All members of the Vassar College community possess information that must be protected from intentional or unintentional exposure.
Most data collected, processed, and stored by the College is considered proprietary to Vassar and is not to be released or shared other than with authorized persons and for authorized purposes. The personal data of individuals associated with the College is used only for required business purposes and is the property of the individual to whom it pertains. Some data is also protected under Federal, State, or other statutes, or because of contractual terms, and cannot be shared except as authorized under the appropriate restrictions.
The purpose of this policy is to define the data classification requirements for information assets in order to ensure that data is secured and handled according to its sensitivity and according to the impact that its theft, corruption, loss, or exposure would have on the institution.
The scope of this policy includes all information assets governed by Vassar College. All members of the community and all third parties who have access to or utilize information assets to collect, process, and/or transmit information for or on behalf of Vassar College are subject to these requirements.
Vassar College has established the requirements enumerated below regarding the classification of data to protect the institution’s information.
4.1 Data Governance
Data Stewards are identified as the individuals, roles, or committees primarily responsible for information assets. These individuals are responsible for:
- Identifying the institution’s information assets under their areas of supervision; and
- Maintaining an accurate and complete inventory for data classification and handling purposes.
Data Stewards are responsible for recommending the appropriate Data Classification for their information assets. Data Trustees are responsible for approving recommendations.
Re-classification of any information asset should be performed whenever the asset is significantly modified. Additionally, Data Stewards are responsible for reporting deficiencies in security controls to management.
Data Classification levels and handling procedures may be superseded by external requirements governed by contract, legal obligations, or sponsors. Data Trustees have decision making authority for re-classifying information based on external obligations.
Refer to the Vassar College Data Governance Plan for additional information.
4.2 Data Classification
Information that is collected, processed, or stored by the College is classified into the four categories defined below:
- RESTRICTED - Information whose loss, corruption, or unauthorized disclosure would cause severe personal, financial, or reputational harm, including civil or criminal penalties, to the institution, institution employees, or the people the College serves is considered Restricted information. Its loss or exposure would require breach notification and/or other institutional action based on State Law, Federal Law, or contractual obligations. The collection, processing, and storing of Restricted information is done with permission from the person or group that manages it, represented by the appropriate Data Steward. The methods, occasions, and targets of handling such data are subject to the strictest constraints, some of which are dictated by law, and may require additional approvals as guided by the College Data Governance Plan.
- CONFIDENTIAL - Information whose loss, corruption, or unauthorized disclosure would cause moderate personal, financial, or reputational harm to the institution, institution employees, or the people we serve is considered Confidential. Confidential information should not be discussed with or disclosed to others. The collection, processing, and storing of Confidential information is done with permission from the person or group that manages it, represented by the appropriate Data Steward.
- INTERNAL - Information whose loss, corruption, or unauthorized disclosure would cause limited personal, financial, or reputational harm to the institution, institution employees, or the people we serve is considered Internal. Internal information should not be disclosed outside of the College without the permission of the person or group that created it, represented by the appropriate Data Steward.
- PUBLIC - Information whose loss, corruption, or unauthorized disclosure would cause no personal, financial, or reputational harm to the institution, institution employees, or the people we serve is considered Public information. This information may be disclosed to any person, whether or not the person is affiliated with the College. This classification includes not only data that is of public interest or intended to be distributed to the public, but also data that does not require any level of protection from disclosure.
4.3 Data Handling
Information assets shall be handled according to their prescribed classification. The specific methods will be described in the Data Classification and Handling Procedure.
4.4 Data Reclassification
A re-evaluation of classified data assets will be performed at least once per year by the Data Stewards with approval from the appropriate Data Trustee.
4.5 Classification Inheritance
Logical or physical assets that “contain” a data asset (for example, a system, database, file share, or document) may inherit classification from the data asset(s) contained therein. In these cases, the inherited classification shall be the highest classification of all contained data assets.
Exceptions to the policy must be requested in writing to the Chief Information Officer and either the Vice President for Finance or Dean of Faculty for consideration.
- Federal Information Processing Standard Publication 199 (FIPS-199)
- NIST Special Publication 800-53 r4
- EU General Data Protection Regulation (GDPR)
- Family Educational Rights and Privacy Act (FERPA)
- Payment Card Industry Data Security Standard (PCI DSS)
- NYS Stop Hacks and Improve Electronic Data Security (SHIELD) Act
- California Consumer Privacy Act (CCPA)
- Federal Information Security Management Act (FISMA)
- Health Insurance Portability and Accountability Act (HIPAA)
7.0 Related Documents
- Information Security Policy
- Data Governance Plan
- Information Assets Data Classification Table - UNDER DEVELOPMENT
- Data Classification and Handling Procedure - UNDER DEVELOPMENT
8.0 Responsible Department and Persons
Responsible Department: Computing and Information Services
Person(s) responsible for developing, changing, and communicating this policy: Information Security Officer, Chief Information Officer, and Vassar College’s Senior Officers
Person(s) responsible for implementing and enforcing this policy: Chief Information Officer and Information Security Officer
9.0 Policy Authority
This policy is issued by Vassar College under the authority of the Chief Information Officer and Information Security Officer.
Publication date: November 6, 2020
Effective date: July 1, 2021