Data Classification Policy

Policy Information

Issuing Office

Information Services

Affected Parties

Faculty, Staff

Policy Language

1.2 Scope

1.2.1 In Scope

This policy will define how data is classified by the owners of sensitive data. This policy applies to all university data and the systems which host and access that data regardless of the environment or media where the data resides. This includes data centers, personal computers, mobile devices, removable drives, optical storage, and even paper, and is inclusive of any university‐owned information regardless of type, location or storage medium. This policy also governs all manner of data communications including electronic, voice, print and written communications.

1.2.2 Out of Scope

This policy does not cover the handling and protection requirements of information. Also excluded are availability and integrity concerns, which are covered in the Liberty University Data Handling Policy.


2 Policy

2.1 Policy Statement

2.1.1 All information at Liberty University will be considered to be one of the data classifications provided below, whether formally or informally.

2.1.2 Data classification is based on the criticality of the loss of confidentiality, that is, the impact of exposure of data to unauthorized parties.

2.1.3 Data classification mandates from federal laws and regulations, the laws of all 50 states, contractual obligations, and industry best practices shall be considered when providing data classification.

2.1.4 Data should not be classified higher than is necessary. More highly classified data requires additional security protections, management, and cost.

Policy Rationale

The purpose of this policy is to identify a data classification schema, which will provide a framework for classifying LU's sensitive information. This policy is necessary because LU must maintain compliance with federal and state laws regarding data privacy and must meet the standards of private organizations established to protect an individual’s personal and financial information.

Definition of Glossary Terms

None specified

Procedural Information

Procedures

3.1 Data Classification Categories

3.1.1 Restricted

3.1.1.1 Restricted data is the most sensitive category of information. The consequences of the loss of confidentiality are grave.

3.1.1.2 Restricted data shall be maintained in accordance with the Liberty University Data Handling Policy (published separately) to provide sufficient protection at all times, whether in transit or at rest.

3.1.1.3 Examples include data such as Health Care Information (HCI) and credit card full stripe data. More detailed guidance shall be provided below.

3.1.2 Limited Access

3.1.2.1 Limited Access data is information intended for Liberty University employees and designated individuals only (such as contractors). The consequences of the loss of confidentiality are serious.

3.1.2.2 Limited Access data shall be maintained in accordance with the Liberty University Data Handling Policy.

3.1.2.3 Examples include FERPA‐protected data, Social Security Numbers (SSNs), proprietary information, and intellectual property. Additional guidance shall be provided below.

3.1.3 Internal Use

3.1.3.1 Internal Use data is information intended for internal use by Liberty students, faculty and staff, but that may be subject to open records disclosure. The consequences of the loss of confidentiality are minimal.

3.1.3.2 Internal Use data shall be maintained in accordance with the Liberty University Data Handling Policy.

3.1.3.3 Examples include general correspondence and e-mails, budget plans, FERPA directory information, internal Liberty event information, and so forth. Additional guidance shall be provided below.

3.1.4 Public

3.1.4.1 Public data is not sensitive and is generally available to anyone. The consequences of the loss of confidentiality are non‐existent.

3.1.4.2 Public data still requires controls for integrity and availability that shall be maintained in accordance with the Liberty University Data Handling Policy.

3.1.4.3 Examples include general university announcements, public policies, and University points of contact information. Additional guidance shall be provided below.

3.2.1 Data Ownership and Classification

3.2.1.1 The Data Owner is the person or department responsible for classifying the data as Public, Internal Use, Limited Access, or Restricted.

3.2.1.2 The Data Owner is usually the person or department that creates the data. For example:

3.2.1.2.1 The Human Resources Department would classify data generated by that department or data generated through Human Resources processes (e.g. job applications).

3.2.1.2.2 The Center for Curriculum Development would typically determine the classification for the course information and data developed for the University.

3.2.1.2.3 The CIO is accountable for designating personnel to classify data generated by Information Technology (IT).

3.2.1.3 Some data is classified regardless of data owner in compliance with federal or state laws or with private organizations that require protection of their data while in use by Liberty University. For example:

3.2.1.3.1 Payment Card Industry (PCI) Data Security Standard (DSS) defines credit card information that must be protected, such as the Primary Account Number (PAN), full magnetic stripe data or the equivalent on a chip, the security code (CAV2, CVC2, CVV2, CID), and the owner's PINs or PIN blocks. The PAN and sensitive PCI data are classified as Restricted.

3.2.1.3.2 Family Educational Rights and Privacy Act (FERPA) defines Personally Identifiable Information (PII), which is classified as Limited Access, and directory information, which is classified as Public. Note that a student may opt out of publishing his or her information as directory information, in which case that data remains Limited Access.

3.2.1.3.3 Massachusetts Social Security Number Privacy Act 454 of 2004 requirements necessitate classifying Social Security Numbers (SSNs) as Limited Access information.

3.2.2 Mandatory Data Classifications

3.2.2.1 Passwords to access Liberty University network accounts and associated resources are classified as Restricted.

3.2.2.2 Secure configuration files and data sets for Information Technology (IT) servers, routers, and other networking equipment are Limited Access.

3.2.2.3 Security Audit Logs for IT servers, routers, and other networking equipment are Limited Access.

3.2.2.4 Third‐party proprietary data shall be classified as Limited Access.

3.2.2.5 Health Insurance Portability & Accountability Act (HIPAA) defined data is classified as Restricted.

3.2.2.6 Payment Card Industry Data Security Standard (PCI DSS) Primary Account Number (PAN) and sensitive data is classified as Restricted.

3.2.2.7 The following student information is governed as Student Record Data and is classified as Limited Access in accordance with FERPA guidelines:

3.2.2.7.1 Liberty University ID#

3.2.2.7.2 Social Security Number

3.2.2.7.3 Gender

3.2.2.7.4 Nationality / Ethnicity

3.2.2.7.5 Parent/Guardian Address/Phone

3.2.2.7.6 Emergency Contact Information

3.2.2.7.7 Individual Class Schedule and Locations

3.2.2.7.8 Financial Aid Information

3.2.2.7.9 Grades/Exam Scores

3.2.2.7.10 Grade Point Average

3.2.2.7.11 Credits

3.2.2.7.12 Library Transactions

3.2.2.8 The following student information is declared as Directory Information in accordance with http://www.liberty.edu/academics/registrar/index.cfm?PID=14819. Directory Information is classified as Internal Use. Directory information may be classified as Limited Access in cases where a student has requested non‐disclosure.

3.2.2.8.1 Full Name

3.2.2.8.2 Address – including e‐mail address

3.2.2.8.3 Telephone Numbers

3.2.2.8.4 Date and Place of Birth

3.2.2.8.5 Program of Study/Campus

3.2.2.8.6 Dates of Attendance

3.2.2.8.7 Photograph

3.2.2.8.8 Height and Weight of Student Athletes

3.2.2.8.9 Participation in Officially Recognized Activities and Sports

3.2.2.8.10 Degrees and Awards Received

3.2.2.8.11 Most Recent Previous Education Institution or Agency Attended

3.2.2.8.12 Current Enrollment Status

3.2.2.9 Human Resources (HR) protected employee information is classified as follows:

3.2.2.9.1 Full Name: Public

3.2.2.9.2 Liberty ID#: Limited Access

3.2.2.9.3 Social Security Number/Taxpayer ID: Limited Access

3.2.2.9.4 Date of Birth: Limited Access

3.2.2.9.5 Home Address: Limited Access

3.2.2.9.6 Home Phone Number: Limited Access

3.2.2.9.7 Health Information: Restricted

3.2.2.9.8 Work Phone Number / FAX Number: Public

3.2.2.9.9 Liberty Email‐Address: Internal Use

3.2.2.9.10 Performance Reviews & Evaluations: Limited Access

3.2.2.9.11 Gender: Public

3.2.2.9.12 Race / Ethnicity: Internal Use

Sanctions

There are no penalties for non-compliance with document classification, though there are consequences for willful improper handling of Restricted, Limited Access, and Internal Use information, as specified in the Acceptable Use Policy (IS020121).

Exceptions

None