Information Security: Data Classification
Missouri State University classifies its data and use into four (4) levels:
- Level 1: Public Information
- Level 2: Sensitive Information
- Level 3: Restricted Information
- Level 4: National Security Interest
To handle data properly it is important employees know the various data types and what laws or standards, if any, might govern their use. Some data must be kept private under laws such as FERPA (student educational data), HIPAA (personal health information), and HHS Title 45 CFR Part 46 - Protection of Human Subjects (research supported by a federal agency), and some data is governed by industry standards such as PCI-DSS (credit card information). Some data is considered directory information which can be made available to the general public.
To assist in determining how to handle the various forms of information used throughout the campus community, the University has defined four (4) levels of information: Public, Sensitive, Restricted, and National Security Interest.
Level 1: Public Information:
Public data has been explicitly approved for distribution to the public. This information may be freely disseminated without a significant risk of harm to the University or its affiliates.
Examples: Advertising, product and service information, directory information, job postings, and press releases.
Level 2: Sensitive Information:
For non-university employees, explicit approval by the University’s Records Custodian is needed in order to receive access to sensitive information. Sensitive data elements include those which Missouri State protects to mitigate institutional risk, or which has been classified otherwise as Sensitive. Good faith acquisition or distribution of Sensitive Information by or between the University agents or employees for a legitimate purpose is allowed, provided that the information is not used in violation of applicable law or in a manner that harms or poses a reasonable threat to the security, confidentiality or integrity of the personal information. When a risk of identity theft or other fraud is not reasonably likely to occur with an unauthorized disclosure of this information, notification of affected individuals will not be required. Application of this exception will be documented in writing for each event in accordance with RSMo 407.1500.2(5).
Examples: Budget information, departmental policies and procedures, procurement, documentation, research that has not been completed or published, vendor documentation, contracts, and BearPass Number (formerly M-number).
Level 3: Restricted Information:
Restricted information is that which Missouri State has a legal, contractual or proprietary obligation to protect. For university employees, access to restricted data elements is determined by business process. For non-university employees, access shall be determined by the University’s Records Custodian in conjunction with the General Counsel’s office. Unauthorized disclosure of information at this level will often require notification of affected individuals in accordance with applicable statutes, however, the exception noted in Level 2, above, may apply in some circumstances.
Examples: Social Security Numbers, personnel records, credit card numbers, medical records, student data that is not considered directory information, BearPass Login (formerly Private ID) with password, information protected by non-disclosure agreements, and confidential research.
Level 4: National Security Interest (NSI):
National security interest data is data that has been classified by a third party as having the potential to impact national security. Individuals managing or accessing NSI data are responsible for complying with the requirements for levels 1, 2, 3 and 4, National Security Decision Directives and other Federal Government directives for data and systems that are classified. Security procedures are specified by the source agency that provides the information.
Examples: Under the jurisdiction of export control laws or the National Industrial Security Program, conducted for federal agencies concerned with national security, such as the Department of Defense.
Reason or purpose for policy
To establish policy for the classification and use of University data and the responsibilities for the protection of such data. While performing job duties at Missouri State University, all employees will require access to many types of information or data, some of which may be considered sensitive (e.g., budget information) or restricted (e.g., social security numbers). It is important that faculty, staff, graduate assistants and student workers understand their responsibilities for identifying, transmitting, redistributing, storing, or disposing of these levels of information.
Entities affected by this policy
All entities contained in or under the direction of the Missouri State University system.
Line of authority
Responsible administrator and office: Chief Information Officer (CIO)
Contact person in that office: Information Security Officer (ISO)
January 23, 2012