Information Classification Standard

1.0 Reference
This standard supports Portland Community College’s Privacy Policies regarding (ORS 341.290 [17]) Student records B407, Confidentiality, Solomon Act, Family Educational Rights and Privacy Act of 1974 (Statute: 20 U.S.C. 1232g; Regulations: 34 CFR Part 99) also known as the Buckley Amendment, Oregon Identity Theft Protection Act – Oregon Revised Statute 646A.600, Portland Community College Information Classification Standard, HIPAA Privacy Notice, Fair and Accurate Credit Transaction Act of 2003 (FACTA), and the Payment Card Industry-Data Security (PCI-DSS) Standard. This standard replaces the Administrative Electronic Information Policy.
2.0 Overview
Information drives academic freedom and must be protected appropriately. An information classification standard is necessary to provide a framework for securing data from risks including, but not limited to, unauthorized destruction, modification, disclosure, access, use, removal, or denial of legitimate services. This standard outlines measures and responsibilities required for securing information and information resources based on risk. It shall be carried out in conformity with state and federal law.
This standard is the bedrock of PCC's information security policies and standards, and is consistent with PCC's data management and records management standards. PCC recognizes that the value of its data resources lies in their appropriate and widespread use.
3.0 Purpose
The purpose of this standard is to create a priority structure for the protection of information that PCC deems critical to its core mission of providing superior education to the community. This will enable all departments to apply safeguards commensurate with the level of protection required without placing unnecessary restrictions on data access or use for those individuals who use the data in support of PCC business or academic pursuits.
4.0 Scope
This standard applies to all PCC enterprise-level administrative data and to all user-developed data sets and systems that may access these data, regardless of the environment where the data reside (including servers, document safes and cabinets, personal computers, mini-computers, mobile devices, etc.). The standard applies regardless of the media on which data reside (including paper, electronic, microfiche, CD, etc.) or the form they may take (text, graphics, video, voice, etc.).
5.0 Standard
Information must be maintained in a secure, accurate, and reliable manner and be readily available for authorized use. Data Protection Guidelines will be implemented commensurate with data value, sensitivity, and risk.
To implement security at the appropriate level, establish guidelines for legal/regulatory compliance, and reduce or eliminate conflicting standards and controls over data, data will be classified into one of the following categories:
5.1.1 Non-critical information -
An encompassing term for information considered public and non‑confidential in nature. Non‑critical information is not subject to protection or Data Handling Procedures.
5.1.2 Critical information -
An encompassing term for information considered valuable to some degree to PCC. Critical information is the basis of data classification. Classification levels are control labels based on the value of the information, degree of protection required, and the degree of damage that unauthorized disclosure would cause. Critical information is not releasable on demand without due process.
PROTECTED information -
Information considered valuable to PCC but not requiring confidentiality controls. UNCLASSIFIED information may have additional departmental controls on the handling, collection, processing, and/or distribution. Examples of this would include destruction or storage dates/instructions, rare historical documents, copyrighted materials, and special instructions such as conditional access provisions.
ACADEMIC information -
A classification of critical information controlled for academic purposes to maintain academic freedom. This does not include student personal identification. It deals with faculty lesson and testing content. This includes but is not restricted to test banks, quizzes, sequential lesson material, answer keys, or research conducted by faculty affiliated with PCC or research conducted on the premises with other institutions. It also can include information regarding academic thesis research by faculty.
Academic information disclosure can degrade the integrity of grades, the reputation of PCC, the student body, and faculty as a whole. It can also cause enormous financial losses and penalties due to the illicit exploitation of research.
INTERNAL information -
A classification of critical information considered medium to high risk, because the exposure of this information can cause serious harm to PCC. Information in this category is largely proprietary and operational in nature. This includes information about PCC-related activities. Examples include detailed information about some information technology infrastructure, PCC buildings, security procedures, activities or events, information about future PCC development plans, and grant information.
CONFIDENTIAL information -
A classification of critical information considered high risk, either because the exposure of this information can cause tremendous harm to an individual or PCC or because the information is specifically protected under law or contract (e.g. HIPAA, FERPA, GLBA, PCI, and ORS 646.600 Oregon's Identity Theft Protection Act). This includes information that can be linked, directly or indirectly, to individual people. SSNs, credit card numbers, financial information, personally identifiable medical information, personal addresses, and personally identifiable academic information fall into this category.
Data in these categories will require varying security measures appropriate to the degree to which the loss or corruption of the data would impair the business functions of PCC, result in financial loss, or violate law, policy or PCC contracts.
The following roles and responsibilities are established for carrying out this data standard:
5.2.1 Data User:
Data users are individuals who need and use PCC data as part of their assigned duties or in fulfillment of assigned roles or functions within the PCC community. Individuals who are given access to sensitive data have a special position of trust and are responsible for protecting the security and integrity of those data. They should exercise due care in using and accessing the institution's information systems and in protecting files from unauthorized use, disclosure, alteration, or destruction. Each person is responsible for security, privacy, and control of their own data.
5.2.2 Data Originator:
Originators have Original Classification Authority (OCA) to set the initial classification level of a piece of information they create in whole or in part. Only Data Trustees have the authority to revise a classification level. Note: Data Originators do not have the authority to downgrade CONFIDENTIAL Information since the protections required are usually the result of legal or contractual requirements.
5.2.3 Data Steward:
Data Stewards are PCC officials having direct operational-level responsibility for information management – usually department managers, and designated system analysts. Data Stewards are responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system users as authorized by data trustees or their designees, and implementing and administering controls over the information.
5.2.4 Data Trustee:
Data Trustees (formerly: Custodians) are senior PCC officials (or their designees) who have planning and high-level responsibility for data within their functional areas and management responsibilities for defined segments of institutional data. Data Trustees are ultimately responsible for the accuracy and protection of data in their areas. Responsibilities include assigning data stewards and participating in establishing standards, practices, and accountability.
Clarification of roles in data classification is the responsibility of the Information Security Manager in conjunction with the Data Trustees. Data Trustees, Stewards, and roles are identified in the Information Security Roles and Functional Areas List.
6.0 Enforcement
Any employee found to have violated this standard may be subject to disciplinary action, up to and including termination of employment. Any non-PCC employee using PCC’s network services found to have violated this standard may have their access terminated. Depending on circumstances, students may be subject to disciplinary action.
Any user who violates this standard may be held liable for damages to PCC assets, which may include, but are not limited to, the loss of information, computer software and hardware, lost revenue due to down time, and fines and judgments imposed as a direct result of the failure of the user to adhere to this standard.
7.0 Definitions
ACL –
Access Control List; a set of rules in a network device, such as a router, that controls access to segments of the network. A router with ACLs can filter inbound and/or outbound network traffic similar to a firewall but with less functionality.
Authentication –
Process of verifying one’s digital identity. For example, when someone logs into myPCC, the password verifies that the person logging in is the owner of the account. The verification process is called authentication.
Authorization –
Granting access to resources only to those authorized to use them.
Availability –
Ensures timely and reliable access to and use of information.
Confidentiality –
Preserves authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Criticality –
Indicates the data’s level of importance to the continuation of normal operation of the institution, or for compliance with law. The more critical the data is, the greater the need to protect it.
Firewall –
A specialized hardware and/or software system that filters network traffic to control access to a resource, such as a database server, and thereby provide protection and enforce security policies. A router with ACLs is not considered a firewall.
Integrity –
Guards against improper modification or destruction of information, and ensures non-repudiation and authenticity.
Secure Data Center –
A facility managed by full-time IT professionals for housing computer, data storage, and/or network equipment with 24x7 restricted access, environmental controls, power protection, and firewall protection.
Sensitivity –
Indicates the required level of protection from unauthorized disclosure, modification, fraud, waste, or abuse due to potential adverse impact on an individual, group, institution, or affiliate. Adverse impact could be financial, legal, or on one’s reputation or competitive position. The more sensitive the data is, the greater the need to protect it.
PCC Data –
Any data related to Portland Community College ("PCC") functions on PCC information technology systems, specifically, a) stored, b) maintained by PCC faculty, staff, or students, or c) related to institutional processes on or off campus.
VPN –
Virtual Private Network; a VPN provides a secure communication channel over the Internet that requires authentication to set up the channel and encrypts all traffic flowing through the channel.
8.0 Revision History
Version 1.0 May XX, 2009