate dean or department head. The dean or department head should determine whether to report the unauthorized disclosure or loss of confidential data to the IT Department Chief Information Security Officer (“CISO”).
Examples of Confidential data include:
Restricted Use data includes any information that STLCOP has a contractual, legal, or regulatory obligation to safeguard in the most stringent manner. In some cases, unauthorized disclosure or loss of this data would require the College to notify the affected individual and state or federal authorities. In some cases, modification of the data would require informing the affected individual.
The College’s obligations will depend on the particular data and the relevant contract or laws. The Minimum Security Standards Policy sets a baseline for all Restricted Use data. Systems and processes protecting the following types of data need to meet that baseline:
More stringent requirements exist for some types of Restricted Use data. Individuals working with the following types of data must follow the College policies governing those types of data and consult with the Information Security Team to ensure they meet all of the requirements of their data type:
Restricted Use data should be used only when no alternative exists and must be carefully protected. Any unauthorized disclosure, unauthorized modification, or loss of Restricted Use data must be reported to the STLCOP Security Incident Response Team. Please see the Security Incident Response Policy.
Some data may be subject to specific protection requirements under a contract or grant, or according to a law or regulation not described here. In those circumstances, the most restrictive protection requirements should apply. If you have questions, please contact Information Security.
Important
Failure to comply with the Data Protection Standards may result in harm to individuals, organizations or STLCOP. The unauthorized or unacceptable use of College Data, including the failure to comply with these standards, constitutes a violation of College policy and may subject the User to revocation of the privilege to use College Data or Information Technology or disciplinary action, up to and including termination of employment.
| Position/Office/Department | Responsibility |
|---|---|
| All computer and infrastructure users | Abide by College Data Classification Policy |
| Director, Information Technology | Serve as Chief Information Security Officer (CISO) |
Data Protection Standards policies
Digital Millennium Copyright Act Policy
Security Incident Response Policy
Health Insurance Portability and Accountability Act (HIPAA) Policy
| Name | Contact Information |
|---|---|
| Lewis, Zachary, Director IT | Zachary.Lewis@stlcop.edu, 314-446-8402 |
| Knoll, Eric, Vice President Operations | Eric.Knoll@stlcop.edu, 314-446-8375 |