Policy Statement

This policy ensures that the types of information that are in use by the University are identified and classified, and establishes a formal ownership of each type.

Reason for Policy

Information is a critical and valuable asset of Adelphi University and the responsibility to safeguard that information is shared by everyone who has access to it. Some of the information is sensitive in nature, and controls must be put in place to ensure that only authorized persons perform authorized operations (integrity) and that information is not disclosed without proper authorization (confidentiality). This policy ensures that the types of information that are in use by the University are identified and classified and it establishes a formal ownership of each type. The classification is used to ensure that all information is protected at appropriate levels.

Who Is Governed by this Policy

All end-user and application management accounts on computerized information systems operated by or on behalf of Adelphi University.

Policy

Classification

  1. The Information Security Officer manages the information classification and identification process.
  2. The Information Security Officer publishes standards and guidelines for classifying information.
  3. The Information Owner is responsible for the identification and classification of information assets.

Ownership

  1. All information assets must have a clearly designated Information Owner, who is responsible for making informed decisions regarding the security of the information asset (with regards to confidentiality and integrity), and possesses the authorization to do so.
  2. A directory of Information Owners will be maintained by the Chief Information Officer.
  3. The Information Owner must review the classification of the information assets for which she or he is responsible at least once per year or more often if circumstances require.
  4. The Chief Information Officer will act as the Information Custodian and will operate and maintain the computerized information systems on behalf of the Information Owners.
  5. The Chief Information Officer and the Information Owner share responsibility for identifying the information systems that are used to process the information they control.
  6. The ownership of information assets without a clearly designated owner defaults to the Chief Information Officer.

Protection

  1. Anyone who has access to an information asset must protect it in accordance with its classification.
  2. The Information Owner is responsible for defining criteria and/or guidelines that can be used to determine if, and in which form, access to sensitive information is allowed, in accordance with its classification.
  3. Entities that are authorized to grant access to information must be appointed by the Information Owner. The appointment must include:
    1. The type of information for which the entity may grant permission.
    2. The actions for which the entity may grant permission.
    3. A date or condition when the authorization to approve access to the information expires and is no longer considered valid.
  4. Permission to access sensitive information must be explicitly granted by authorized entities. Access to sensitive information should only be granted on a need-to-use basis, and within the requirements imposed by federal or state laws. The approval must include:
    1. Acceptable actions to be taken with the data (e.g., read, copy, create, etc.).
    2. Retention requirements, specifying how long the data is allowed to be retained.
    3. Disposal requirements, specifying how the data must be disposed of when it is no longer needed.
    4. A date or condition when the approval expires and is no longer considered valid.
  5. Any misuse, or accidental or unauthorized disclosure must be reported immediately to the Information Security Officer.

Guidance

The confidentiality of information assets must be classified as follows:

Classification: Description

Regulated: Information assets are considered regulated when required by law or contract, or when they are deemed to be of a nature that uncontrolled disclosure would cause significant harm to the University. Examples of protected information are (but are not limited to): personal identity information (PII), student educational records (FERPA rules), credit card data (PCI DSS requirements), protected health information (HIPAA requirement), etc.

Protected: Information assets are considered protected when uncontrolled disclosure would cause minor harm to the University.

Public: Information assets are considered public when disclosure of the information does not require authorization, or when disclosure would cause no harm.

The integrity of information assets must be classified as follows:

Classification: Description

Critical: Information assets are considered critical when modification (including creation and/or deletion) must be controlled and unauthorized modification has a significant negative impact on the University. Examples of critical information are grades, payroll information, enrollment records, etc.

Controlled: Information assets are considered controlled when access to modify the information must be controlled, but unauthorized modification has at most a minor negative impact on the University.

Uncontrolled: Information assets are considered uncontrolled when modification (including creation and/or deletion) does not need to be controlled or when modification does not cause harm.

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action imposed by the Office of Human Resources. Violations of this policy by students will be addressed through the Student Disciplinary Process.

Deviation From This Policy

Permission to deviate from this policy may be granted or revoked by the Information Security Officer.

Definitions

Information Owner: A person or role who is authorized to make informed decisions regarding a particular class of information.

Forms

This policy does not have forms associated with it at this time. Upon periodic policy review this area will be evaluated to determine if additional information is needed to supplement the policy.

Related Information

This policy does not have related information at this time. Upon periodic policy review this area will be evaluated to determine if additional information is needed to supplement the policy.

Document History

  • Last Reviewed Date: Fall 2017
  • Last Revised Date: Fall 2017
  • Policy Origination Date: August 19, 2009

Who Approved This Policy

Office of Information Technology

Contacts

Chief Information Officer
Office of Information Technology