Skip to main content

Search

Information Classification and Handling Policy (ICH)

 

INFORMATION CLASSIFICATION AND HANDLING POLICY (ICH)

November 10, 2023

 

FOR

 

University West Alabama

 

change log

This record shall be maintained throughout the life of the document. Each published update shall be recorded. Revisions are a complete re-issue of entire document.

CHANGE / REVISION RECORD
Date Description of Change Made By:
09/15/2023 Initial Creation Loren Larson
11/10/2023 Updated Loren Larson
     
     
     
     
     
     
     
     
     
     
     

 

 

 

Contents

1     Overview.

1.1     Purpose.

1.2     Scope.

2     Information Classification Policy.

2.1     Purpose.

2.2     Applicability.

2.3     General Information Classification Types.

2.4     General Information Classification Types.

3     Information Handling Policy.

3.1     Purpose.

3.2     Applicability.

3.3     Required Handling Activities by Classification Types.

 

 

1        Overview

This document sets forth the information/data classification and handling requirements for the University of West Alabama (UWA).

 

1.1      Purpose

The UWA Cybersecurity Information Classification and Handling Policy establishes UWA’s data classification and protection of information based on legal requirements, value, criticality of and sensitivity to unauthorized disclosure or modification.

 

1.2      Scope

This document applies to UWA, and it covers UWA Office of Information Technology (OIT) supported information systems.  This directive applies to all users of UWA information resources, systems, and networks. This directive applies to all UWA employees and contingent workers.

 

This policy documents covers two areas:

  • Information Classification
  • Information Handling

 

 

2        Information Classification Policy

2.1      Purpose

This policy provides the guidelines to classify UWA information based on legal requirements, value, criticality of and sensitivity to unauthorized disclosure or modification.

2.2      Applicability

This directive applies to all UWA employees and contingent workers.

2.3      General Information Classification Types

The Information Classification Policy classifies information into three categories: Public, Internal, and Confidential. The following table defines these categories and provides examples of each.

 

 

Classification Public Internal Confidential
Definition
  • Information that may be disclosed to any person regardless of their affiliation with UWA.
  • Applies to data that do not require any level of protection from disclosure.
  • Information that is not intended to be shared with the public.
  • Information that is intended for internal use only.
  • Default classification
  • Information that, if disclosed to unauthorized parties, would require notification of the impacted population, state, or federal authorities.
  • Information that could provide a pathway for unauthorized individuals to access UWA systems.
  • Documents protected by Attorney Client Privilege
 
Examples
  • Public facing web pages
  • Press releases
  • Job postings
  • Promotional information
  • Administrative regulations
  • Published research
  • Campus maps
  • Intranet information
  • Standards and procedures
  • Inventory listings
  • Files concerning internal activities
  • Nonpublic contracts
  • Research in process
  • Student and employee ID numbers
  • Userids
 
  • Computer passwords
  • Social security numbers
  • Date of birth
  • Credit card information
  • Bank account information
  • Student transcripts and related content
  • Attorney/client privileged information
  • Grade information

 

 

2.4      General Information Classification Types

The following table contains examples of data elements pertaining to specific regulations which when taken as standalone or in combination with other identifiers may be classified as Confidential Information.

 

 

 

Regulation Data Element Examples
HIPAA:  Protected Health Information (PHI)
  • Patient name
  • Patient contact information (address, phone, and fax numbers, email, URL, IP address)
  • Dates (except year) of service
  • Social security numbers
  • Health conditions, symptoms, and prescriptions
  • Account and medical record numbers
  • Health plan beneficiary information
  • Certificate and license numbers
  • Device identification and serial numbers
  • Biometric identifiers (ex. Fingerprint, retinal scans)
  • Any other unique identifying number, characteristic, or code
  • Payment guarantor’s information and patient billing records
FERPA[1]:  Personally Identifiable Education Records
  • Detail of registration information (e.g. courses, times)
  • Test scores, completed assignments and grades
  • Advising records
  • Disciplinary actions
  • Social security numbers
GLBA[2]: Financial Services Modernization Act of 1999 Personally Identifiable Financial Information (PIFI)
  • Employee financial account information
  • Student financial account information (e.g., aid, grants, bills)
  • Individual financial information
  • Business partner and vendor financial account information and social security numbers
  • Contract information (e.g., between UWA and a third party)
PCI DSS Payment Card Industry Security Standard Personally Identifiable Information (PII)
  • Cardholder name
  • Personal Account Number (PAN)
  • Expiration date
  • Service code (i.e., the three or four digit number on the magnetic stripe that specifies acceptance requirements and limitations for a magnetic stripe read transaction; the service code is not to be confused with the CVV code that is printed on the back of the credit card)
Other Regs
  • First name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted, redacted, or secured by any other method rendering the element unreadable or unusable:
  • Social Security Number
  • Driver’s license number or nonoperating identification license
  • Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account

 

 

 

 

3        Information Handling Policy

3.1      Purpose

This policy specifies the handling requirements for protecting UWA information based on legal requirements, value, criticality of and sensitivity to unauthorized disclosure or modification.

3.2      Applicability

This policy applies to all UWA employees and contingent workers and provides a framework for handling UWA’s information and defines the required activities for protection of information by classification type. 

 

This policy is not all inclusive and does not consider all possible scenarios.

 

The Information Security Office and/or the Privacy Office should be consulted for guidance for scenarios not covered by the principles described in this document.

 

3.3      Required Handling Activities by Classification Types

 

The following tables describe the required safeguards for protecting information based on its classification.

 

  Public Internal Confidential
Collection and Access  
Collect only the minimum required amount of information to fulfill institutional responsibilities Required Required Required
Limit access to information to those with a “need to know” based on institutional responsibilities Required Required Required
Access only the minimum amount of information required to fulfill institutional responsibilities. Required Required Required

 

 

  Public Internal Confidential
Authorization and Authentication  
Access to information should be granted only to those authorized by the data owner. Recommended Required Required
Usernames and passwords are used to control access to institutional systems. Required Required Required

 

 

 

  Public Internal Confidential
Discussion and Disclosure  
Limit information disclosure and discussion to the minimum amount necessary. Recommended Required Required
Disclose information only when necessary and to the extent that such disclosure is consistent with UWA Administrative Regulations, Governing Board Policy, and required by law. Recommended Required Required

 

 

  Public Internal Confidential
Transmission and Transport  
Use secure methods to transmit information (e.g. HTTPS, SSH, SFTP, etc.). Not Required Recommended Required
Secure and safeguard information (including devices containing the information) during transport. Recommended Required Required

 

 

  Public Internal Confidential
Encryption  
Encrypt email sent externally from UWA email addresses to non-UWA email addresses (to third parties). Not Required Recommended Required
Encrypt email sent internally from UWA email addresses to UWA email addresses. Not Required Not Required Required
Encrypt information stored on removable media (e.g., flash drives, external hard drives, optical media, etc.) Not Required Required Required
Encrypt information stored in institutional databases. Not Required Recommended Required
Encrypt information sent to external entities. Not Required Recommended Required
On mobile devices where the option is supported, full-disk encryption should be applied (e.g., laptops and tablets). Required Required Required

 

 

  Public Internal Confidential
Storage  
Information is stored in permission-restricted file shares Recommended Required Required
Copies or duplicates of information are minimized or eliminated. Required Required Required
Documents are stored in a physically secure area or location (e.g., locked cabinet or drawer, behind a locked door, a safe, etc.). Not Required Recommended Required

 

 

  Public Internal Confidential
Physical Security and Labeling  
Lock workstations, laptops, tablets, etc. when unattended. Required Required Required
Information is printed to printers in secure locations restricted to those with a “Need-to-know”.  Documents are not left unattended. Recommended Recommended Required
When the option is available, information is labeled according to classification. Not Required Recommended Required

 

 

  Public Internal Confidential
Retention and Disposition      
Documents are shredded when no longer needed. Not Required Required Required
Hard drives and removable media are securely erased, purged, or sanitized when repurposed for use within UWA according to the methods described in NIST Special Publication 800-88: Guidelines for Media Sanitization. Required Required Required
Hard drives and removable media are securely erased, purged, sanitized, degaussed, or destroyed when disposed of according to the methods described in NIST Special Publication 800-88: Guidelines for Media Sanitization. Required Required Required

 

 

 

 

[1] FERPA rights apply to all students who are or have attended UWA. FERPA does not apply to applicants who are denied admission or to those applicants who were accepted but did not attend.

 

[2] GLBA - Colleges and universities, defined as financial institutions for purposes of the Act, are not subject to the privacy provisions of the Act if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). However, higher education institutions are subject to the provisions of the Act related to the administrative, technical, and physical safeguarding of customer records and information.

Powered by Zendesk