Approved by Data Management Committee: 29 May 2015
Approved by Information Technology Steering Committee: 30 July 2015
The purpose of these guidelines is to establish a framework for classifying institutional data based on its level of sensitivity, value, and criticality to the University. Classification of data will aid in determining baseline security controls for the protection of data.
These guidelines apply to all Northern Illinois University (NIU) faculty, staff and third-party agents of the University, as well as other University affiliates, authorized to access Institutional Data to include paper documents or any form of media or digitally based data. In particular, these guidelines apply to Data Stewards, who are responsible for classifying and protecting Institutional Data.
It is the practice and intent of NIU to protect the confidentiality, integrity, and availability of Institutional Data. This protection includes the activities to classify institutional data and apply business processes and enterprise architecture standards to ensure the confidentiality, integrity, and availability of Institutional Data while maintaining suitable utility and access for university purposes.
Data classification also reflects the level of impact to the University if confidentiality, integrity or availability is compromised. If an appropriate data classification is not inherently obvious, the Federal Information Processing Standards (FIPS) publication 199 published by the National Institute of Standards and Technology shall be applied. (see Appendix A for a sample classification schema).
Finally, it is the practice and intent of NIU to systematically and regularly review the classification of Institutional Data and validate related processes, policies, and standards applied to Institutional Data.
On a periodic basis, it is important to reevaluate the classification of Institutional Data to ensure the assigned classification is still appropriate based on changes to legal and contractual obligations as well as changes in the use of the data or its value to the University. This evaluation should be conducted by the appropriate Data Steward. Conducting an evaluation on an annual basis is encouraged; however, the University’s Data Management Committee (DMC) should determine what frequency is most appropriate based on available resources. If a Data Steward determines that the classification of a certain data set has changed, an analysis of security controls should be performed to determine whether existing controls are consistent with the new classification. If gaps are found in existing security controls, they should be corrected in a timely manner, commensurate with the level of risk presented by the gaps.
Data Stewards may wish to assign a single classification to a collection of data that is common in purpose or function. When classifying a collection of data, the most restrictive classification of any of the individual data elements should be used.
Risk Level: Low | Risk Level: Medium | Risk Level: High | |
---|---|---|---|
Confidentiality | The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
Integrity | The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
Availability | The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
As designated by the President, the Chief Information Officer, or designee, has primary responsibility for the interpretation and enforcement of these guidelines.
All forms and instances of data are required to be classified by the Data Steward in accordance with University guidelines and policies. All faculty, staff, and third-party agents are responsible to be aware of the data classification for which they have access or oversight and to apply appropriate and pre-determined safeguards. As the total potential impact to the University increases from low to high, the classification of data should become more restrictive moving from Public to Restricted. If an appropriate classification is still unclear after considering these points, contact the Information Security Office for assistance.
Data Stewards shall apply the principles of confidentiality, integrity, and availability to the data classification process.
Authentication Verifier
An Authentication Verifier is a piece of information that is held in confidence by an individual and used to prove that the person is who they say they are. An Authentication Verifier may also be used to prove the identity of a system or service. Examples include, but are not limited to:
Covered Financial Information
Refer to the University’s Gramm-Leach-Bliley policy and procedure.
Electronic Protected Health Information ("ePHI")
EPHI is defined as any Protected Health Information ("PHI") that is stored in or transmitted by electronic media. For the purpose of this definition, electronic media includes computer hard drives and any removable and/or transportable digital memory media, such as magnetic tape or disk, optical disk, or digital memory card.
Transmission media used to exchange information already in electronic storage media. Transmission media includes, for example, the Internet, an extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks and the physical movement of removable and/or transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media because the information being exchanged did not exist in electronic form before the transmission.
Export Controlled Materials
Export Controlled Materials is defined as any information or materials that are subject to United States export control regulations including, but not limited to, the Export Administration Regulations (“EAR”) published by the U.S. Department of Commerce and the International Traffic in Arms Regulations (“ITAR”) published by the U.S. Department of State. See NIU's information on Export Control.
Federal Tax Information ("FTI")
FTI is defined as any return, return information or taxpayer return information that is entrusted to the University by the Internal Revenue Services. See Internal Revenue Service Publication 1075 Exhibit 2 for more information.
Payment Card Information
Payment card information is defined as a credit card number (also referred to as a primary account number or PAN) in combination with one or more of the following data elements:
Personally Identifiable Education Records
Personally Identifiable Education Records are described in the Family Educational Rights and Privacy Act (FERPA) of 1974 (20 USC §1232g) and are defined as any Education Records that contain one or more of the following personal identifiers:
Student directory information is specifically considered public data unless the NIU student has requested suppression of this data from public view.
Personally Identifiable Information
For the purpose of meeting security breach notification requirements, PII is defined as a person’s first name or first initial and last name in combination with one or more of the following data elements:
Protected Health Information ("PHI")
PHI is fully defined in the Health Insurance Portability and Accountability Act (HIPAA) (45 CFR 160.103). In summary, PHI is defined as "individually identifiable health information" transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or medium by a Covered Component, as defined in the Northern Illinois University HIPAA Policy.
PHI includes “demographic information collected from an individual . . . created or received by a health care provider, health plan, employer . . . [that] relates to . . . health or condition of an individual; the provision of health care to an individual . . . that identifies the individual or [provides] a reasonable basis [for identification]. PHI does not include education records or treatment records covered by the Family Educational Rights and Privacy Act or employment records held by the University in its role as an employer.