Home > Policies > Procedures Manual > Business > 04-013 Data Classification and Access Policy

04-013 Data Classification and Access Policy

Last Update: November 5, 2025

Approved: November 4, 2025 by President Zvi Szafran

Policy Contact: Chief Information Officer

Supersedes:


I. SCOPE

This policy applies to all individuals with SUNY Canton employee-level permission to use network and electronic resources (i.e., faculty, staff, and campus-affiliated individuals and organizations), as well as to external vendors and contractors who receive and maintain collections of institutional data.

II. POLICY STATEMENT

The purpose of this policyis to establish a framework for classifying institutional data based on its level of sensitivity and criticality to the College. Classification of data will aid in determining minimum security controls for the protection of data in how we access, save, send, and store data. Minimum security controls will be implemented in accordance with policy, regulatory requirements, and available institutional resources.

III. POLICY

All institutional data stored on college systems, or non-college owned resources where college business is transacted, will be classified into one of the three categories defined by this policy. Based on the classification, Data Stewards, Data Custodians, and Data Users are required to implement appropriate administrative, technical, and physical controls to protect the data in keeping with the classification of that data.

Compliance with this policy and the corresponding minimum security standards must be incorporated into business processes to ensure data is properly secured. Data that is personal to the operator of a system and stored on a college information technology resource as a result of incidental personal use is not considered institutional data. College data stored on non-college IT resources must still be protected according to respective minimum-security standards.

When information from multiple classifications is co-located on the same system without effective means of isolation, or within the same repository, database, archive, or record, the minimum-security controls of the category representing the highest risk must be applied.

If a Data Steward, Data Custodian, or Data User discovers a security breach of any kind it must be immediately reported to the Information Services (IS) Helpdesk. The IS team will take immediate action to mitigate the breach and begin forensic discovery.

Data Risk Classification Category

Category 3

Risk to College from Disclosure

High

Definition
  • The loss of confidentiality, integrity, or availability of the data or system would likely have a significant, adverse impact on the College's mission, safety, finances, or reputation.
  • Protection of the data is required by law/regulation or contractual agreement or is otherwise highly sensitive.
  • Data in this category includes private information defined in the New York State Security and Breach Notification Act.
  • Data in this category may be exempt from disclosure/release under the New York State Freedom of Information Law (FOIL).
  • Data in this category often has mandatory notification requirements in the event of inadvertent disclosure.

Examples
  • Social security number (SSN)
  • Driver license number
  • State-issued non-driver ID number
  • Bank/financial account number
  • Credit/debit card number (CCN)
  • Protected Health Information (PHI)
  • Passport number
  • College I.T. authentication credentials
  • Export controlled data
  • Large (1,000+ records) data sets of Category 2 records, including education and employee records

Data Risk Classification Category

Category 2

Risk to College from Disclosure

Moderate

Definition
  • The loss of confidentiality, integrity, or availability of the data or system could have an adverse impact on the College's mission, safety, finances, or reputation.
  • Protection of data may be required by law/regulation or contract.
  • Includes College Data not identified as Category 3 data and protected by state and federal laws and regulations. This includesFERPA-protected student records and records that are specificallyexempted from the disclosure requirements of New York State (NYS) FOIL.
  • Data qualified to be released under the NYS FOIL is not, by definition, exempt from classification as Category 2.
  • Data in this category must be protected to ensure that it is not inadvertently or unnecessarily disclosed.

Examples
  • Small sets of education and employee records (under 1,000 records)
  • Personal information of employees and affiliates (salary, personnel files, disciplinary actions, home address)
  • Law enforcement investigation data, judicial proceedings data includes student disciplinary or judicial action information
  • Public safety information
  • IT infrastructure data
  • Collective bargaining negotiation data, contract negotiation data
  • Trade secret data
  • Protected data related to research
  • College intellectual property
  • College proprietary data
  • Data protected by external non-disclosure agreements
  • Inter- or intra-agency data which are not: statistical or factual tabulations, instructions to staff that affect the public, final agency policy or determination
  • Audit data
  • Licensed software
  • Non-public intellectual property
  • Documents protected by attorney-client privilege

Data Risk Classification Category

Category 1

Risk to College from Disclosure

Low

Definition
  • Includes College Data not included in Category 3 or Category 2 and data that are intended for public disclosure. The loss of confidentiality of this data or the systems containing it would have insignificant impact on the College's mission, safety, finances, or reputation.
  • This category includes general access data, such as that available on unauthenticated portions of the College's website.
  • Public data have no requirements for confidentiality; however, systems housing the data should take reasonable measures to protect its integrity and availability.

Examples
  • General access data, such as that on unauthenticated portions of the institution's website
  • Select HR directory information (name, department, position title, campus address)
  • Statistical information released to federal, state, or other agencies for public disclosure

IV. DEFINITIONS

Data Users:Employees or agents of the College who access enterprise data in performance of their assigned duties.

Data Custodians:College officials and their staff who have operational-level responsibility for the capture, maintenance, dissemination, and storage of enterprise data.

Data Stewards:College administrators whose areas have responsibility for managing a segment of the College’s enterprise data resources.

Institutional Data: Information collected or created through a function of the university.

Incidental Personal Use: Limited, non-business use of employer-provided technology resources—such as computers, email systems, and internet access—by employees, if that use: 1) Does not interfere with work duties or the performance of job responsibilities. 2) Does not incur additional costs to the employer or require significant use of resources. 3) Does not violate policies, laws, or regulations, especially those related to data security and confidentiality. 4) Is occasional and reasonable, not habitual or excessive.

Information Technology Resources: Refers to the College’s information assets (i.e. hardware, software, or data) used by employees, students, and affiliates for college business.

Affiliated Individuals and Organizations:External organizations, and their employees and volunteers, whose activities significantly assist SUNY Canton in advancing and achieving its strategic goals. Examples include, but are not limited to, College Association, the College Foundation, the Research Foundation of New York, and the Cornell Cooperative Extension and its partners.

V. OTHER RELATED INFORMATION

VI. PROCEDURES

None

VII. FORMS

None

VIII. AUTHORITY

NYS and SUNY Mandated Policy, Regulatory Compliance

IX. APPENDICES

Appendix A: Data Classification Roles and Responsibilities

X. FREQUENCY OF REVIEW AND UPDATE

Policies will have a normal review period of every three (3) years unless required otherwise

 

Appendix A: Data Classification Roles and Responsibilities

Information Security Working Group (ISWG): The Information Security Working Group will be responsible for reviewing and updating this policy as necessary. This committee shall be composed of the appropriate individuals from Information Services, Banner Advisory, and select functional offices.

Information Services Group (ISG): A team from Information Services will approve how enterprise data is stored, processed, and transmitted by the university and by third-party agents of the College. This approval will be handled through review of data flow documentation maintained by a Data Custodian. In situations where enterprise data is being managed by a third party, the contract or service level agreement should require documentation of how enterprise data is or will be stored, processed, and transmitted.

Data Steward: Data Stewards are college administrators whose areas have responsibility for managing a segment of the university's enterprise data resources. Responsibilities of a Data Steward include the following:

  • Determining the appropriate criteria for obtaining access to enterprise data - A Data Steward is accountable for who has access to enterprise data. This does not imply that a Data Steward is responsible for day-to-day provisioning of access. Provisioning access is the responsibility of a Data Custodian in conjunction with Information Services (IS). A Data Steward may decide to review and authorize each access request individually, or a Data Steward may define a set of rules that determine who is eligible for access based on business function, support role, etc. These rules should be documented in a manner that allows little or no room for interpretation by a Data Custodian. If no rule is present for a data set, the Data Custodian must consult the Data Steward before granting access or releasing data.
  • Understanding how enterprise data is stored, processed, and transmitted by the university and by third party agents of the university - While the ISG team is responsible for approving how enterprise data is stored, processed, and transmitted based on SUNY's Information Security policy, it is important for the Data Steward to understand these important standards in order to ensure reasonable and appropriate security controls are implemented. This can be accomplished through review of data flow documentation maintained by a Data Custodian. In situations where enterprise data is being managed by a third party, the contract or service level agreement should require documentation of how data is or will be stored, processed, and transmitted.
  • Understanding risk tolerance and accepting or rejecting risk related to security threats that impact the confidentiality, integrity, and availability of enterprise data - Information security requires a balance between security, usability, and available resources. Risk management plays an important role in establishing this balance. Understanding what classifications of data are being stored, processed, and transmitted will allow Data Stewards to better assess risks. Understanding legal obligations and the cost of non-compliance will also play a role in this decision-making. Both the ISWG and SUNY counsel can assist Data Stewards in understanding risks and weighing options related to data protection.
  • Understanding how enterprise data is governed by university policies, state and federal regulations, contracts, and other legally binding agreements - Data Stewards should understand whether or not any university policies govern their enterprise data. Data Stewards are responsible for having a general understanding of legal and contractual obligations surrounding enterprise data. SUNY counsel and the SUNY Information Security policy can assist Data Stewards in gaining a better understanding of legal obligations.

Data Custodian: A Data Custodian is an employee of the university who has operational responsibility over enterprise data. In many cases, there will be multiple Data Custodians. An enterprise application may have teams of Data Custodians, each responsible for varying functions. A Data Custodian is responsible for the following:

  • Understanding and reporting on how enterprise data is stored, processed, and transmitted by the university and by third-party agents of the university - Understanding and documenting how enterprise data is being stored, processed, and transmitted is the first step toward safeguarding that data. Without this knowledge, it is difficult to implement or validate safeguards in an effective manner. One method of performing this assessment is to create a data flow diagram for a subset of data that illustrates the system(s) storing the data, how the data is being processed, and how the data traverses the network. Data flow diagrams can also illustrate security controls as they are implemented. Regardless of the approach, documentation should exist and be made available to the appropriate Data Steward. Transmitting, storing, and processing of data should be in conjunction with Information Services.
  • Implementing appropriate physical and technical safeguards to protect the confidentiality, integrity, and availability of enterprise data - ISG will implement reasonable and appropriate security controls for the classifications of data. Contractual obligations, regulatory requirements, and industry standards also play an important role in implementing appropriate safeguards. Data Custodians should work with Data Stewards to gain a better understanding of these requirements. Data Custodians should also document what security controls have been implemented and where gaps may exist in current controls. This documentation should be made available to the appropriate Data Steward.
  • Documenting and disseminating administrative and operational procedures to ensure consistent storage, processing, and transmission of enterprise data - Documenting operational procedures goes hand in hand with understanding how data is stored, processed, and transmitted. Data Custodians should document as many repeatable processes as possible. This will help ensure that university data is handled in a consistent manner. This will also help ensure that safeguards are being effectively leveraged.
  • Provisioning and de-provisioning access to enterprise data as authorized by the Data Steward - Data Custodians are responsible for provisioning and de-provisioning access based on criteria established by the appropriate Data Steward. As specified above, standard procedures for provisioning and de-provisioning access should be documented and made available to the appropriate Data Steward.
  • Understanding and reporting on security risks and how they impact the confidentiality, integrity, and availability of enterprise data - Data Custodians should have a thorough understanding of security risks impacting their enterprise data. Security risks should be documented and reviewed with the appropriate Data Steward so that the Data Steward can determine whether greater resources need to be devoted to mitigating these risks. The ISG team can assist Data Custodians with gaining a better understanding of their security risks.

Data Consumer: A Data Consumer is a person that has been authorized access to specific enterprise data. Data Consumers/Users are required to abide by all data classification rules defined by both this policy and the Data Custodian.