3.8.3 Information Management Policy
All University information must have an associated Information Administrator (IA) who is responsible for its proper management and security, including its appropriate classification.
Information, like other assets, must be properly managed during its lifecycle, from its creation, during authorized use, to proper disposal. As with other assets, not all information has the same use or value, and therefore requires different levels of protection. Just as it is unwise to underprotect a very sensitive document, it is expensive and wasteful to overprotect non-sensitive information. This policy is intended to require appropriate controls for the management of University information resources.
All information will have an Information Administrator (IA) established who will be responsible (perhaps through delegation) for assigning the initial information classification, and who will make all of the decisions (perhaps through delegation) regarding controls, access privileges of Users, retention requirements and daily decisions regarding information management pertaining to that particular information. The Information Security Analyst (ISA) can provide a periodic high-level impact analysis on the information to determine its relative value, risk of compromise, possible legal issues, etc. Based on common sense or the results of an assessment, information should be classified into one of the information classifications discussed below.
The classification will inform the Information Administrator and the Information Security Analyst, and help determine the appropriate level of protection of the information and its associated application software commensurate with the value of the information in that classification. It is important that controls be designed and implemented for both the information and software. It is not sufficient to classify and control information alone. The software, and possibly the hardware on which the information and/or software reside, must also have controls proportionate to the classification of the information that the software manipulates. The Information Administrator is responsible for determining the classification of the information. Working with the Information Security Analyst and the application development team, the Information Administrator must develop appropriate controls for the information, the software, and possibly the hardware.
Information may be classified according to its value, sensitivity, or risk of loss or compromise. The Information Administrator, who may be advised by the Information Security Analyst, determines the classification levels. The classification level helps determine the degree of security standards to be applied and followed by the Information Administrators, Security Administrators, Information Brokers, and Information Users.
The three levels generally used to classify University information are:
- Public Information
- Restricted Access Information
- Confidential Information
1. Public Information
Public Information is any information prepared, owned, used or retained by the University for the purpose of public release and which is not specifically exempt from the disclosure requirements of law.
Generally, only documents specifically created for the public (e.g., press releases, brochures) are considered public information. Release of “public” documents should not impair the University’s ability to fulfill its mission, nor should such release damage the University’s reputation. All other information should be classified as Restricted Access or Confidential. Any unclassified information should be assumed to be at least Restricted Access, and be protected accordingly until the proper information classification can be determined and verified.
Examples of Public Information could include but are not limited to:
- Published University marketing brochures
- Published curriculum information
- Public notices of University public events such as concerts and sporting events
- Employment opportunity bulletins
- University approved Internet web site information
2. Restricted Access Information
The controlling factors for Restricted Access Information are those of confidentiality and integrity. This type of information requires protection from disclosure or alteration by unauthorized persons. Restricted Access Information is restricted to individuals who have been authorized for that information. In most cases access will be limited to specifically authorized University faculty, staff and students. This classification allows access by non-University Users (such as prospective students or vendors) when authorized by the appropriate Information Administrator.
The sensitive nature of some types of Restricted Access information may be difficult to recognize because it is often integrated into daily work and/or course assignments or may be handled by a number of Users. Other types of Restricted Access information may appear to be more obviously sensitive because they have a rather restricted audience. Either way, it is important to maintain the confidentiality and integrity of this information, regardless of whether it is maintained in a paper or electronic form.
Examples of Restricted Access Information could include but are not limited to:
- University course materials, including on-line media where materials should be restricted rather than public **.
- Extended education and online course materials **.
- Prospective student status information accessible to that student.
- Administrative information exchanged with vendors using electronic protocols.
- Research studies being performed in association with other universities **.
- Student and registration information accessible online to that student.
- University organizational charts and job descriptions.
- Approved and widely communicated University business plans.
- Curricula changes or graduation requirements prior to approval.
- University Policy or Procedure Manuals.
- Reports, files or working papers concerning daily academic and administrative activities **.
- Financial statements prior to public announcement or release.
- Travel plans of University faculty or staff.
- Information pertaining to strategic business decisions such as college expansion, new academic programs being considered, etc.
** This policy is to be interpreted to be consistent with the University’s Intellectual Property Policy.
3. Confidential Information
Confidential Information is the strictest data classification used by the University and requires maximum control. Depending on the nature or contents of the Confidential Information, disclosure or alteration of this type of information could cause great harm to an employee, student or the University. Confidential Information requires safeguarding, either due to the requirements of law or because of the mandates of prudent and reasonable practices. Access to Confidential Information is limited to specifically authorized individuals of the University and denied to all others, unless and until directed by an officer of the University and upon advice of legal counsel of the University.
Examples of Confidential Information include but are not limited to:
- Employee Medical Records
- Student information such as grades, medical information, etc.
- Student and employee Social Security Numbers
- Payroll data
- Administratively maintained employee data such as residence address information, employment history, performance reviews, etc.
- Alumni and donor information
- Patient records
There is a need to establish management responsibility and accountability for University Information resources. Unauthorized release or alteration of Restricted Access or Confidential information could have many consequences, ranging from the mundane loss of productivity to extremely serious legal consequences. The compromise of any classified information has the potential to impair the University’s ability to competently and efficiently implement its mission. Release or alteration of medical records could discredit the University’s reputation.