SP 6-10k – Data Classification, Handling, and Protection

Colorado Community College System / System Procedure


SP 6-10k

APPROVED: January 28, 2021
EFFECTIVE: January 28, 2021

REFERENCE(S): Board Policy (BP) 6-10, Cyber Security Policy

APPROVED:

/ Joe Garcia /
Joseph A. Garcia
Chancellor

BASIS

This procedure documents the requirements by which the Colorado Community College System and its Colleges (“CCCS”) classify information, including the handling and protection of that information, regardless of media type.

APPLICATION

This procedure applies to employees, personnel affiliated via third party contracts, and volunteers that have access to Information Assets, owned or leased by CCCS.

DEFINITION

Personally Identifiable Information (PII)
For the purpose of meeting security breach notification requirements, PII is defined as a person’s first name or first initial and last name in combination with one or more of the following data elements:

  • Social security number
  • State issued driver’s license number or identification card number
  • Financial account number and other personal financial information
  • Credit card number
  • Medical and/or health insurance information
  • Employee or Student ID number

PROCEDURE

The System Chancellor delegates to the System Vice Chancellor for Information Technology (“IT”) responsibility for oversight of compliance with and implementation of this procedure. Further, the System Chancellor delegates to the College Presidents the responsibility to implement and compliance with this procedure at their respective institution.

Data Classification
Data shall be consistently protected along its lifecycle (creation to disposal) according to its level of sensitivity, criticality, and business “need to know.” Data owned, received, used, created, or maintained by CCCS shall be classified into the following three categories:

  • Public: Data is classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to CCCS. This classification should include data, information, materials and other assets that are intended for public circulation. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.
  • Sensitive: Data is classified as Sensitive when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to CCCS. By default, all data that is not explicitly classified as Restricted or Public data should be treated as Sensitive data. A reasonable level of security controls should be applied to Sensitive data and Sensitive data is intended for access and release on a need-to-know basis. Upon appropriate request (e.g., Colorado Open Records Act request,) it will be released in a controlled and lawful manner.
  • Restricted: Data is classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to CCCS. Restricted data includes data protected by state or federal privacy laws and data protected by confidentiality agreements. The highest level of security controls must be applied to Restricted data.

Examples of data that falls into each of the above classifications are included in Appendix A to this procedure.

Data Handling
CCCS data, regardless of media, shall be handled in accordance with applicable laws and regulations. In addition, CCCS will provide safe and secure methods of handling data to prevent the inadvertent or malicious disclosure of Sensitive or Restricted information.

  • Sensitive or Restricted data stored on paper must be secured during non-business hours.
  • Sensitive or Restricted data should not be stored on removable media.
  • Access to Sensitive or Restricted information shall be restricted based on a “need to know.”
  • Authentication data (e.g., passwords) shall be protected and not transmitted without the use of encryption.

Removable Media
Sensitive or Restricted information may not be stored on removable media. Removable media includes flash memory devices such as thumb drives, cameras, MP3 players and PDAs; removable hard drives (including hard drive-based MP3 players); and optical disks such as CD and DVD disks.

Encryption
CCCS shall deploy encryption solutions on Information Systems that store or transmit Sensitive or Restricted information.

REVISING THIS PROCEDURE

CCCS reserves the right to change any provision or requirement of this procedure at any time and the change shall become effective immediately.

APPENDIX A – DATA CLASSIFICATION EXAMPLES

DomainRestrictedSensitivePublic
Cross-domain identifiersSSN
Student ID numbers
Non-public policiesMarketing materials for public consumption
StudentDriver’s license, passport, credit card or banking information, Individual grades, academic transcript, class schedule, advising notesStudent name, Major, Degree
Student Directory Information under the Family Educational Rights and Privacy Act (FERPA) and SP 4-80a,
Address, Phone numbers, date of birth
Human ResourcesI-9 Form data; Payroll direct deposit account numberEmployee home address,
Employee offer letters,
other personnel information, employee compensation
Employee name, General employee benefit plans
HealthProtected Health Information under the Health Insurance Portability and Accountability Act (HIPAA)
FacilitiesDetailed floor plans showing gas, water, sprinkler shut-offs, hazardous materialsCampus map showing buildings, names, addresses, parking, lighted pathways, emergency phones, etc.