Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the College should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data.
All institutional data should be classified into one of three sensitivity levels, or classifications:
|Data Class||Adverse Business Impact||Definition and examples|
Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the College, including data elements that have a
statutory requirement for notification
to affected parties in case of a confidentiality breach:
- Social security number
- Driver's license number or Arkansas identification card number;
- Financial account numbers, credit or debit card number financial account security codes, access codes, or passwords
- Personal medical information
- Personal health insurance information
The highest level of security controls should be applied to Restricted data.
Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the College.
This level of information is intended for release only on a need-to-know basis, including personal information not classified as Restricted. Examples include:
- FERPA student records (including Student ID)
- Staff and academic personnel records (including Employee ID)
- Licensed software/software license keys
- Library paid subscription electronic resources
By default, all Institutional Data that is not explicitly classified as Restricted or Public data should be treated as Private data.
A reasonable level of security controls should be applied to Private data.
|Public||Limited or none|
Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the College.
Examples of Public data include:
- Public directory information
- Public websites
- Press releases
- Course listings and pre-requisites
While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.