Data Classification and Security Policy
Chapter 3433
Issued: 08/2009
Revised/Reviewed: 01/2023, 05/2024
Table of Contents
.010 Purpose
.020 Scope
.030 Effective Date
.040 Authority
.050 Policy
.052 Data Classification Schema
.054 Data Security Standards
.056 Contracts with Third Parties
.060 Definitions
.070 Roles and Responsibilities
.090 Related Laws, Regulations, or Policies
.100 Questions/Waivers
.010 Purpose
Data and information are important assets of the university and must be protected from loss of integrity, confidentiality, or availability in compliance with university policy and guidelines, Board of Regents policy, and state and federal laws and regulations.
.020 Scope
This policy applies to all university colleges, departments, administrative units, and affiliated organizations. For the purposes of this policy, affiliated organization refers to any organization associated with the University that uses university information technology resources to create, access, store, or manage University Data to perform their business functions. It also applies to any third party vendor creating, storing, or maintaining University Data per a contractual agreement.
.030 Effective Date
This policy became effective on February 2, 2009
All new systems designed and implemented after September 1, 2009, must comply with the security standards in section .054 below. Data stewards must have a compliance plan for all systems with confidential data by January 1, 2011.
.040 Authority
The State of Kansas, ITEC Information Technology Security Standards Policy 7230A, Section 11 Data Protection Standard (PDF), requires state agencies, including Regents' institutions, to employ mechanism(s) to ensure the confidentiality, availability, and integrity of Restricted-Use Information.
.050 Policy
All University Data must be classified according to the K-State Data Classification Schema and protected according to K-State Data Security Standards. This policy applies to data in all formats or media.
.052 Data Classification Schema
Data and information assets are classified according to the risks associated with data being stored or processed. Data with the highest risk need the greatest level of protection to prevent compromise; data with lower risk require proportionately less protection. Three levels of data classification will be used to classify University Data based on how the data are used, its sensitivity to unauthorized disclosure, and requirements imposed by external agencies.
Data are typically stored in aggregate form in databases, tables, or files. In most data collections, highly sensitive data elements are not segregated from less sensitive data elements. For example, a student information system will contain a student's directory information as well as their social security number. Consequently, the classification of the most sensitive element in a data collection will determine the data classification of the entire collection.
K-State Data Classifications
- Public - Data explicitly or implicitly approved for distribution to the public without restriction. It can be freely distributed without potential harm to the University, affiliates, or individuals. Public data generally have a very low sensitivity since by definition there is no such thing as unauthorized disclosure, but it still warrants protection since the integrity of the data can be important. Examples include:
- K-State's public web site.
- Directory information for students, faculty, and staff except for those who have requested non-disclosure (e.g., per the Family Educational Rights and Privacy Act (FERPA) for students).
- Course descriptions.
- Semester course schedules.
- Press releases.
- Internal - Data intended for internal University business use only with access restricted to a specific workgroup, department, group of individuals, or affiliates with a legitimate need. Internal data are generally not made available to parties outside the K-State community. Unauthorized disclosure could adversely impact the University, affiliates, or individuals. Internal data generally have a low to moderate sensitivity. Examples include:
- Financial accounting data that does not contain confidential information.
- Departmental intranet.
- Information technology transaction logs.
- Employee ID number ("W0...").
- Student educational records.
- Directory information.
- Confidential- Highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need-to-know. Explicit authorization by the Data Steward is required for access because of legal, contractual, privacy, or other constraints. Unauthorized disclosure could have a serious adverse impact on the business or research functions of the University or affiliates, the personal privacy of individuals, or on compliance with federal or state laws and regulations or University contracts. Confidential data have a very high level of sensitivity. Examples include:
- Social Security Number.
- Student ID number (if it is the same as the Social Security Number).
- Credit card number.
- Personal identity information (PII). K.S.A. § 21-6107: Crimes involving violations of personal rights defines PII as including, but not limited to: an individual's name; date of birth; address; telephone number; driver's license number or card or nondriver's identification number or card; social security number or card; place of employment; employee identification numbers or other personal identification numbers or cards; mother's maiden name; birth, death or marriage certificates; electronic identification numbers; electronic signatures; and any financial number, or password that can be used to access a person's financial resources, including, but not limited to, checking or savings accounts, credit or debit card information, demand deposit or medical information. For K-State's purposes, PII also includes ones name in combination with a passport number.
- Passport number.
- Personnel records.
- Medical records.
- Authentication tokens (e.g., personal digital certificates, passwords, biometric data).
- Proprietary Data - Classification of data provided to or created and maintained by K-State on behalf of a third party, such as a corporation or government agency, will vary depending on contractual agreements and/or relevant laws or regulations. The classification and security standards for proprietary data owned by the third party will be defined by the third party. Proprietary data owned by K-State must be classified and protected according to K-State's data classification policy and security standards. Individuals managing or accessing proprietary data are responsible for complying with any additional requirements and security policies and procedures specified by the third-party owner. Proprietary data include data classified by the federal government as Classified National Security Information (confidential, secret, top secret).
.054 Data Security Standards
The following table defines required safeguards for protecting data and data collections based on their classification. Data security requirements for Proprietary Data are determined by the contracting agency and are therefore not included in the table below.
In addition to the following data security standards, any data covered by federal or state laws or regulations or contractual agreements must meet the security requirements defined by those laws, regulations, or contracts.
Security Control Category | Data Classification | ||
---|---|---|---|
Public | Internal | Confidential | |
Access Controls |
|
|
|
Copying/Printing (applies to both paper and electronic forms) |
|
|
|
Network Security |
|
|
|
System Security |
|
|
|
Virtual Environments |
|
|
|
Physical Security |
|
|
|
Remote Access to systems hosting the data |
|
|
|
Data Storage |
|
|
|
Transmission |
|
|
|
Backup/Disaster Recovery |
|
|
|
Media Sanitization and Disposal (hard drives, CDs, DVDs, tapes, paper, etc.) |
| ||
Training |
|
|
|
Audit Schedule |
|
|
|
.056 Contracts with Third Parties
Contracts between the University and third parties involving University Data must include language requiring compliance with all applicable laws, regulations, and University policies related to data and information security; immediate notification of the University if University Data is used or disclosed in any manner other than allowed by the contract; and, to the extent practicable, mitigate any harmful effect of such use or disclosure.
.060 Definitions
- ACL
- Access Control List; a set of rules in a network device, such as a router, that controls access to segments of the network. A router with ACLs can filter inbound and/or outbound network traffic similar to a firewall but with less functionality.
- Authentication
- Process of verifying one's digital identity. For example, when someone logs into Webmail, the password verifies that the person logging in is the owner of the eID. The verification process is called authentication.
- Authorization
- Granting access to resources only to those authorized to use them.
- Availability
- Ensures timely and reliable access to and use of information.
- Classified National Security Information
- Information that has been determined by the federal government to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form. There are three classifications - confidential, secret, and top secret (see White House Press Release: Classified National Security Information).
- Confidentiality
- Preserves authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
- Firewall
- A specialized hardware and/or software system with stateful packet inspection that filters network traffic to control access to a resource, such as a database server, and thereby provide protection and enforce security policies. A router with ACLs is not considered a firewall for the purposes of this document.
- IDS
- Intrusion Detection System; a system that monitors network traffic to detect potential security intrusions. Normally, the suspected intrusions are logged and an alert generated to notify security or system administration personnel.
- Integrity
- Guards against improper modification or destruction of information, and ensures non-repudiation and authenticity.
- IPS
- Intrusion Prevention System; an IDS with the added ability to block malicious network traffic to prevent or stop a security event.
- Local Network
- Any segment of K-State's data network physically located on the Manhattan or Salina campus with an IP address starting with 129.130.X.X or an un-routable private IP address (e.g., 10.X.X.X).
- Remote Access
- Accessing any K-State's local network from any physical location outside the Manhattan or Salina campus. This includes access from off campus using K-State's VPN service.
- Secure Data Center
- A facility managed by full-time IT professionals for hosting computer, data storage, and/or network equipment with 24x7 auditable restricted access, environmental controls, power protection, and network firewall protection.
- Secure Server
- a computer that provides services to other computers, applications, or users; is running a server operating system; and is hardened according to relevant security standards, industry best practices, and K-State security policies.
- Sensitivity
- Indicates the required level of protection from unauthorized disclosure, modification, fraud, waste, or abuse due to potential adverse impact on an individual, group, institution, or affiliate. Adverse impact could be financial, legal, or on one's reputation or competitive position. The more sensitive the data, the greater the need to protect it.
- University Data
- Any data related to Kansas State University ("University") functions that are:
- Stored on University information technology systems.
- Maintained by K-State faculty staff, or students.
- Related to institutional processes on or off campus. This applies to any format or media (in other words, it is not limited to electronic data).
- VPN
- Virtual Private Network; a VPN provides a secure communication channel over the Internet that requires authentication to set up the channel and encrypts all traffic flowing through the channel.
.070 Roles and Responsibilities
Everyone with any level of access to University Data has responsibility for its security and is expected to observe requirements for privacy and confidentiality, comply with protection and control procedures, and accurately present the data in any type of reporting function. The following roles have specific responsibilities for protecting and managing University Data and Data Collections.
- Chief Data Steward - Senior administrative officers of the university responsible for overseeing all information resources (e.g., the Provost and Vice Presidents).
- Data Steward - Deans, associate vice presidents, and heads of academic, administrative, or affiliated units or their designees with responsibility for overseeing a collection (set) of University Data. They are in effect the owners of the data and therefore ultimately responsible for its proper handling and protection. Data Stewards are responsible for ensuring the proper classification of data and data collections under their control, granting data access permissions, appointing Data Managers for each University Data collection, making sure people in data-related roles are properly trained, and ensuring compliance with all relevant polices and security requirements for all data for which they have responsibility.
- Data Stewards Council - A group of Data Stewards appointed by the Chief Data Stewards and Chief Information Officer to maintain the data classification schema, define University Data collections, assign a Data Steward to each, and resolve data classification or ownership disputes.
- Data Manager - Individuals authorized by a Data Steward to provide operational management of a University Data collection. The Data Manager will maintain documentation pertaining to the data collection (including the list of those authorized to access the data and access audit trails where required), manage data access controls, and ensure security requirements are implemented and followed.
- Data Processor - Individuals authorized by the Data Steward or designee and enabled by the Data Manager to enter, modify, or delete University Data. Data Processors are accountable for the completeness, accuracy, and timeliness of data assigned to them.
- Data Viewer - Anyone in the university community with the capacity to access University Data but is not authorized to enter, modify, or delete it.
- Chief Information Security Officer - Provides advice and guidance on information and information technology security policies and standards.
- Internal Audit Office - Performs audits for compliance with data classification and security policy and standards.
.090 Related Laws, Regulations, or Policies
Kansas State University Policies
- Collection, Use, and Protection of Social Security Numbers
- University Research Compliance Office for information on export controls, confidential/sensitive research data, human subjects, etc.
- Security for Information, Computing, and Network Resources
State of Kansas
- K.S.A. § 21-6107: Crimes involving violations of personal rights
- State of Kansas, ITEC Information Technology Security Standards Policy 7320A (PDF). These do not directly apply to K-State, but offer good guidelines for data security controls and represent minimum standards required of non-Regents state agencies.
- State of Kansas, ITEC Information Technology Policy 8010a - Data Review Board Standards
Federal Legislation and Guidelines
- Family Educational Rights and Privacy Act of 1974 (FERPA)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- Electronic Communications Privacy Act of 1986 (ECPA)
- NIST Special Publication 800-88, Revision 1: Guidelines for Media Sanitization
- NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
- NIST Publication 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories
- Executive Order 12958: Classified National Security Information, As Amended, March 2003
Other
.100 Questions/Waivers
The Vice President for Information Technology and Chief Information Officer (CIO) is responsible for this policy. The CIO or designee must approve any exception to this policy or related procedures. Questions should be directed to the Chief Information Security Officer (CISO).