Data Classification and Protection Policy
Version 3.0
For Students, Faculty, Staff, Guests, Alumni
Purpose
The purpose of this policy is to establish a framework for classifying institutional data based on its level of sensitivity, value, and criticality to the University. Classification will aid in determining baseline security controls for the protection of data.
Scope
This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrators, staff, alumni, authorized guests, delegates, and independent contractors (the "User(s)" or "you") who use, access, or otherwise employ, locally or remotely, the University's IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- All University data must be classified into one of three classifications after the creation or acceptance of ownership by the University: Fordham Protected Data, Fordham Sensitive Data, or Public Data.
- Data classification will aid in determining security controls for the protection and use of data to ensure:
- The University's statutory, regulatory, legal, contractual, and privacy obligations are met,
- Government and regulatory agency reporting is conducted per any legislative, regulatory, and legal requirements,
- The University's proprietary data is protected as required,
- Data is appropriately available for decision-making as required, and
- Relevant data and information are shared (including third parties) with the necessary safeguards.
- If data is created jointly by more than one department, all involved departments must cooperatively classify the data. If the departments are unable to agree on the classification, the data is classified as Fordham Sensitive Data and remains designated as Fordham Sensitive Data until the Data Owners reach an agreement to reclassify the data or until administrators (e.g., Data Standards Committee, area Vice Presidents) with authority adjusts the classification.
- Data owners must assess the level of risk according to the probability that harm will occur and the extent of that harm should the data be lost, stolen, or accessed by unauthorized parties.
- Departments are responsible for implementing appropriate managerial, operational, physical, and technical controls for access to, use of, transmission of, and disposal of University data in compliance with this and related policies.
Definitions
Data Classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact on the University should that data be disclosed, altered, or destroyed without authorization.
Data Owner(s) are responsible for the information, security, and use of a particular set of information.
Fordham Protected Data is any data that contains Personally Identifiable Information (PII) or Personal Data concerning any individual. Fordham Protected data includes data regulated by local, state, Federal, the European Union (EU), or other statutes/agreements. These regulations may include, but are not limited to:
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standards (PCI DSS)
- General Data Protection Regulation (GDPR)
- Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)
Fordham Protected Data is also designated or described by voluntary industry standards or best practices concerning protecting such data that the University chooses to follow.
Fordham Sensitive Data is based on departmental/internal standard operating procedures (e.g., budgets, payroll, or properties that Fordham may be interested in purchasing).
IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.
Personal Data is any information relating to a natural person (data subject) that can directly or indirectly identify that person. Examples include a name, an identification number, location data (e.g., mailing address, IP address), an online identifier (e.g., cookies), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. The GDPR does not apply to data rendered anonymous (individuals cannot be identified from the data) or pseudonymous (provided that the "key" that enables the re‑identification of individuals is kept separate and secure).
Personally Identifiable Information is information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date, and place of birth, mother's maiden name, any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information, driver's license number or non-driver identification card number, account number, credit, or debit card number in combination with other identifiable data, biometric information such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation, and username or email address in combination with a password or security question.
Public Data may be disclosed to any person regardless of affiliation with the University. It is data that does not contain PII or Personal Data concerning any individual, not Fordham Protected data or Fordham Sensitive data.
Related Policies and Procedures
- Data Classification Guidelines
- Data Standards Manual
- Family Educational Rights and Privacy Act (FERPA) Policy
- HIPAA (Health Insurance Portability and Accountability Act of 1996)
- Merchant Credit Card Acceptance Policy
- Privacy Policy
- Third-Party Data Transfer Policy
Implementation Information
| Review Frequency | Annual |
|---|---|
| Responsible Person | Senior Director of IT Security and Assurance |
| Approved By | CISO |
| Approval Date | June 12, 2019 |
Revision History
| Version | Date | Description |
|---|---|---|
| 1.1 | 01/15/2016 | Supersedes January 1, 2012 |
| 1.2 | 06/12/2019 | Policy statement update, definition changes |
| 2.0 | 07/15/2020 | Policy name change, policy statement update, purpose statement update, definition changes, added SHIELD Act |
| 2.1 | 07/26/2021 | Updated purpose statement |
| 2.2 | 07/26/2022 | Updated policy statement |
| 2.3 | 05/30/2023 | Updated definitions |
| 3.0 | 08/30/2023 | Updated policy statement, definitions, disclaimer, and links |
| 03/19/2024 | Updated links |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.