1. Purpose

    This standard establishes the required classification of all university data stored on university resources or other resources where university business occurs. Data owners, stewards, and custodians are to assess information systems to determine what level of security is required to protect data from unauthorized use, including but not limited to acquisition, access, disclosure, retention, and disposal, on the systems for which they are responsible. For the purposes of this standard, the terms "data," "information," and "records" are synonymous.
  2. Scope

    This applies to University data in typed, printed, written, electronic, and/or verbal formats regardless of how data are communicated, how data are transmitted, and/or whether data are saved to storage media (hard drives, DVD/CDs, USB/Thumb drives, etc.).
  3. Standard

    University data are classified as either:
    1. Confidential Data (Category I)
      1. University data protected specifically by federal or state law or Winston-Salem State University rules and regulations (e.g., HIPAA; FERPA; Sarbanes-Oxley; Gramm-Leach-Bliley; the North Carolina Identity Theft Statute; specific donor and employee data).
      2. University data that are not otherwise protected by a known civil statute or regulation, but which must be protected due to contractual agreements requiring confidentiality, integrity, or availability considerations (e.g., Non-Disclosure Agreements, Memoranda of Understanding, Service Level Agreements, Granting or Funding Agency Agreements, etc.).
      3. Examples of Information
        1. Social Security Numbers
        2. Credit Card Info
        3. Personal Health Info
        4. Student Records
        5. Crime Victim Information
        6. Library Transactions
        7. Court Sealed Records
        8. Access Control Credentials
    2. Controlled Data (Category II)
      1. University data not otherwise identified as Category-I data, but which are releasable in accordance with the North Carolina Public Records Statute (e.g., contents of specific e-mail, date of birth, salary, etc.). Such data must be appropriately protected to ensure a controlled and lawful release.
      2. Examples of Information
        1. Performance Appraisals
        2. Employee Dates of Birth
        3. Employee Email Addresses
        4. Donor Information
        5. Voicemail
        6. Contents of Email
        7. Unpublished Research
    3. Public Data (Category III)
      1. University data not otherwise identified as Category-I or Category-II data (e.g., data that are already publicly available). Such data have no requirement for confidentiality, integrity, or availability.
      2. Examples of Information
        1. Job Postings
        2. Service Offerings
        3. Published Research
        4. Directory Information
        5. Degree Programs
        6. General information about University products and services
    4. Confidential and Controlled Data will require varying security measures appropriate to the degree to which the loss or corruption of the data would impair the business or research functions of the University, result in financial loss, or violate law, policy or University contracts.
  4. Roles of Responsible Personnel for Classified Data Sets

    The University senior administration delegates the authority to manage owned electronic assets to the appropriate levels of management. These managers have a responsibility to provide or assign stewardship over these assets directly. The roles of responsible personnel involved in the security framework for classified information sets are:
    1. Owner

      Data Owners are senior University officials (or their designees) who have planning and policy-level responsibility for data within their functional areas and management responsibilities for defined segments of institutional data. Responsibilities include assigning data stewards, participating in establishing policies, and promoting data resource management for the good of the entire University.
    2. Steward

      Data stewards are University officials having direct operational-level responsibility for information management, usually department directors. Data stewards are responsible for data access and policy implementation issues.
    3. Custodian

      The custodian is responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system users as authorized by data owners or their designees (usually the data stewards), and implementing and administering controls over the information.
    4. User

      With respect to data, Users are individuals who need and use University data as part of their assigned duties or in fulfillment of assigned roles or functions within the University community. Individuals who are given access to sensitive data hold a position of special trust and as such are responsible for protecting the security and integrity of those data.