1.0 Background

All members of the Vassar College community possess information that must be protected from intentional or unintentional exposure.

Most data collected, processed, and stored by the College is considered proprietary to Vassar and is not to be released or shared except with authorized persons and for authorized purposes. The personal data of individuals associated with the College is used only for required business purposes and is the property of the individual to whom it pertains. Some data is also protected under Federal, State, or other statutes, or by contractual terms, and cannot be shared except as authorized under the appropriate restrictions.

2.0 Purpose

The purpose of this policy is to define the data classification requirements for information assets in order to ensure that data is secured and handled according to its sensitivity and the impact that theft, corruption, loss, or exposure would have on the institution.

3.0 Scope

The scope of this policy includes all information assets governed by Vassar College. All members of the community and all third parties who have access to or utilize information assets to collect, process, and/or transmit information for or on behalf of Vassar College are subject to these requirements.

4.0 Policy

Vassar College has established the requirements enumerated below regarding the classification of data to protect the institution’s information.

4.1 Data Governance

Data Stewards are identified as the individuals, roles, or committees primarily responsible for information assets. These individuals are responsible for:

  • Identifying the institution’s information assets under their areas of supervision; and
  • Maintaining an accurate and complete inventory for data classification and handling purposes.

Data Stewards are responsible for recommending the appropriate Data Classification for their information assets. Data Trustees are responsible for approving those recommendations.

Re-classification of any information asset should be performed whenever the asset is significantly modified. Additionally, Data Stewards are responsible for reporting deficiencies in security controls to management.

Data Classification levels and handling procedures may be superseded by external requirements governed by contract, legal obligations, or sponsors. Data Trustees have decision-making authority for re-classifying information based on external obligations.

Refer to the Vassar College Data Governance Plan for additional information.

4.2 Data Classification

Information that is collected, processed, or stored by the College is classified into the four categories defined below:

  • RESTRICTED - Information whose loss, corruption, or unauthorized disclosure would cause severe personal, financial, or reputational harm, including civil or criminal penalties, to the institution, institution employees, or the people the College serves is considered Restricted information. Its loss or exposure would require breach notification and/or other institutional action under State Law, Federal Law, or contractual obligations. The collection, processing, and storing of Restricted information is done with permission from the person or group that manages it, represented by the appropriate Data Steward. The methods, occasions, and targets of handling such data are subject to the strictest constraints, some of which are dictated by law, and may require additional approvals as guided by the College Data Governance Plan.
  • CONFIDENTIAL - Information whose loss, corruption, or unauthorized disclosure would cause moderate personal, financial, or reputational harm to the institution, institution employees, or the people we serve is considered Confidential. Confidential information should not be discussed with or disclosed to others. The collection, processing, and storing of Confidential information is done with permission from the person or group that manages it, represented by the appropriate Data Steward.
  • INTERNAL - Information whose loss, corruption, or unauthorized disclosure would cause limited personal, financial, or reputational harm to the institution, institution employees, or the people we serve is considered Internal. Internal information should not be disclosed outside of the College without the permission of the person or group that created it, represented by the appropriate Data Steward.
  • PUBLIC - Information whose loss, corruption, or unauthorized disclosure would cause no personal, financial, or reputational harm to the institution, institution employees, or the people we serve is considered Public information. This information may be disclosed to any person, whether or not the person is affiliated with the College. This classification includes not only data that is of public interest or intended for distribution to the public, but also data that does not require any level of protection from disclosure.

4.3 Data Handling

Information assets shall be handled according to their prescribed classification. The specific methods will be described in the Data Classification and Handling Procedure.

4.4 Data Reclassification

A re-evaluation of classified data assets will be performed at least once per year by the Data Stewards with approval from the appropriate Data Trustee.

4.5 Classification Inheritance

Logical or physical assets that “contain” a data asset may inherit classification from the data asset(s) contained therein. In these cases, the inherited classification shall be the highest classification of all contained data assets.

5.0 Exceptions

Exceptions to the policy must be requested in writing to the Chief Information Officer and either the Vice President for Finance or Dean of Faculty for consideration.

6.0 References

  • Federal Information Processing Standard Publication 199 (FIPS-199)
  • NIST Special Publication 800-53 r4
  • EU General Data Protection Regulation (GDPR)
  • Family Educational Rights and Privacy Act (FERPA)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • NYS Stop Hacks and Improve Electronic Data Security (SHIELD) Act
  • California Consumer Privacy Act (CCPA)
  • Federal Information Security Management Act (FISMA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Information Security Policy
  • Data Governance Plan
  • Information Assets Data Classification Table - UNDER DEVELOPMENT
  • Data Classification and Handling Procedure - UNDER DEVELOPMENT

8.0 Responsible Department and Persons

Responsible Department: Computing and Information Services

Person(s) responsible for developing, changing, and communicating this policy: Information Security Officer, Chief Information Officer, and Vassar College’s Senior Officers

Person(s) responsible for implementing and enforcing this policy: Chief Information Officer and Information Security Officer

9.0 Policy Authority

This policy is issued by Vassar College under the authority of the Chief Information Officer and Information Security Officer.

Publication date: November 6, 2020

Effective date: July 1, 2021