Home > Policies > Procedures Manual > Business > 04-013 Data Classification and Access Policy

04-013 Data Classification and Access Policy

I. SCOPE

This policy applies to all individuals with SUNY Canton employee-level permission to use network and electronic resources (i.e., faculty, staff, and campus-affiliated individuals and organizations), as well as to external vendors and contractors who receive and maintain collections of institutional data.

II. POLICY STATEMENT

The purpose of this policyis to establish a framework for classifying institutional data based on its level of sensitivity and criticality to the College. Classification of data will aid in determining minimum security controls for the protection of data in how we access, save, send, and store data. Minimum security controls will be implemented in accordance with policy, regulatory requirements, and available institutional resources.

III. POLICY

All institutional data stored on college systems, or non-college owned resources where college business is transacted, will be classified into one of the three categories defined by this policy. Based on the classification, Data Stewards, Data Custodians, and Data Users are required to implement appropriate administrative, technical, and physical controls to protect the data in keeping with the classification of that data.

Compliance with this policy and the corresponding minimum security standards must be incorporated into business processes to ensure data is properly secured. Data that is personal to the operator of a system and stored on a college information technology resource as a result of incidental personal use is not considered institutional data. College data stored on non-college IT resources must still be protected according to respective minimum-security standards.

When information from multiple classifications is co-located on the same system without effective means of isolation, or within the same repository, database, archive, or record, the minimum-security controls of the category representing the highest risk must be applied.

If a Data Steward, Data Custodian, or Data User discovers a security breach of any kind it must be immediately reported to the Information Services (IS) Helpdesk. The IS team will take immediate action to mitigate the breach and begin forensic discovery.

Data Risk Classification Category	Category 3
Risk to College from Disclosure	High
Definition	The loss of confidentiality, integrity, or availability of the data or system would likely have a significant, adverse impact on the College's mission, safety, finances, or reputation. Protection of the data is required by law/regulation or contractual agreement or is otherwise highly sensitive. Data in this category includes private information defined in the New York State Security and Breach Notification Act. Data in this category may be exempt from disclosure/release under the New York State Freedom of Information Law (FOIL). Data in this category often has mandatory notification requirements in the event of inadvertent disclosure.
Examples	Social security number (SSN) Driver license number State-issued non-driver ID number Bank/financial account number Credit/debit card number (CCN) Protected Health Information (PHI) Passport number College I.T. authentication credentials Export controlled data Large (1,000+ records) data sets of Category 2 records, including education and employee records

Data Risk Classification Category	Category 2
Risk to College from Disclosure	Moderate
Definition	The loss of confidentiality, integrity, or availability of the data or system could have an adverse impact on the College's mission, safety, finances, or reputation. Protection of data may be required by law/regulation or contract. Includes College Data not identified as Category 3 data and protected by state and federal laws and regulations. This includesFERPA-protected student records and records that are specificallyexempted from the disclosure requirements of New York State (NYS) FOIL. Data qualified to be released under the NYS FOIL is not, by definition, exempt from classification as Category 2. Data in this category must be protected to ensure that it is not inadvertently or unnecessarily disclosed.
Examples	Small sets of education and employee records (under 1,000 records) Personal information of employees and affiliates (salary, personnel files, disciplinary actions, home address) Law enforcement investigation data, judicial proceedings data includes student disciplinary or judicial action information Public safety information IT infrastructure data Collective bargaining negotiation data, contract negotiation data Trade secret data Protected data related to research College intellectual property College proprietary data Data protected by external non-disclosure agreements Inter- or intra-agency data which are not: statistical or factual tabulations, instructions to staff that affect the public, final agency policy or determination Audit data Licensed software Non-public intellectual property Documents protected by attorney-client privilege

Data Risk Classification Category	Category 1
Risk to College from Disclosure	Low
Definition	Includes College Data not included in Category 3 or Category 2 and data that are intended for public disclosure. The loss of confidentiality of this data or the systems containing it would have insignificant impact on the College's mission, safety, finances, or reputation. This category includes general access data, such as that available on unauthenticated portions of the College's website. Public data have no requirements for confidentiality; however, systems housing the data should take reasonable measures to protect its integrity and availability.
Examples	General access data, such as that on unauthenticated portions of the institution's website Select HR directory information (name, department, position title, campus address) Statistical information released to federal, state, or other agencies for public disclosure

IV. DEFINITIONS

Data Users:Employees or agents of the College who access enterprise data in performance of their assigned duties.

Data Custodians:College officials and their staff who have operational-level responsibility for the capture, maintenance, dissemination, and storage of enterprise data.

Data Stewards:College administrators whose areas have responsibility for managing a segment of the College’s enterprise data resources.

Institutional Data: Information collected or created through a function of the university.

Incidental Personal Use: Limited, non-business use of employer-provided technology resources—such as computers, email systems, and internet access—by employees, if that use: 1) Does not interfere with work duties or the performance of job responsibilities. 2) Does not incur additional costs to the employer or require significant use of resources. 3) Does not violate policies, laws, or regulations, especially those related to data security and confidentiality. 4) Is occasional and reasonable, not habitual or excessive.

Information Technology Resources: Refers to the College’s information assets (i.e. hardware, software, or data) used by employees, students, and affiliates for college business.

Affiliated Individuals and Organizations:External organizations, and their employees and volunteers, whose activities significantly assist SUNY Canton in advancing and achieving its strategic goals. Examples include, but are not limited to, College Association, the College Foundation, the Research Foundation of New York, and the Cornell Cooperative Extension and its partners.

V. OTHER RELATED INFORMATION

• SUNY Policy 6900
• SUNY Policy 9500
• NYS Breach Notification Law

VI. PROCEDURES

None

VII. FORMS

None

VIII. AUTHORITY

NYS and SUNY Mandated Policy, Regulatory Compliance

IX. APPENDICES

Appendix A: Data Classification Roles and Responsibilities

X. FREQUENCY OF REVIEW AND UPDATE

Policies will have a normal review period of every three (3) years unless required otherwise


Top