Data Classification Standard
During the 87th State Legislative session, SB 475 required the appointment of agency data management officers. From the state chief data management officer’s website:
With the passing of Senate Bill (SB) 475 during the 87th Legislative session, there is continued emphasis on data governance and management for state agencies and institutions of higher education. SB 475 requires the appointment of a designated data management officer for agencies above the threshold of 150 full time employees.
Data Management Officer:
Matthew Lauterbach
Director of DevSecOps & Data Management Officer
Information Technology
West Texas A&M University
mlauterbach@wtamu.edu
806-651-1240
Section 1. Purpose
Data classification is a system for organizing information and resources based on the sensitivity and potential impact of the data they contain. This system can help units distribute resources, prioritize the selection and placement of security controls, and ensure that systems containing sensitive information meet basic security standards. In classifying data, West Texas A&M University:
- Uses a risk-based approach to help information resource owners and users identify the data they use, understand its level of sensitivity, and learn how best to secure it.
- Seeks to balance protecting the confidentiality, integrity, and availability of university data with the need for collaboration and sharing of knowledge across campus and the world.
Section 1. Applicability
The data classifications listed in these controls apply to all West Texas A&M University data, regardless of its origin or location. This includes stored, processed, or transmitted data on any information resources used for university business. This covers all university-owned information resources and resources managed by state agencies or third-party entities such as business associates, cloud service providers, vendors, or contractors.
Section 1. Implementation
- It is the responsibility of anyone who has university data in their possession or under their direct control to ensure that appropriate risk mitigation measures are in place to protect such data from unauthorized exposure.
- In coordination with information resource owners, the university ISO is responsible for developing and publishing a set of controls that addresses the classification and management of university data.
- When a specific set of data is classified as fitting within a combination of two or more of the data classifications, that data shall be managed according to the more restrictive classification.
- Under this data classification model, data is classified in accordance with federal and state regulations, System standards, and other contractual requirements. This data classification model does not supersede any state or federal government classifications.
- West Texas A&M University data shall be classified into one of three classification levels, each of which implies an increasing level of sensitivity and subsequently requires increasingly strict security controls:
  - Public. Data that is openly available to the public. Few restrictions are placed on this type of data.
  - University-Internal. Data that may be accessed by eligible employees in the course of university business. This data may be releasable to the public upon request but requires protection and evaluation to ensure lawful release.
  - Confidential. Data that is restricted because of legal, ethical, or other constraints and may not be accessed without specific authorization. Improper release would have a significant adverse impact on the university and may be subject to notification requirements.
Section 2. Roles & Responsibilities
West Texas A&M University data is not owned by a single individual but is a university asset that is owned by the institution and entrusted to appropriate individuals for their care. Understanding these roles and their relationship to the data they oversee is critical for ensuring good governance of university data. This is true of all types of university data, including research data, unless a legally binding agreement exists with different terms and conditions. The roles and responsibilities described in this control apply to all individuals who handle university data, regardless of their relationship to the university. This includes, but is not limited to, students, employees, affiliates of the university, and third parties (e.g., business associates, cloud service providers, vendors, or contractors).
Section 2. Implementation
Individuals interact with university data through four roles: data steward, manager, custodian, or user. Each of these roles has a unique set of responsibilities with regard to the data under their care. Individuals may simultaneously hold multiple roles, even for the same dataset. The university-defined role of Data Steward corresponds to the state-defined role of Information Owner as found in Texas Administrative Code §202.1.
Section 2. A Data Steward describes an individual with a role title for representing information—usually for a specific information type, business sector, or business function—for university-wide information governance purposes. Data stewards are institutional officers who have management and policy-making authority over their specific data subject areas, including the business definitions of data and the access and use of that data across the university. An example of a Data Steward in the student data domain is the University Registrar; an example in the financial/budget data domain is the VP for Business & Finance/CFO. Data Stewards are responsible to:
- Ensure that information systems that store or process university data comply with university security controls and all applicable federal and state regulations.
- Periodically review the data under their care to ensure the classification remains accurate.
- Provide a complete and accurate inventory of the data under their care, including any information resources storing it, to Information Technology Services.
- Remediate or mitigate risks related to data under their care identified through the annual information security risk assessment process.
- Report any known or suspected instances of inappropriate access or unauthorized disclosure to the Information Security Officer in accordance with the requirements described in Incident Response.
- Appoint Data Managers for their data subject areas.
Section 2. Data Managers are responsible for the day-to-day quality and integrity of a defined dataset. Data Managers evaluate and authorize requests for access to the data and are responsible for protecting the data from misuse or mismanagement. Data Managers are assigned these responsibilities by a Data Steward over a particular data domain and may act as a delegate of the Data Steward for routine purposes. An example of a Data Manager in the student data domain is the manager of a college advising office; an example of a Data Manager in the research data domain is the Principal Investigator of a sponsored research grant. Data Managers are responsible to:
- Ensure that information systems that store or process university data remain compliant with university security controls and all applicable federal and state regulations.
- Maintain a complete and accurate inventory of the data under their care to ensure the classification remains accurate, including any information resources storing that data.
- Establish procedures to protect the quality and integrity of assigned datasets.
- Evaluate and authorize (or deny) requests for access to assigned datasets.
- Advise the Data Steward regarding appropriate procedures for data management.
- Ensure that known or suspected instances of inappropriate access or unauthorized disclosure are reported to the Data Steward and the ISO in accordance with the requirements described in Incident Response.
- Identify data recovery objectives for assigned datasets in accordance with risk management decisions.
- Coordinate with Data Custodians to implement security controls required by the West Texas A&M Controls Catalog.
- Delegate authority to Data Custodians as appropriate for data administration.
Section 2. Data Custodians are typically information technology professionals who manage the information systems that store and process university data. Data Custodians develop and implement technology infrastructure to support the functional needs of a data domain and implement technical security controls to ensure the confidentiality, integrity, and availability of the data under their care. Data Custodians are responsible to:
- Assist Data Stewards and Data Managers in classifying university data and information resources according to the university data classification standards.
- Identify or assist Data Managers in identifying information resources containing university data.
- Implement security controls required by the West Texas A&M Controls Catalog.
- Follow system monitoring procedures described in Audit and Accountability.
- Follow incident reporting guidelines as described in Incident Response.
- Ensure university data is recoverable in accordance with risk management decisions.
Section 2. A Data User refers to any individual (student, employee, or affiliate of the university) who interacts with university data. Data Users are responsible to:
- Access university data only in the course of official university business and in ways consistent with the university’s mission.
- Only disclose or release university data to others as required by their job responsibilities, under the direction of a Data Manager.
- Respect the confidentiality and privacy of individuals whose records they may access.
- Promptly report any known or suspected instances of inappropriate access or unauthorized disclosure of university data to a Data Custodian, Data Manager, or Data Steward, or directly to Information Technology Services at itsc@wtamu.edu.
Section 3. Public Data
Public data is the lowest data classification level and includes publicly available data. This may include low-sensitivity data, which is openly distributed and presents no risk to the university, such as official university communications and public announcements. Most data hosted on publicly accessible websites falls into this classification level. Few restrictions are placed on this type of data. Examples of Public data include, but are not limited to:
PERSONAL DATA
- Public directory information for employees and/or departments.
- Directory information for students who have not requested a FERPA block.
- Intercollegiate sports information (team rosters, schedules, etc.).
RESEARCH DATA
- Research publications not under embargo.
ADMINISTRATIVE DATA
- Data intended for distribution on a publicly accessible website.
- Official university communications and public announcements.
Section 3. Implementation
Section 3.1 ACCESS
- Access to Public data shall be limited to those with a documented business need, as determined by the Data Steward or a Data Manager.
- Individuals authorized to post information onto a publicly accessible information resource must be designated by the Data Steward or a Data Manager and trained to ensure the posted data does not contain nonpublic data.
- Data posted to a publicly accessible information resource must be reviewed periodically to ensure that nonpublic data is not included and to remove any nonpublic data if found.
Section 3.2 STORAGE
- The impact level of the resources should be carefully considered for all information resources that store or process Public information. Moderate and high-impact information resources must reside in a West Texas A&M enterprise data center.
- There are no requirements for the encryption of public data at rest.
Section 3.3 TRANSMISSION
- There are no requirements for the encryption of public data in transit.
Section 3.4 MONITORING
- Information systems containing Public data should enable effective logging and monitoring of system and security events.
Section 3.5 INCIDENT REPORTING
- Any known or suspected instance of unauthorized access or use of public data must be reported to the University ISO.
Section 3.6 DISPOSAL
- Information resources containing public data must be sanitized prior to disposal or surplus.
Section 4. University-Internal Data
University-Internal data is information that may be accessed by eligible employees in the course of university business. This information is not generally created for or made available for public consumption, but it may be subject to public disclosure through the Texas Public Information Act or similar laws. Such data must be appropriately protected to ensure lawful release. Examples of University-Internal data include, but are not limited to:
PERSONAL DATA
- Standalone employee information that is not paired with another personal identifier (not defined as Sensitive Personal Information by Texas Government Code §521.002).
- Personal contact information (email address, telephone number, etc.).
FINANCIAL DATA
- University budget information
RESEARCH DATA
- General research information.
- Certain types of data associated with research activities but outside the definition of research data: preliminary analyses, drafts of scientific papers, plans for future research, peer reviews, or communications with colleagues.
- Patent applications and work papers.
ADMINISTRATIVE DATA
- Non-public administrative or operational data (e.g., employee evaluations, asset listings and locations, emergency contact information, etc.).
- Building plans and information about the university's physical plant.
- Unit internal policies, procedures, and/or standards.
- Internal meeting information, working notes or documents.
- Proprietary training materials.
Section 4. Implementation
Section 4.1 ACCESS
- Access to University-Internal data shall be limited to those with a documented business need, as determined by the Data Steward or a Data Manager.
- Any University-Internal data must be removed from associated media before equipment is removed from university facilities for off-site maintenance or repair.
Section 4.2 STORAGE
- For all information resources that store or process University-Internal information, the impact level of the resources should be carefully considered. Moderate and high-impact information resources must reside in a West Texas A&M data center.
- There are no requirements for the encryption of University-Internal data at rest.
Section 4.3 TRANSMISSION
- University-Internal data must be encrypted in transit.
- University-Internal data transmitted in an email message must be encrypted.
Section 4.4 MONITORING
- Information systems containing University-Internal data must enable effective logging and monitoring of system and security events.
Section 4.5 INCIDENT REPORTING
- Any known or suspected unauthorized disclosure of University-Internal data must be reported to the University ISO.
- Any known or suspected instance of unauthorized access or use of University-Internal data must be reported to the University ISO.
Section 4.6 DISPOSAL
- Information resources containing University-Internal data must be sanitized prior to disposal or surplus.
Section 5. Confidential Data
This classification level is used for data that is restricted because of legal, ethical, or contractual constraints and should not be accessed without specific authorization. Improper release of data in this category would have a significant adverse impact on the university. Data in this category is often specifically protected by federal or state law and may be subject to state or federal breach notification requirements. Data in this category is generally not subject to release under open records laws. Examples of confidential data include, but are not limited to:
PERSONAL DATA
- Student information covered under the Family Educational Rights and Privacy Act (FERPA).
- Sensitive personal information as defined by Texas Government Code §521.002
- Government-issued identification numbers (e.g., SSN, driver's license, passport numbers)
HEALTH DATA
- Protected health information covered under the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
- Personal health records not otherwise covered under HIPAA (e.g., HR records for individuals with disabilities)
FINANCIAL DATA
- Individual financial information subject to Gramm-Leach-Bliley Act (GLBA)
- Data that falls under the European Union General Data Protection Regulation (GDPR)
- Financial records, including account numbers (e.g., bank account numbers, debit or credit card numbers) and tax records
RESEARCH DATA
- Export controlled information covered under the International Traffic in Arms Regulation (ITAR) or Export Administration Regulations (EAR)
- Human subject data and IRB-controlled research data
ADMINISTRATIVE DATA
- Records pertaining to information security processes and protocols.
- Authentication credentials or verifiers (e.g., passwords, passphrases, biometric information, private encryption keys, etc.)
- Research Compliance & Administration records (contracts, grants, IRB documentation)
- Recordings or data from surveillance cameras.
Section 5. Implementation
Section 5.1 ACCESS
- Access to Confidential data shall be limited to those with a documented business need, as determined by the Data Steward or a Data Manager.
- Access to Confidential data must be granted only by explicit authorization. Documentation of that authorization shall be maintained by the Data Steward or a Data Manager.
- Access to Confidential data must be managed, monitored, and logged.
- Access logs should be available for auditing and review and retained for a time sufficient to support investigations of information security events.
- Any mobile computing device containing Confidential data must be protected from unauthorized access by passwords or other means.
- Multifactor authentication is required to access Confidential data across the network.
- Any Confidential data must be removed from associated media before equipment is removed from university facilities for off-site maintenance or repair.
Section 5.2 STORAGE
- All information resources that store or process confidential information are defined as moderate impact resources at a minimum. Those information resources must reside in a West Texas A&M enterprise data center.
- Confidential data must be encrypted in storage.
- Any removable computer media containing Confidential data must be encrypted.
- Computer media containing Confidential data must be protected prior to release to a third party.
- Unattended devices containing Confidential data must be kept physically secured.
- Any information resource containing Confidential data must be encrypted, updated, and protected with anti-virus software and a personal firewall—even personally owned equipment.
- Information resources containing Confidential data must implement a documented change control process
Section 5.3 TRANSMISSION
- Confidential data must be encrypted in transit.
- Confidential data transmitted in an email message must be encrypted.
Section 5.4 MONITORING
- Information systems containing Confidential data must enable effective logging and monitoring of system and security events.
- Security logs must be protected from tampering and unauthorized access.
- Security logs must be retained for a time sufficient to support investigations of security events.
- Information resources containing Confidential data must use data loss prevention software that is provided and managed by Technology Services.
Section 5.5 INCIDENT REPORTING
- Any known or suspected unauthorized disclosure of Confidential data must be reported to the ISO.
- Any known or suspected instance of unauthorized access or use of Confidential data must be reported to the ISO.
Section 5.6 DISPOSAL
- Information resources containing Confidential data must be sanitized prior to disposal or surplus.
Related Documents:
- 29-01-99-W1-Information-Resources-230831.pdf (wtamu.edu)
- Information Security Controls Catalog (wtamu.edu)
- Family Educational Rights and Privacy Act (FERPA) | WTAMU
- Patient Rights and Confidentiality | WTAMU
- Gramm Leach Bliley Act (wtamu.edu)
- General Data Protection Regulation | WTAMU
- PCI-DSS
- Data Sharing Best Practices
- Classifying Data with Sensitivity Labels
- TAMUS Artificial Intelligence Guidelines