
Data Classification Policy

Version 1.2

Purpose

The purpose of this policy is to establish a framework for classifying institutional data based on its level of sensitivity, value, and criticality to the University. Classification of data will aid in determining baseline security controls for the protection of data.

Scope

This IT policy, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • University-wide data classification is assigned only by the Office of the President, Enrollment Management, Academic Affairs, the Office of Legal Counsel, or Institutional Research.
  • All University data must be classified into one of three sensitivity classifications after the creation or acceptance of ownership by the University: Fordham Protected data, Fordham Sensitive data, or Public data.
  • Data classification will aid in determining baseline security controls for the protection and use of data in order to ensure:
    • The University’s statutory, regulatory, legal, contractual and privacy obligations are met;
    • The University’s proprietary data is kept confidential to the institution as required;
    • Data is appropriately available for internal decision making as required;
    • Government and regulatory agency reporting is conducted in accordance with any legislative, regulatory and legal requirements; and
    • Appropriate data and information are shared with the necessary safeguards to third parties.
  • If data is created jointly by more than one department, all involved departments will cooperatively classify the data. If the departments are unable to agree on the classification, the data is classified as Fordham Sensitive data and remains designated as Fordham Sensitive data until the data owners reach an agreement to reclassify the data or until an administrator with authority establishes the classification.
  • Data owners must assess the level of risk according to the magnitude of harm and the probability that harm will occur should the data be lost, stolen, or accessed by unauthorized parties.
  • Departments are responsible for implementing appropriate managerial, operational, physical, and technical controls for access to, use of, the transmission of, and disposal of University data in compliance with this and related policies.
  • Fordham Protected data requires the highest level of protection. All other data is classified as Fordham Sensitive data by default.

Definitions

Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the University should that data be disclosed, altered or destroyed without authorization.

Fordham Protected data is any data that contains Personally Identifiable Information (PII) or Personal Data concerning any individual. Fordham Protected data includes data that is regulated by local, state, Federal, European Union (EU), or other statutes/agreements, as well as data designated or described by voluntary industry standards or best practices concerning the protection of such data that the University chooses to follow. These regulations may include, but are not limited to:

  • Family Educational Rights and Privacy Act (FERPA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Payment Card Industry Data Security Standards (PCI DSS)
  • General Data Protection Regulation (GDPR)

Fordham Sensitive data is based on departmental/internal standard operating procedures (e.g., budgets, payroll, or properties that Fordham may be interested in purchasing).

IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Personal Data is any information relating to a natural person (data subject), that can directly or indirectly identify that person. Examples include a name, an identification number, location data (e.g., mailing address or IP address), an online identifier (e.g., cookies) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The GDPR does not apply to data rendered anonymous (individuals cannot be identified from the data) or pseudonymous (provided that the “key” that enables re‑identification of individuals is kept separate and secure).

Personally Identifiable Information (PII) is information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Public data may be disclosed to any person regardless of their affiliation with the University. It is data that does not contain PII or Personal Data concerning any individual and is not Fordham Protected data or Fordham Sensitive data.

Implementation Information

Review Frequency:   Annual
Responsible Person: Director, IT Risk and Data Integrity
Approved By:        CISO
Approval Date:      June 12, 2019

Revision History

Version   Date         Description
1.1       01/15/2016   Supersedes the January 1, 2012 version
1.2       06/12/2019   Policy statement and definition changes

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Willful failure to adhere to UISO written policies may be met with University sanctions.