Information about http://net.educause.edu/ir/library/pdf/CSD5481.pdf

Pages: 3
Language: english
Created: Tue Aug 19 10:00:36 2008
       PimaCommunityCollege                                        District Office, Information Security
                                                                                                               Public

                       Data Classification Standards
Purpose: To protect the confidentiality, integrity, and availability of Pima Community College
data, pursuant to Data Trusteeship (SPG-5702/AB) and Security of the Information Technology
Infrastructure (SPG-5702/AC), through the identification of information that requires protection.
Audience: All members of the Pima Community College community, including faculty, staff,
and students.
Sponsoring Unit: Vice Chancellor of IT, 2008.


I. Definitions
    A. Responsible parties
       Data Trustees: Per SPG-5702/AB: "The accuracy and completeness of the data within the
       Enterprise Resource Planning systems are the responsibility of functional units of the
       College. All student information and grants systems data are assigned to the Office of the
       Provost. All finance data and payroll modules are assigned to the Office of the Executive
       Vice Chancellor of Administration. All human resources data, except payroll, are assigned
       to the Vice Chancellor of Human Resources."
       Data Stewards: Deans, vice chancellors, assistant vice chancellors, directors, managers or
       others as identified by the data trustees to manage a subset of data.
       Data Processor: Any individuals who have been authorized by a data steward to create,
       remove, or modify data.

    B. College data types
       The assessment criteria for the following classifications were derived from the National
       Institute of Standards and Technology (NIST)¹ in "NIST SP800-60: Guide for Mapping
       Types of Information and Information Systems to Security Categories". These classifications
       are intended for internal College use and are not intended to be determinative regarding any
       request for documents made pursuant to Arizona's public records laws.
       Public: This type of information can be communicated without restrictions, and is intended
       for general public use. This data will not cause harm to any individual, group, or PCC if
       made public.
       Internal Use Only: Information that is intended for use only within the College:
               - This data may cause harm to an individual, group, or PCC if disclosed.
               - Requires protections according to PCC SPGs, standards, or contracts.
       Confidential: Information that must be rigorously protected:
               - Requires protections according to law, specifically: (1) Family Educational Rights
                 and Privacy Act (FERPA); (2) Health Insurance Portability and Accountability Act
                 (HIPAA); (3) Payment Card Industry Data Security Standard (PCI DSS); (4)
                 Gramm-Leach-Bliley Act (GLBA).
               - This data will likely cause significant harm to an individual, group, or PCC if
                 disclosed.

¹ NIST provides standards on everything from weights and measures ("providing the basis for the fairness and efficiency
of sales totaling more than $5 trillion") to providing quality control procedures to US auto makers.


                                                     Page 1 of 3
II. Responsibilities
    All College data must be clearly labeled, and starting in July of 2008, the absence of a label
    will indicate "Internal Use Only".

    1. Data Trustees:
           - Establish direction for the overall security and privacy of all College data, with
             particular attention to confidential data
           - Identify and appoint data stewards
           - Ensure existing procedures are appropriate
           - Oversee the data inventory database, which includes: (a) classification level; (b) Data
             Steward; (c) description of the information
           - Consider any public records request for data classified as Internal Use Only or
             Confidential to determine whether the documents are subject to disclosure under
             Arizona Law.
    2. Data Stewards:
           - Develop and maintain documented procedures regarding the protection of College
             data.
           - Ensure the accuracy of data within their area
           - Annually review current access authorizations to ensure they are up to date and
             accurate
           - Ensure authorized users of confidential data are properly trained
           - Protect confidential information with emphasis on (a) the privacy of personal
             information; (b) protecting against anticipated threats; (c) guarding against
             unauthorized access
           - Immediately report any breach of policy or data security to the Data Trustee
    3. Data Processors (all employees, faculty, and students):
           - Ensure all data are accurate
           - Ensure appropriate confidentiality, integrity and availability procedures are being
             followed
           - Immediately report any breach of policy or data security to the Data Steward


III. Examples
    The examples below are provided for illustrative purposes only, and are not intended to be
    comprehensive or supersede the best judgment of Data Stewards.

    Public Data: Standard practice guides and policies; college plan; personal directory; maps;
    course catalog, public web page, press releases, advertisements, schedules of classes.
    Internal Use Only: Internal e-mails; meeting minutes; unit working & draft documents.
    Confidential: Student or employee records; social security numbers; A numbers; grades;
    employee performance reviews; personnel files; personally identifiable information;
     financial data (P-card numbers, account information, account numbers; bills); passwords,
     security plans.

     Considering that data of different classification types often occupy a shared space (whether
     a document or database that contains both confidential and public information), the most
     sensitive data in the collection is used to determine the overall classification.
     Notwithstanding such overall classification, in the case of a public records request, all data
     will be reviewed and disclosed to the extent required by Arizona Law.
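The "most sensitive item wins" rule above, together with the July 2008 default for unlabeled data (section II) and the three inventory fields from section II.1, as an added Python example that is not part of the College's standard (steward names, label spellings and the sample report are constructed):

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, Optional


class Classification(IntEnum):
    """Ordered so that max() selects the most sensitive label."""
    PUBLIC = 1
    INTERNAL_USE_ONLY = 2
    CONFIDENTIAL = 3


# Assumed label spellings; the standard names the levels but not a label syntax.
_LABELS = {
    "public": Classification.PUBLIC,
    "internal use only": Classification.INTERNAL_USE_ONLY,
    "confidential": Classification.CONFIDENTIAL,
}


def parse_label(label: Optional[str]) -> Classification:
    """Section II: a missing label means Internal Use Only; unknown labels are rejected."""
    if label is None or not label.strip():
        return Classification.INTERNAL_USE_ONLY
    key = " ".join(label.lower().split())  # tolerate case and spacing differences
    if key not in _LABELS:
        raise ValueError(f"unknown classification label: {label!r}")
    return _LABELS[key]


@dataclass(frozen=True)
class InventoryEntry:
    """One data inventory row (section II.1): description, Data Steward, classification label."""
    description: str
    steward: str
    label: Optional[str] = None


def overall_classification(entries: Iterable[InventoryEntry]) -> Classification:
    """Section III: a shared document or database takes the label of its most sensitive item."""
    levels = [parse_label(e.label) for e in entries]
    if not levels:
        raise ValueError("no entries to classify")
    return max(levels)


def needs_trustee_review(entries: Iterable[InventoryEntry]) -> bool:
    """Section IV: Internal Use Only or Confidential material goes to the Data Trustee on a records request."""
    return overall_classification(entries) >= Classification.INTERNAL_USE_ONLY


# Constructed sample: one report mixing a public schedule, an unlabeled draft and grades.
SAMPLE_REPORT = [
    InventoryEntry("schedule of classes", "Registrar (constructed)", "Public"),
    InventoryEntry("unit budget draft", "Finance Director (constructed)"),  # unlabeled
    InventoryEntry("student grades", "Office of the Provost", "Confidential"),
]
```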


IV. Public Records Requests
     The standards set forth herein are for the College's internal purposes. Arizona law requires
     the disclosure of all public records except those protected by a statutory or common law
     exception.

     Depending upon the records requested and the circumstances, "Internal Use Only"
     documents may or may not be subject to disclosure pursuant to a public records request.
     Upon receipt of a public records request seeking documents classified as Internal Use Only
     or Confidential, the Data Trustee responsible for the data at issue, in consultation with the
     Chancellor's office, will review the requested documents and determine whether such
     documents are, in whole or in part, subject to disclosure. The College does not, by inclusion
     of certain data or documents within the Internal Use Only or Confidential category, intend
     to create in any individual an expectation of privacy where none would otherwise exist.


V. Enforcement
     Any failure to follow this standard must be reported to the Vice Chancellor of IT and the IT
     Information Security Officer for the purpose of remediation. Unauthorized disclosure of
     internal use only data is a violation of this standard and may result in disciplinary action.
     Unauthorized disclosure of confidential data may result in legal action in addition to
     disciplinary action. The appropriate Data Trustee will be responsible for any necessary
     disciplinary action or change in procedures.




Document Maintainers: Brian Basgen
Reviewers: Law firm (DeConcini McDonald Yetwin & Lacy), Chancellor's Cabinet,
Chancellor's Staff, IT Directors, ASWG.
Effective Date: 7/1/2008
Review Cycle: Annual
Reference: BP-3502 (permanent student records); BP-5702 (IT resource management)
Status: Final
Version: 1.0


