IT Guideline for High Risk Data
Data and systems are classified as High Risk if there are statutory requirements governing its disclosure to third parties. Legal or contractual frameworks exist that outline the steps necessary to protect this data. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on the college’s mission, safety, finances, or reputation.
Scope
This guideline applies to all St. Louis Community College information resources and users of STLCC information resources.
Guideline
High-risk data shall be collected for only specified, explicit, and legitimate purposes. Any collection of high-risk data limited to what is necessary and adequate for the intended purpose.
High-risk data shall be protected in a way that reduces the likelihood of unauthorized access and modification. The following protections are required, unless there is a documented exception for a legitimate business need, approved by College administration:
- Electronic storage of high-risk data shall be encrypted.
- Transmission of high-risk data shall be encrypted.
- Systems storing and/or transmitting high-risk data must comply with the IT standard for securing high-risk systems.
- Exchanging high-risk data with third-parties must be governed by a contractual agreement outlining security responsibilities that has been approved by General Counsel.
- High-risk data shall not be stored on removable media (USB, thumb-drives, CDs, DVDs, etc.) except as required by law. When required by law, high risk data on removable media shall be encrypted.
- High-risk data shall only remain on systems if required by law or required for a legitimate business purpose. When no longer necessary, high-risk data must be removed and/or destroyed.
- High-risk data shall not be transmitted over email or other electronic messaging systems unless required by law. When required by law, high risk data in email and electronic messaging systems shall be encrypted.
- High-risk data shall be altered or randomized in testing, and research and development environments.
- Access to high-risk data on print media shall be restricted to individuals with a legitimate business need to know.
- Media (electronic, or physical) containing high-risk data that is leaving the institution’s control must be destroyed in accordance with NIST Special Publication 800-88 “Clear” standards as a minimum safeguard.