Handling Protected Data
Data Classification Standards
I. INTRODUCTION
The information we store on our computers is essential to the business of managing the institution. The process of information classification seeks to assign a descriptive value to campus information. That value is then used to implement practices and controls that will help to protect the information from unauthorized use, access, disclosure, modification, loss or deletion.
The California State University San Marcos (CSUSM) Information Classification and Protection Standard is derived from the CSU-wide Information Security Policy and Standards. These were developed in compliance with Federal and State laws and regulations governing the privacy and confidentiality of information, and they provide guidance on the classification and protection of university information.
II. SCOPE
The CSUSM Information Classification and Protection Standard applies to:
- All information in written format that is collected, generated, and/or maintained by CSUSM and CSUSM auxiliary organizations, except where superseded by grant, contract, or federal copyright law.
Written format means any handwriting, typewriting, printing, photostating, photographing, photocopying, transmitting of electronic mail or facsimile, and every other means of recording upon any tangible thing, and any form of communication or representation, including letters, words, pictures, sounds, or symbols, or combinations thereof, and any record thereby created, regardless of the manner in which the record has been stored.
III. DATA CLASSIFICATION STANDARD
- The California State University (CSU) has identified three classification levels that are referred to as Level 1, Level 2, and Level 3. Although all the enumerated data values require some level of protection, particular data values are considered more sensitive, and correspondingly tighter controls are required for these values. The most critical level of sensitivity begins with Level 1.
- The CSU Data Classification standard is reproduced in Appendix A.
IV. ROLES AND RESPONSIBILITIES
- The CSU Office of the Chancellor is responsible for identifying Level 1 information and reviewing the requirements for the protection of Level 1 information on a periodic basis.
- The campus Information Security Officer is responsible for communicating the content of the data classification standard to campus organizations and assisting in the determination of classification levels for information not listed in the standard. The Information Security Officer is also responsible for conducting an annual review of this Standard and amending it as appropriate.
- Information Custodians have operational responsibility for the physical and/or electronic security of the information and are generally responsible for granting access to and ensuring the appropriate use of the information. Information Custodians are also responsible for ensuring that access to and protection of information, and of the file systems that host it, are in compliance with all applicable information security policies and standards. In addition, Information Custodians are responsible for identifying protected data and assigning a classification as per the CSU data classification standard.
- University Administrators are university managers and supervisors in the Management Personnel Plan or equivalent in CSUSM auxiliary organizations. University Administrators are responsible for ensuring compliance with established information security policies, procedures and standards within their respective college, department, administrative area, or organization.
- Information Users are CSUSM Faculty and Staff Members and Employees of Auxiliary Organizations who, in the course and scope of their duties and responsibilities, access, collect, distribute, process, store, use, transmit or dispose of University information assets. Information Users are responsible for following established information security policies, procedures, and standards, and for ensuring that they do not put at risk, through their own actions, any University information to which they have been given access.
V. INFORMATION PROTECTION MEASURES
In addition to classifying information, protection measures to prevent the unauthorized or unlawful disclosure of campus information assets must be implemented and maintained. Protection measures are based on the information classification and include an appropriate combination of the following:
- Physical Access Control (e.g., controlled access to buildings or rooms and appropriate handling, storage and disposal of media)
- Administrative Access Control (e.g., restrict access on the basis of role or authority)
- Technical Access Control (e.g., information storage on a secure server and use of privacy enhancing technologies)
Specific protection measures for the handling, transmitting, storage, retention and destruction of information at each classification level are outlined in Appendix B, Information Protection Measures.