State Board | Policies and Procedures
SP 6-10k – Data Classification, Handling, and Protection
COLORADO COMMUNITY COLLEGE SYSTEM
SYSTEM PROCEDURE
Data Classification, Handling, and Protection
SP 6-10k
APPROVED: January 28, 2021
EFFECTIVE: January 28, 2021
REFERENCE(S): Board Policy (BP) 6-10, Cyber Security Policy
APPROVED:
/ Joe Garcia /
Joseph A. Garcia
Chancellor
Basis
This procedure documents the requirements by which the Colorado Community College System and its Colleges (“CCCS”) classify information, including the handling and protection of that information, regardless of media type.
Application
This procedure applies to employees, personnel affiliated via third party contracts, and volunteers that have access to Information Assets, owned or leased by CCCS.
Definition
Personally Identifiable Information (PII)
For the purpose of meeting security breach notification requirements, PII is defined as a person’s first name or first initial and last name in combination with one or more of the following data elements:
- Social security number
- State issued driver’s license number or identification card number
- Financial account number and other personal financial information
- Credit card number
- Medical and/or health insurance information
- Employee or Student ID number
Procedure
The System Chancellor delegates to the System Vice Chancellor for Information Technology (“IT”) responsibility for oversight of compliance with and implementation of this procedure. Further, the System Chancellor delegates to the College Presidents the responsibility to implement and compliance with this procedure at their respective institution.
Data Classification
Data shall be consistently protected along its lifecycle (creation to disposal) according to its level of sensitivity, criticality, and business “need to know.” Data owned, received, used, created, or maintained by CCCS shall be classified into the following three categories:
- Public: Data is classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to CCCS. This classification should include data, information, materials and other assets that are intended for public circulation. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.
- Sensitive: Data is classified as Sensitive when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to CCCS. By default, all data that is not explicitly classified as Restricted or Public data should be treated as Sensitive data. A reasonable level of security controls should be applied to Sensitive data and Sensitive data is intended for access and release on a need-to-know basis. Upon appropriate request (e.g., Colorado Open Records Act request,) it will be released in a controlled and lawful manner.
- Restricted: Data is classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to CCCS. Restricted data includes data protected by state or federal privacy laws and data protected by confidentiality agreements. The highest level of security controls must be applied to Restricted data.
Examples of data that falls into each of the above classifications are included in Appendix A to this procedure.
Data Handling
CCCS data, regardless of media, shall be handled in accordance with applicable laws and regulations. In addition, CCCS will provide safe and secure methods of handling data to prevent the inadvertent or malicious disclosure of Sensitive or Restricted information.
- Sensitive or Restricted data stored on paper must be secured during non-business hours.
- Sensitive or Restricted data should not be stored on removable media.
- Access to Sensitive or Restricted information shall be restricted based on a “need to know.”
- Authentication data (e.g., passwords) shall be protected and not transmitted without the use of encryption.
Removable Media
Sensitive or Restricted information may not be stored on removable media. Removable media includes flash memory devices such as thumb drives, cameras, MP3 players and PDAs; removable hard drives (including hard drive-based MP3 players); and optical disks such as CD and DVD disks.
Encryption
CCCS shall deploy encryption solutions on Information Systems that store or transmit Sensitive or Restricted information.
Revising this Procedure
CCCS reserves the right to change any provision or requirement of this procedure at any time and the change shall become effective immediately.
Appendix A – Data Classification Examples
| Domain | Restricted | Sensitive | Public |
| Cross-domain identifiers | SSN
Student ID numbers |
Non-public policies | Marketing materials for public consumption |
| Student | Driver’s license, passport, credit card or banking information, Individual grades, academic transcript, class schedule, advising notes | Student name, Major, Degree
Student Directory Information under the Family Educational Rights and Privacy Act (FERPA) and SP 4-80a, Address, Phone numbers, date of birth |
|
| Human Resources | I-9 Form data; Payroll direct deposit account number | Employee home address,
Employee offer letters, other personnel information, employee compensation |
Employee name, General employee benefit plans
|
| Health | Protected Health Information under the Health Insurance Portability and Accountability Act (HIPAA) | ||
| Facilities | Detailed floor plans showing gas, water, sprinkler shut-offs, hazardous materials | Campus map showing buildings, names, addresses, parking, lighted pathways, emergency phones, etc. |