Data Classification Policy

PURPOSE

Information assets and IT resources that contain, distribute, and store data are vital to the systems that support Shepherd University’s ongoing mission of discovery, learning, and engagement. All information assets and IT resources, especially data, must be protected throughout various phases of their useful life, including when created, collected, stored, transferred, purged, and ultimately destroyed. To support its mission, Shepherd University classifies data into three categories: (1) sensitive; (2) protected; and (3) non-sensitive.

POLICY

Shepherd University information assets and IT resources contain various types of data that is to be used holistically and individually in an approved, ethical, and lawful manner to avoid loss and/or damage to Shepherd University data, operations, image, or financial interest. All affiliated data should be considered confidential and proprietary, thus every effort to protect the integrity of all types of data must be made.

SENSITIVE DATA
Sensitive data is highly confidential. Sensitive data is protected by laws, statutes, regulations, guidelines, and contractual language, which is exposed or breached could result in legal damages, fines, penalties, identify theft, and/or financial fraud.

Data examples/elements/fields exhibited as sensitive include, but are not limited to:

• Personally identifiable information (Pii) of a user
• SSNs, Driver’s License numbers, Federal ID numbers, taxpayer ID numbers, Passport numbers
• System account credentials
• Health records
• Financial data – credit/debit card numbers

Collecting Sensitive Data

• Sensitive data may only be collected, maintained, used, or disseminated as necessary to accomplish/adhere to an academic or business purpose of the university or as required by law.
• Departmental units requesting or collecting sensitive data must communicate why the data is being collected, how it will be used, and, if applicable, any consequences of not providing it.
• Individuals have the right to inspect and challenge, correct, or explain their personal information as protected by law.

Sending/Receiving Sensitive Data

• Sensitive data sent or received electronically must be secured using strong data-encryption technology, a secure web transfer, or by utilizing the Secure File Transfer Protocol (SFTP). Other acceptable methods include transferring files between Shepherd University network drives on the university network or by leveraging the university’s secure cloud/web file system. E-mail is not designed to adequately support the transmission of sensitive data securely.
• For releasing sensitive data to an authorized third party, the sender must ensure that said third party is aware of the confidentiality obligations applicable and listed within this policy. Moreover, the third party is aware that Shepherd University reserves the right for a full security review of internal/external data/security/integrity practices of third party outlining how said data will be secured throughout all phases of transit and rest.
• Sensitive data sent in physical form, such as inter-office mail, must be secured in a sealed envelope or by a similar method.
• Faxing sensitive data is permissible provided that the recipient is notified in advance and is available to immediately retrieve the fax following transmission or be able to secure it upon receipt of delivery. All individuals receiving faxed documents containing sensitive data are responsible for securing the document after receipt.

Storing Sensitive Data

• Sensitive data should only be stored on Shepherd University administered servers and approved cloud storage systems. If sensitive data must be stored on a computing device, the data must be encrypted in adherence with Shepherd University IT standards. Assisting with determining the best encryption options, users can contact the Information Privacy Officer.
• Sensitive data being stored by a vendor/third party must adhere to the same standards/recommendations as if being stored on university information assets and/or IT resources.
• Sensitive data saved in non-electronic forms must be protected from unauthorized access in a locked cabinet within a locked office.

PROTECTED DATA
Protected data is information that is protected by laws, statutes, regulations, university policies, or other contractual language, but does not carry the same level of risk as sensitive data.

Data examples/elements/fields exhibited as protected include, but are not limited to:

• Student educational records protected by FERPA (i.e. grades, class lists, schedules, etc.)
• Employment or non-identifiable personnel data
• Performance evaluations

Sending/Receiving Protected Data

• Protected data may be sent/received via the Shepherd University e-mail system. Other acceptable methods include transferring files between network drives, using university cloud/web file system, or opting to leverage a secure file transfer or encryption service.
• Transmission of FERPA protected data using Shepherd University’s e-mail systems must be restricted to recipients with a legitimate educational interest. E-mailing FERPA data to large groups of people is a violation of this restriction, unless it is verified that each recipient has a legitimate educational interest.
• For releasing protected data to an authorized third party, the sender must ensure that said third party is aware of the confidentiality obligations applicable and listed within this policy. Moreover, the third party is aware that Shepherd University reserves the right for a full security review of internal/external data/security/integrity practices of third party outlining how said data will be secured throughout all phases of transit and rest.
• Protected data sent in physical form must be secured in a sealed envelope or similar method.
• Faxing sensitive data is permissible provided that the recipient is notified in advance and is available to immediately retrieve the fax following transmission or be able to secure it upon receipt of delivery. All individuals receiving faxed documents containing sensitive data are responsible for securing the document after receipt.

Storing Protected Data

• Protected data should only be stored on Shepherd University administered servers and approved cloud storage systems. If sensitive data must be stored on a computing device, the data must be encrypted in adherence with Shepherd University IT standards. Assisting with determining the best encryption options, users can contact the Information Privacy Officer.
• Protected data being stored by a vendor/third party must adhere to the same standards/recommendations as if being stored on university information assets and/or IT resources.
• Protected data saved in non-electronic forms must be protected from unauthorized access in a locked cabinet within a locked office.

NON-SENSITIVE DATA
Non-sensitive data is information that may be available to the general public and is defined with no existing local, national, or international legal restrictions on access or usage.

Data examples/elements/fields exhibited as non-sensitive include, but are not limited to:

• Publicly posted press releases
• Publicly posted catalogs, class listings, or schedules
• Public announcements, advertisements, director information, and other freely available data accessible on university websites

PRIVACY, OPERATIONS, and MONITORING

Shepherd University seeks to maintain its IT environment and manage all information assets including data, computing devices, systems technology, telephony, and IT resources in a manner that respects individual privacy and promotes user trust. However, the use of Shepherd University IT resources is not completely private, and users should have no expectation of privacy in connection with the use of any information asset or IT resource.

Shepherd University has the legal right to access, preserve, and review all information stored on or transmitted through any information asset or IT resource, including the inspection of e-mail messages, logging of activities, monitoring usage patterns, and data audits/integrity checks. IT Services may, with or without notice to users, take any other action it deems necessary to preserve, secure, and protect systems, information assets, or IT resources for the betterment of Shepherd University. Without limiting its right to take action, Shepherd University may, it is sole discretion, disclose the results of any general or individual monitoring or access permitted by this policy, including the contents and records of individual communications, to appropriate Shepherd University personnel and/or law enforcement agencies.

SCOPE of AFFECTED PARTIES

This policy applies to all users, such as students, faculty, and staff of Shepherd University and to other persons accessing Shepherd University information assets and/or IT resources including but not limited to authorized agents or community members, regardless of whether such information asset or IT resource is accessed from on-campus or off-campus.

ROLES & RESPONSIBILITIES

All Shepherd University students, faculty, staff, and other parties with access to Shepherd University information assets and IT resources shall be responsible for:

USERS

• Understand and comply with the guidance provided by this policy, as well as applicable compliance programs and affiliated awareness training with all applicable laws, standards, procedures, and university protocols.
• Physically secure and safeguard information assets and IT resources, within the user’s possession and control, including abiding with the safe handling of data.
• Promptly report any suspected violation of this policy, any security events, and/or incidents involving a suspected compromise of a user’s account or IT resource to itworkorder@shepherd.edu.

CIO/CISO – INFORMATION PRIVACY OFFICER

• Oversee and administer this policy.
• Provide authorization and direction to IT Services staff in accordance with this policy.
• Develop awareness and necessary training materials as it pertains to this policy.

IT SERVICES STAFF

• With appropriate authorization, take directed action in accordance with this policy to preserve, secure, and protect the interests of Shepherd University.
• Ensure all associated procedures are followed and documented accordingly when taking any actions outlined in this policy.

RELATED TOOLS

RELATED POLICIES & GUIDELINES
BOG#35: Information Technology Security
Acceptable Use Policy
IT Information Security & Privacy Policy
Password Policy
Social Security Number Guidelines
Work from Home / Remote Access Guidelines

POLICY: Data Classification Policy
IMPACT: Data, Technology, and IT Resources
RESPONSIBLE OFFICE: IT Services
CREATED: November 28, 2022
REVISED: November 28, 2022
APPROVED BY: CIO/CISO – Information Privacy Officer
VERSION: 23.1