Administrative Regulation Title: Information Classification
Regulation Number: 7.0.1
______________________________________________________________________
Purpose:
This Information Classification Administrative Regulation (this “Admin Reg”) establishes a framework for classifying and managing Institutional Data. Data is classified as public, confidential, and highly-sensitive based on applicable law, the sensitivity of the data, and how critical the data is to the College’s operations. These criteria aid in developing and implementing security controls, which are proportionate to the classification of the data, to ensure that the confidentiality, integrity, and availability of data are maintained. In the event of a security incident, data classification is a vital component in the prioritization of remediation efforts and the allocation of resources. Institutional Data is a vital asset to the College; therefore, proper data classification and management are essential to the mission and operation of the College.
Definitions:
Capitalized terms not defined in this Admin Reg have the meaning set forth in the Information Security Policy.
Scope:
This Admin Reg applies to all persons or entities that have access to Institutional Data and to all Institutional Data collected, stored, or maintained by administrative, academic, or other units, Personnel, or agents of the College, regardless of its source, where it resides, or whether it is in digital or non-digital form (except as otherwise permitted or required by statute or contractual obligations).
Classification Levels:
All Institutional Data are classified into three categories: Public (Level 1), Confidential (Level 2), or Highly Sensitive (Level 3). The level of classification is determined by the impact to the individual and/or to the College if such data is compromised, whether by unauthorized disclosure, modification, or destruction of the data or loss of access to data or systems. Descriptions and examples related to each classification level are provided in the chart below.
Based upon how the data are classified, certain data management standards and security controls will need to be applied for the secure handling of such data. Director/Department Heads, under guidance of the Chief Information Officer, are responsible for determining which classification applies to specific data. If it is unclear which classification is appropriate, then the highest classification of those being considered will apply. (The default level for data classification is Level 3.) Derivative data shall have the same classification level as the data from which it is derived, unless the creator of the derivative data can show that the aggregated and anonymized derivative data presents a lower degree of risk in the event such data is made public.
Criteria | Public (Level 1) | Confidential (Level 2) | Highly Sensitive (Level 3) |
---|---|---|---|
Level of Impact if Compromised | Low adverse effects on the College or individuals | Moderate adverse effects on the College or individuals | Serious adverse effects on the College or individuals |
Data that Generally Fall into the Classification | Information that may or must be open to the public and is not restricted by local, state, national, or international regulations regarding use or disclosure | Information whose access must be guarded due to proprietary, ethical, or privacy considerations and that is not intended for public dissemination, but whose disclosure is not restricted by law | Information protected by law, including, without limitation, the Family Educational Rights and Privacy Act (“FERPA”), Health Insurance Portability and Accountability Act (“HIPAA”), Gramm-Leach-Bliley Act (“GLBA”), Payment Card Industry Data Security Standard (“PCI DSS”), and Wyo. Stat. § 40-12-502(d)(iii) & (iv) |
Potential Impacts of Loss of Confidentiality, Integrity, or Availability | • No or very limited degradation in or loss of mission capability – the College is able to perform its primary functions, but the effectiveness of the functions may be reduced • No or very minor damage to College assets • No direct financial damages or fines • Insignificant indirect financial damages • Insignificant harm or inconveniences to individuals • Possible negative impact on College’s reputation, generally dependent on the visibility of the loss of confidentiality, integrity or availability | • Limited degradation in or loss of mission capability – the College is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced • Minor damage to College assets • Minor direct financial damages and/or fines • Minor indirect financial damages • Minor harm to individuals • Minor negative impact on the College’s reputation | • Severe degradation in or loss of mission capability to an extent and duration that the College is not able to perform one or more of its primary functions • Major damage to College assets • Major direct financial damages and/or fines • Major indirect financial damages • Significant harm to individuals • Major negative impact on the College’s reputation |
Examples of Data | • Published “white pages” • Directory information • Maps • Departmental websites • Lists of email addresses • Academic course descriptions • Other information readily published and provided to the public at large | • Student grades maintained by an instructor • Class lists • Lists of students in a major in a department • Internal memos • Financial records • Email communications • Other documents not intended for public distribution that are not otherwise Level 3 data | • Credit card numbers • Social security numbers • Driver’s license numbers • Health records • Student transcripts • Financial aid data • Human subject research data that identify an individual • Credentials used as passwords, passphrases, or fingerprints and the data stored to allow self-service reset of the credentials |
Management and Security:
Data is managed based on its classification level. This Admin Reg, and those policies, regulations, and procedures referenced in the Information Security Policy, make up the College’s overall information security framework, which provides guidance on how Institutional Data is collected, handled, stored, and destroyed.
This Admin Reg will be reviewed and, if applicable, updated at least annually.
References:
Information Security Policy
Revision History:
Original Adoption Date: 1/29/24
Revision Date(s):
Date Reviewed, no change: