Franklin & Marshall College Franklin & Marshall College

Data Classifications

 Working with departments across campus last year, ITS established a database of over 150 discrete types of data and, based on industry-standards, have established a mechanism to provide appropriate protection of all critical data.  ITS will work with departments over the coming months to classify their data and recommend remediation measures to mitigate the potential risk of any sensitive or confidential data being compromised. One of the methods will be to introduce ways to encrpyt all confidential data on users computers.

Classification Categories

F&M information in any format (e.g., hard copy, disk, tape) must be protected by all users at the level commensurate with its value as determined by its information classification. These standards mitigate the risk that information of different classification levels be inadvertently combined and released. In order to properly protect information assets all information must be classified into one of the following three categories:

  • Public
  • Sensitive
  • Confidential

By classifying data, departments can determine the appropriate resources needed to protect the information. The objective is to dedicate greater resources to the information that needs the greatest amount of protection while minimizing the impact on daily tasks. Current data classification descriptions are:

Public/Directory
  • Information that may or must be open to the general public. It is defined as information with no existing local, national of international legal restrictions on access or usage.
Sensitive/Internal Use
  • Information that must be guarded due to proprietary, ethical, or privacy considerations, and must be protected from unauthorized access, modification, transmission, storage or other use. The classification applies even though there may not be a civil statue requiring this protection. Information that is restricted to members of the F&M community who have a legitimate purpose for accessing such data.
Confidential/Highly Restrictive
  •  Information protected by statues, regulations, College policies or contractual language.

Classification Change Management

Information cannot be downgraded to a lower or less restricted classification without undergoing a formal declassification effort sponsored by the Information Owner. The Information Owner must determine if any information can be moved to a lower classification based upon the definitions of the classifications. Alternatively, Information Owners must determine if an information asset's classification should be raised based upon the definitions.

Information Labeling

Best practice suggests that all media should be labeled with its information classification (i.e., public, sensitive, confidential). Electronic documents should have the classification label in the header and footer of each page. Hard copy documents should be stamped with the classification or a physical label must be applied. All confidential data should be marked at the top and bottom of every page with the classification of the information contained in the document. All hardcopy confidential documents should have a cover page identifying the classification of the information. ITS will work with departments across the College to ensure that information is assigned to the proper classification and labeled in a timely manner.