OM 9.1.3 - Data Classification Policy
Effective Date: January 2023 | Policy Contact: Office of Information Technology
1 Purpose
The purpose of this policy is to define the data classification requirements for information assets and to ensure that data is secured and handled according to its sensitivity and the impact that its theft, corruption, loss or exposure would have on the organization. This policy has been developed to assist Clarkson University and to provide direction to the organization regarding the identification, classification and handling of information assets.
2 Scope
The scope of this policy includes all information assets governed by Clarkson University. All personnel and third parties who have access to or utilize information assets to process, store and/or transmit information for or on behalf of Clarkson University shall be subject to these requirements.
3 Policy
Clarkson University has established the requirements enumerated below regarding the classification of data to protect the University's information.
3.1 Data Ownership and Accountability
Data owners are the individuals, roles, or committees primarily responsible for information assets. Data owners are responsible and accountable for:
- Identifying the University's information assets under their areas of
- Maintaining an accurate and complete inventory for data classification and handling
- Applying data classification to new systems as they’re integrated into the Clarkson University network.
- Re-classification of an information asset whenever the asset is significantly modified.
- Safeguarding information and working with Data Custodians to ensure appropriate access is established and removed as
- Reporting deficiencies in security controls to
3.2 Data Classification
Classification of data will be performed by the data asset owner based on specific, finite criteria. Refer to the Data Classification and Handling Procedure to determine how data should be classified. Data classifications are defined as follows:
- RESTRICTED - Information whose loss, corruption, or unauthorized disclosure would cause severe personal, operational, financial or reputational harm to the organization, organization staff, or the students or other constituents we serve. Unauthorized access to or modification of Restricted information could result in identity or financial fraud, extreme revenue loss, or the unavailability of extremely critical systems or services, and may require Federal or state breach notification. Common examples include, but are not limited to, Social Security numbers, Protected Health Information (PHI), payment card information, Personally Identifiable Information (PII), student records and some types of unpublished research data.
- PRIVATE - Information whose loss, corruption, or unauthorized disclosure would likely cause limited personal, operational, financial or reputational harm to the organization, organization staff, or the students or other constituents we serve. Unauthorized access to or modification of Private information could result in identity theft or minor revenue loss; the availability of critical systems would not be affected. Common examples include, but are not limited to, vendor contracts, day-to-day business communications, unpublished research data, engineering, design and operational data regarding the University, and University financial
- PUBLIC - Information whose loss, corruption, or unauthorized disclosure would cause minimal or no personal, financial or reputational harm to the organization, organization staff, or the students and other constituents we serve. Common examples include, but are not limited to, marketing campaigns, promotional information, and news
3.3 Directory Information
Student Directory Information is defined in the Family Educational Rights and Privacy Act of 1974 (FERPA). This information is classified as PUBLIC unless the student has filed a Request to Prevent Disclosure of Directory Information form with the University's Registrar's Office, in which case the specified Directory Information shall be classified as RESTRICTED.
Employee Directory Information as listed below shall be classified as PUBLIC:
- Name
- Current position title
- Campus Telephone Number
- Campus Email address
- Department of assignment
- Office location
- Campus Mailbox
3.4 Data Handling
Information assets shall be handled according to their prescribed classification, including access controls, labeling, retention policies and destruction methods. The specific methods are described in the Data Classification and Handling Procedure.
3.5 Reclassification
A reevaluation of classified data assets will be performed at least once per year by the responsible data owners. Reclassification of data assets should be considered whenever the data asset is modified, retired or destroyed.
3.6 Classification Inheritance
Logical or physical assets (for example, a server, database, file share or backup medium) that contain a data asset inherit classification from the data asset(s) contained therein. In these cases, the inherited classification shall be the highest classification of all contained data assets.
4 Enforcement
Users who violate this policy may be denied access to the University's resources and may be subject to penalties and disciplinary action both within and outside of the organization. The organization may temporarily suspend or block access to an account prior to the initiation or completion of such procedures, when it appears reasonably necessary to do so in order to protect the integrity, security or functionality of the organization or other computing resources or to protect the organization from liability.
5 Exceptions
Exceptions to this policy must be approved in advance by the Chief Information Officer, at the request of the responsible data asset owner. The approved exceptions must be reviewed and reapproved by the asset owner annually.
6 References
- Federal Information Processing Standard Publication 199 (FIPS-199)
- NIST Special Publication 800-53 r4
7 Related Policies
- Acceptable Use Policy
- Information Security Policy
- Data Classification and Handling Procedure
8 Responsible Department
Office of Information Technology
9 Policy Authority
This policy is issued by the Chief Information Officer and approved by the University President for Clarkson University.
10 Revision History
