Working with departments across campus last year, ITS established a database of over 150 discrete types of data and, based on industry-standards, have established a mechanism to provide appropriate protection of all critical data. ITS will work with departments over the coming months to classify their data and recommend remediation measures to mitigate the potential risk of any sensitive or confidential data being compromised. One of the methods will be to introduce ways to encrpyt all confidential data on users computers.
F&M information in any format (e.g., hard copy, disk, tape) must be protected by all users at the level commensurate with its value as determined by its information classification. These standards mitigate the risk that information of different classification levels be inadvertently combined and released. In order to properly protect information assets all information must be classified into one of the following three categories:
By classifying data, departments can determine the appropriate resources needed to protect the information. The objective is to dedicate greater resources to the information that needs the greatest amount of protection while minimizing the impact on daily tasks. Current data classification descriptions are:
Information cannot be downgraded to a lower or less restricted classification without undergoing a formal declassification effort sponsored by the Information Owner. The Information Owner must determine if any information can be moved to a lower classification based upon the definitions of the classifications. Alternatively, Information Owners must determine if an information asset's classification should be raised based upon the definitions.
Best practice suggests that all media should be labeled with its information classification (i.e., public, sensitive, confidential). Electronic documents should have the classification label in the header and footer of each page. Hard copy documents should be stamped with the classification or a physical label must be applied. All confidential data should be marked at the top and bottom of every page with the classification of the information contained in the document. All hardcopy confidential documents should have a cover page identifying the classification of the information. ITS will work with departments across the College to ensure that information is assigned to the proper classification and labeled in a timely manner.