Handling Protected Data

Data Classification Standards

I.    INTRODUCTION

The information we store on our computers is essential to the business of managing the institution. The process of information classification seeks to assign a descriptive value to campus information.  That value is then used to implement practices and controls that will help to protect the information from unauthorized use, access, disclosure, modification, loss or deletion.

The California State University San Marcos (CSUSM) Information Classification and Protection Standard is derived from the CSU-wide Information Security Policy and Standards.  These were developed in compliance with Federal and State laws and regulations governing the privacy and confidentiality of information and provide guidance to the classification and protection of university information. 


II.    SCOPE

The CSUSM Information Classification and Protection Standard applies to:

  • All  information in written format that is collected, generated, and/or maintained by CSUSM and CSUSM auxiliary organizations except where superseded by grant, contract, or federal copyright law

    Written format  means any handwriting, typewriting, printing, photostating, photographing, photocopying, transmitting of electronic mail or facsimile, and every other means of recording upon any tangible thing, and any form of communication or representation, including letters, words, pictures, sounds, or symbols, or combinations thereof, and any record thereby created, regardless of the manner in which the record has been stored.


III.    Data Classification Standard

       A.    The California State University (CSU) has identified three classification levels that are referred to as level 1, level 2, and level 3. Although all the enumerated data values require some level of protection, particular data values are considered more sensitive and correspondingly tighter controls are required for these values. The most critical level of sensitivity begins with Level 1.

       B.    The CSU Data Classification standard is reproduced in Appendix A.


IV.    ROLES AND RESPONSIBILITIES

       A.    The CSU Office of the Chancellor is responsible for identifying Level 1 information and reviewing the requirements for the protection of Level 1 information on a periodic basis.

       B.      The campus  Information Security Officer is responsible for communicating the content of the data classification standard in to campus organizations and assisting in determination of classification levels for information not listed in the standard.  The Information Security Officer is also responsible for conducting an annual review of this Standard and amending it as appropriate.

       C.    Information Custodians have operational responsibility for the physical and/or electronic security of the information and are generally responsible for granting access to and ensuring the appropriate use of the information.   Information custodians are also responsible for ensuring that access to and protection of information and the file systems that host them are in compliance with all applicable information security policies and standards. In addition, Information Custodians are responsible for identifying protected data and assigning a classification as per the CSU data classification standard.

       D.    University Administrators are university managers and supervisors in the Management Personnel Plan or equivalent in CSUSM auxiliary organizations.  University Administrators are responsible for ensuring compliance with established information security policies, procedures and standards within their respective college, department, administrative area, or organization.

       E.    Information Users are CSUSM Faculty and Staff Members and Employees of Auxiliary Organizations, who in the course and scope of their duties and responsibilities, access, collect distribute, process, store,  use, transmit or dispose of University information assets, are responsible for following established information security policies, procedures, and standards.  Information users are responsible for ensuring that he/she does not put at risk through his or her own actions, any University information for which he/she has be given access. 


V.    INFORMATION PROTECTION MEASURES

In addition to classifying information, protection measures to prevent the unauthorized or unlawful disclosure of campus information assets must be implemented and maintained.   Protection measures are based on the information classification and include an appropriate combination of the following:

  • Physical Access Control (e.g., controlled access to buildings or rooms and appropriate handling, storage and disposal of media)
  • Administrative Access Control (e.g., restrict access on the basis of role or authority)
  • Technical Access Control (e.g., information storage on a secure server and use of privacy enhancing technologies)

Specific protection measures for the handling, transmitting, storage, retention and destruction of information at each classification level are outlined in Appendix B, Information Protection Measures.


APPENDIX A - CSU DATA CLASSIFICATION STANDARD

APPENDIX B - INFORMATION PROTECTION MEASURES

More questions?  Contact the ISO at 760.750.4787