Data Classification

Data classification is the practice of assigning sensitivity levels to institutional data so that risk can be managed and protective resources prioritized. By identifying data whose exposure, loss, or unauthorized modification would cause significant harm to the institution, the College can manage risk and its outcomes proactively. These harms take the form of financial, reputational, and personnel costs.

Definitions

Information Owner/Steward

The information owner/steward is an organizational official with statutory, management, or operational authority for specified information and the responsibility for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal. In information-sharing environments, the information owner/steward is responsible for establishing the rules for appropriate use and protection of the subject information (e.g., rules of behavior) and retains that responsibility even when the information is shared with or provided to other organizations. At STLCC, information owners and stewards are administrators and directors in data domains that are subject to statutory compliance.

Information System Owner

The information system owner is an organizational official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system. The information system owner is responsible for addressing the operational interests of the user community (i.e., users who require access to the information system to satisfy mission, business, or operational requirements) and for ensuring compliance with information security requirements. In coordination with the information system security officer, the information system owner is responsible for the development and maintenance of the security plan and ensures that the system is deployed and operated in accordance with the agreed-upon security controls. In coordination with the information owner/steward, the information system owner is also responsible for deciding who has access to the system (and with what types of privileges or access rights) and ensures that system users and support personnel receive the requisite security training (e.g., instruction in rules of behavior).

Data Classification Levels

St. Louis Community College classifies data into three categories: High Risk, Moderate Risk, and Low Risk.

Data and systems are classified as High Risk if statutory requirements govern their disclosure to third parties. Legal or contractual frameworks exist that set out the steps required to protect this data. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on the college’s mission, safety, finances, or reputation.

Examples

  • Credit card numbers and CVV codes
  • Bank account numbers/Direct Deposit information
  • Personally identifiable information (PII)
  • Social security numbers
  • Student course schedules
  • Student grade reports and transcripts

Missouri's data breach notification statute (RSMo § 407.1500) defines personal information as an individual's first name or first initial and last name in combination with one or more of the following data elements, where that element has not been encrypted, redacted, or otherwise made unreadable or unusable: a social security number; a driver's license number or other unique identifier created or collected by a government body; a financial account number together with any access password; a unique electronic identifier together with any required code that would permit access to a financial account; medical information; or health insurance information. Note that the name alone, or the data element alone, does not meet the definition; it is the combination, in unprotected form, that triggers the statute.

Data and systems are classified as Moderate Risk if the data is intended only for internal college use. The loss of confidentiality, integrity, or availability of the data or system could have a mildly adverse impact on the college’s mission, safety, finances, or reputation.

Examples

  • Research data
  • Security information
  • Employment data
  • Home phone numbers and home addresses
  • Spouse’s or other relatives’ names
  • Citizenship information
  • Birth date

Data and systems are classified as Low Risk if they are not considered to be Moderate or High Risk or the data is intended for public disclosure. The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on the college’s mission, safety, finances, or reputation.

Examples

  • Campus maps
  • Staff and student directory information
  • MySTLCC IDs
  • Job postings
  • Policies and procedures

Applying Data Classification

Information owners and stewards determine classification levels. A data store is classified according to the most sensitive data it contains (a high-water mark), so a single High Risk element makes the whole store High Risk. Federal Information Processing Standards Publication 199 (“FIPS 199”), published by the National Institute of Standards and Technology (NIST), describes how to categorize information and systems by the impact that a loss of confidentiality, integrity, or availability would have; the overall security category is the highest impact level across those three objectives. As impact escalates, so too does data classification.
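The high-water-mark rule above is mechanical enough to automate. The following Python is an added example, not part of the College's policy or tooling: it computes a FIPS 199 style security category for a data store from the elements it holds, taking the highest impact per objective and then the highest across objectives, and maps the result onto the High/Moderate/Low Risk labels. The inventories, the impact levels assigned to each element, and the mapping from FIPS 199 levels to the College's labels are illustrative assumptions.

```python
"""FIPS 199 high-water-mark categorization of a data store.

Added example, not part of the STLCC policy. The inventories below and the
impact levels assigned to each element are constructed for illustration;
the mapping of the overall FIPS 199 level onto High/Moderate/Low Risk is
an assumption that follows the policy's description, not a published table.
"""
from dataclasses import dataclass
from typing import Iterable

# FIPS 199 impact levels, ordered so that the highest sorts last.
LEVELS = ("low", "moderate", "high")
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Assumed mapping from the overall FIPS 199 level to the College's labels.
CLASSIFICATION = {"low": "Low Risk", "moderate": "Moderate Risk", "high": "High Risk"}


@dataclass(frozen=True)
class DataElement:
    """One kind of data held in a store, with its per-objective impact."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective: str) -> str:
        return getattr(self, objective)


def highest(levels: Iterable[str]) -> str:
    """High-water mark: the highest impact level in the sequence."""
    return max(levels, key=LEVELS.index)


def categorize(elements: list[DataElement]) -> dict[str, str]:
    """Compute the FIPS 199 security category of a data store.

    Each objective takes the highest impact of any element in the store, and
    the overall level is the highest of the three objectives, so a single
    High Risk element is enough to make the whole store High Risk.
    """
    if not elements:
        raise ValueError("a data store with no elements cannot be categorized")
    for element in elements:
        for objective in OBJECTIVES:
            level = element.impact(objective)
            if level not in LEVELS:
                raise ValueError(f"{element.name}: unknown {objective} impact {level!r}")
    sc = {obj: highest(e.impact(obj) for e in elements) for obj in OBJECTIVES}
    sc["overall"] = highest(sc[obj] for obj in OBJECTIVES)
    return sc


def classify_store(elements: list[DataElement]) -> str:
    """Map the store's overall FIPS 199 level onto the College's risk labels."""
    return CLASSIFICATION[categorize(elements)["overall"]]


def format_sc(sc: dict[str, str]) -> str:
    """Render the category in FIPS 199 notation: SC = {(C, x), (I, y), (A, z)}."""
    return "SC = {" + ", ".join(f"({obj}, {sc[obj].upper()})" for obj in OBJECTIVES) + "}"


# Constructed inventories; the impact levels are illustrative assumptions.
REGISTRAR_DB = [
    DataElement("campus maps", "low", "low", "low"),
    DataElement("student directory information", "low", "low", "low"),
    DataElement("grade reports and transcripts", "high", "high", "moderate"),
]
PUBLIC_SITE = [
    DataElement("campus maps", "low", "low", "low"),
    DataElement("job postings", "low", "low", "low"),
]
HR_CONTACT_LIST = [
    DataElement("home phone numbers and addresses", "moderate", "moderate", "low"),
    DataElement("spouse and relative names", "moderate", "low", "low"),
]

if __name__ == "__main__":
    stores = (("registrar database", REGISTRAR_DB),
              ("public web site", PUBLIC_SITE),
              ("HR contact list", HR_CONTACT_LIST))
    for label, store in stores:
        print(f"{label}: {format_sc(categorize(store))} -> {classify_store(store)}")
```

The registrar store illustrates the point of the rule: two of its three elements are Low Risk, but the transcripts element carries high confidentiality and integrity impact, so the store as a whole is High Risk and must be protected accordingly.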
