Data Classification Standards
The information we store on our computers is essential to the business of managing the institution. The process of information classification seeks to assign a descriptive value to campus information. That value is then used to implement practices and controls that will help to protect the information from unauthorized use, access, disclosure, modification, loss or deletion.
The California State University San Marcos (CSUSM) Information Classification and Protection Standard is derived from the CSU-wide Information Security Policy and Standards. These were developed in compliance with Federal and State laws and regulations governing the privacy and confidentiality of information and provide guidance on the classification and protection of university information.
The CSUSM Information Classification and Protection Standard applies to:
III. DATA CLASSIFICATION STANDARD
A. The California State University (CSU) has identified three classification levels that are referred to as Level 1, Level 2, and Level 3. Although all the enumerated data values require some level of protection, particular data values are considered more sensitive and correspondingly tighter controls are required for these values. The most critical level of sensitivity begins with Level 1.
B. The CSU Data Classification standard is reproduced in Appendix A.
IV. ROLES AND RESPONSIBILITIES
A. The CSU Office of the Chancellor is responsible for identifying Level 1 information and reviewing the requirements for the protection of Level 1 information on a periodic basis.
B. The campus Information Security Officer is responsible for communicating the content of the data classification standard to campus organizations and assisting in the determination of classification levels for information not listed in the standard. The Information Security Officer is also responsible for conducting an annual review of this Standard and amending it as appropriate.
C. Information Custodians have operational responsibility for the physical and/or electronic security of the information and are generally responsible for granting access to and ensuring the appropriate use of the information. Information Custodians are also responsible for ensuring that access to and protection of information and the file systems that host it are in compliance with all applicable information security policies and standards. In addition, Information Custodians are responsible for identifying protected data and assigning a classification as per the CSU data classification standard.
D. University Administrators are university managers and supervisors in the Management Personnel Plan or equivalent in CSUSM auxiliary organizations. University Administrators are responsible for ensuring compliance with established information security policies, procedures and standards within their respective college, department, administrative area, or organization.
E. Information Users are CSUSM Faculty and Staff Members and Employees of Auxiliary Organizations who, in the course and scope of their duties and responsibilities, access, collect, distribute, process, store, use, transmit or dispose of University information assets. Information Users are responsible for following established information security policies, procedures, and standards, and for ensuring that they do not put at risk, through their own actions, any University information to which they have been given access.
V. INFORMATION PROTECTION MEASURES
In addition to classifying information, protection measures to prevent the unauthorized or unlawful disclosure of campus information assets must be implemented and maintained. Protection measures are based on the information classification and include an appropriate combination of the following:
Specific protection measures for the handling, transmitting, storage, retention and destruction of information at each classification level are outlined in Appendix B, Information Protection Measures.
APPENDIX A - CSU DATA CLASSIFICATION STANDARD