OM 9.1.3 - Data Classification Policy

Effective Date: January 2023
Last Updated: April 24, 2023
Responsible University Office: Office of Information Technology
Responsible University Administrator: Chief Information Officer

Policy Contact:

Office of Information Technology
helpdesk@clarkson.edu

1 Purpose

The purpose of this policy is to deﬁne the data classiﬁcation requirements for information assets and to ensure that data is secured and handled according to its sensitivity and impact that theft, corruption, loss or exposure would have on the organization. This policy has been developed to assist Clarkson University and provide direction to the organization regarding identiﬁcation, classiﬁcation and handling of information assets.

2 Scope

The scope of this policy includes all information assets governed by Clarkson University. All personnel and third parties who have access to or utilize information assets to process, store and/or transmit information for or on behalf of Clarkson University shall be subject to these requirements.

3 Policy

Clarkson University has established the requirements enumerated below regarding the classiﬁcation of data to protect the University's information.

3.1 Data Ownership and Accountability

Data owners are identiﬁed as the individuals, roles, or committees primarily responsible for information assets. These individuals are responsible and accountable for:

Identifying the University's information assets under their areas of
Maintaining an accurate and complete inventory for data classiﬁcation and handling
Applying data classiﬁcation to new systems as they’re integrated into the Clarkson University network.
Re-classiﬁcation of an information asset whenever the asset is signiﬁcantly modiﬁed.
Safeguarding information and working with Data Custodians to ensure appropriate access is established and removed as
Reporting deﬁciencies in security controls to

3.2 Data Classiﬁcation

Classiﬁcation of data will be performed by the data asset owner based on the speciﬁc, ﬁnite criteria. Refer to the Data Classiﬁcation and Handling Procedure to determine how data should be classiﬁed. Data classiﬁcations will be deﬁned as follows:

RESTRICTED - Information whose loss, corruption, or unauthorized disclosure would cause severe

personal, operational, ﬁnancial or reputational harm to the organization, organization staﬀ or the

students or other constituents we serve. Impacts for unauthorized access or changes to Restricted information could result in identity or ﬁnancial fraud, extreme revenue loss, or the unavailability of extremely critical systems or services and may require Federal or state breach notiﬁcation. Common examples include, but are not limited to, social security number, Protected Health Information (PHI), payment card information, and Personally Identiﬁable Information (PII), student records and some types of unpublished research data.

PRIVATE – Information whose loss, corruption, or unauthorized disclosure would likely cause limited personal, operational, ﬁnancial or reputational harm to the organization, organization staﬀ or the students or other constituents we serve. Impacts for unauthorized access or modiﬁcation to Private information could result in identity theft and minor revenue loss would occur, and the availability of critical systems would not be aﬀected. Common examples include, but are not limited to, vendor contracts, day-to-day business communications, unpublished research data, engineering, design and operational data regarding the University and University ﬁnancial
PUBLIC – Information whose loss, corruption, or unauthorized disclosure would cause minimal or no personal, ﬁnancial or reputational harm to the organization, organization staﬀ or the students and other constituents we serve. Common examples include, but are not limited to marketing campaigns, promotional information, and news

3.3 Directory Information

Student Directory Information is deﬁned in the Family Educational Rights and Privacy Act of 1974 (FERPA). This information is classiﬁed as PUBLIC unless the student has ﬁled a Request to Prevent Disclosure of Directory Information form with the University's Registrar's Oﬃce. In this case, the speciﬁed Directory information shall be classiﬁed as Restricted .

Employee Directory Information as listed below shall be classiﬁed as PUBLIC

Name
Current position title
Campus Telephone Number
Campus Email address
Department of assignment
Oﬃce location
Campus Mailbox

3.4 Data Handling

Information assets shall be handled according to their prescribed classiﬁcation, including access controls, labeling, retention policies and destruction methods. The speciﬁc methods must be described in the Data Classiﬁcation Procedure.

3.5 Reclassiﬁcation

A reevaluation of classiﬁed data assets will be performed at least once per year by the responsible data owners. Reclassiﬁcation of data assets should be considered whenever the data asset is modiﬁed, retired or destroyed.

3.6 Classiﬁcation Inheritance

Logical or physical assets that “contain” a data asset may inherit classiﬁcation from the data asset(s) contained therein. In these cases, the inherited classiﬁcation shall be the highest classiﬁcation of all contained data assets.

4 Enforcement

Users who violate this policy may be denied access to the University's resources and may be subject to penalties and disciplinary action both within and outside of the organization. The organization may temporarily suspend or block access to an account prior to the initiation or completion of such procedures, when it appears reasonably necessary to do so in order to protect the integrity, security or functionality of the organization or other computing resources or to protect the organization from liability.

5 Exceptions

Exceptions to this policy must be approved in advance by the Chief Information Oﬃcer, at the request of the responsible data asset owner. The approved exceptions must be reviewed and reapproved by the asset owner annually.

6 References

Federal Information Processing Standard Publication 199 (FIPS-199)
NIST Special Publication 800-53 r4

Acceptable Use Policy
Information Security Policy
Data Classiﬁcation and Handling Procedure

8 Responsible Department

Oﬃce of Information Technology

9 Policy Authority

This policy is issued by the Chief Information Oﬃcer and approved by the University President for Clarkson University.

10 Revision History

Version	Date	Author	Revisions
1	1/27/2023	B. Huntley	Initial Draft - Data Classiﬁcation Policy
2	4/24/2023	L. Perry	Presidential Approval

OM 1.0.0 - History and Mission

OM 1.1.0 History

OM 1.2.0 Mission and Objectives

OM 2.00.0

OM 2.1.0 - Board of Trustees

OM 2.3.0 - Duties and Responsibilities of Provost, Vice Presidents, Deans and Other Officers of the University

OM 2.4.0 Duties and Responsibilities of Academic Department Chairs

OM 2.4.1 Appointment and Tenure of Department Chairs and Academic Program Directors Policy Statement

OM 2.5.0 Periods of Duty - Administrative Offices

OM 2.6.0 Clarkson University Policies Governing Organized Activity Units

OM 2.6.1 Duties and Responsibilities of Directors of Institutes and Centers

OM 2.6.2 Appointment and Tenure of Directors

OM 2.6.3 Director of Organized Activity Unit - Additional Operational/Management Guidance

OM 2.7.0 Operational Procedures for the Administrative Council

OM 2.8.0 Faculty Senate Constitution

OM 2.9.0 Paperflow for Senate and Administrative Council Actions

OM 2.10.0 Committees of the University

OM 2.10.1 Committees of the Faculty Senate

OM 2.10.2 Standing Administrative Committees

OM 2.10.3 University Committee Procedures

OM 2.11.0 Support Staff Policies and Procedures

OM 2.12.0 Professional and Supervisory Staff Policies and Procedures

OM 3.0.0 - Human Resources Policies

OM 3.1.0 Human Resources Policies - General

OM 3.1.1 Definition of Employee Groups

OM 3.1.2 Exempt and Non-Exempt Employee Categories

OM 3.1.3 - Affirmative Action and Equal Employment Opportunity Statement

OM 3.1.4 - Employment of Family Members at Clarkson

OM 3.1.5 - Harassment and Sexual Misconduct Policy

OM 3.1.6 - Employment of Minors

OM 3.1.7 Drug Abuse in the Workplace

OM 3.1.8 Orientation

OM 3.1.9 Change in Status

OM 3.1.10 Smoking Policy

OM 3.1.11 Nondiscrimination Policy

OM 3.1.12 Cultural Diversity Policy

OM 3.1.13 General Grievance Procedures

OM 3.1.14 Discrimination Grievance Procedure (Including Cases of Sexual Misconduct)

OM 3.1.15 Anti-Bullying Policy

OM 3.1.16 Clarkson University Exit Policy

OM 3.1.17 Recruitment and Selection Process

OM 3.1.18 Termination/Resignation Policy

OM 3.1.19 Flexible Work Schedule (flextime) and Working Remotely

OM 3.1.20 Background Check Policy

OM 3.1.21 No Contact Order Policy

OM 3.2.0 Human Resources Policies - Faculty

OM 3.2.1 Retirement Benefits

OM 3.3.0 Human Resources Policies - Administrative, Supervisory, and General Staff

OM 3.3.1 Job Posting

OM 3.3.2 Position Classification Procedures

OM 3.3.3 Disciplinary Procedure

OM 3.3.4 Termination of Employment

OM 3.3.5 Retirement Benefits

OM 3.4.0 Human Resources Policies - Employment and Working Conditions - General Staff

OM 3.4.1 The Four Types of Appointments

OM 3.4.2 Employment - Appointment of General Staff Personnel

OM 3.4.3 Probationary Period - General Staff (Non-Bargaining)

OM 3.4.4 Working Hours - General Staff

OM 3.4.5 Rest Periods - General Staff

OM 3.4.6 Promotions and Transfers - General Staff

OM 4.0.0 - Compensation Policies

OM 4.1.0 Compensation Policies - General

OM 4.1.1 Supplemental Compensation Procedures - Faculty

OM 4.2.0 Compensation Policies - Faculty

OM 4.2.1 Salary Plan

OM 4.2.2 Salary Continuance - Faculty

OM 4.3.0 Compensation Policies - Administrative, Supervisory, and General Staff

OM 4.3.1 Wage and Salary Administration

OM 4.3.2 Salary Plan - Administrative and Supervisory Staff

OM 4.3.3 Pay Periods and Payroll Deductions - General Staff

OM 4.3.4 Overtime Policy for Non-Exempt Employees

OM 4.3.5 Supplemental Compensation Procedures - Exempt Non-Faculty

OM 4.3.6 Policy on Compensation for Travel Time - Non-Exempt Employees

OM 5.0.0 - Faculty Definitions and Policies

OM 5.1.0 Titles, Status and Definitions

OM 5.2.0 Duties of a Faculty Member

OM 5.3.0 Standards for Faculty Evaluations

OM 5.4.0 Procedures and Documentation for the Appointment, Reappointment and Continuing Evaluation of Faculty

OM 5.5.0 Evaluation Procedures for Tenure - The Tenure Policy

OM 5.6.0 Evaluation Procedures for Promotion