Policy 922 - Information Classification Policy

  1. Home
  2. My St. John's
  3. Policy 922 - Information Classification Policy

Section: Information Technology
Policy Number: 922
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 6/11/20; 9/10/24

Policy Statement

The objective of this policy is to provide a classification system for all St. John’s University (St. John’s) data and documents (information assets) to which an appropriate security class can be assigned.

St. John’s holds many information assets that must be protected against unauthorized access, disclosure, modification, or other misuses. Efficient management of these assets is also necessary in order to comply with legal obligations, such as the General Data Protection Regulation (GDPR).

Different types of information assets require different security measures. Proper classification is vital to ensuring effective data security and management. Each security class listed in the summary tables below has defined data management controls that determine how information assets should be handled throughout its lifecycle. These controls are applied to all information assets held by St. John’s.

Scope and Applicability

This policy is to be applied to all information held by St. John’s, including data and documents relating to teaching, research, and administration. The focus of the policy is on information held in an electronic format; however, the policy also requires departments to apply appropriate controls to information held in hard copy. The policy encompasses storage, access, sharing and resilience of information assets. The scope of this policy covers the entire University Community.

Policy

Data classification establishes management’s tolerance of risk through the categorization of data, which conveys required safeguards for information confidentiality, integrity, and availability.  These protection measures are usually based on qualified information value and risk acceptance.  

St. John’s has set forth the following data classification based on the level of sensitivity, value, and the aptitude of impact incurred when altered, disclosed, and/or destroyed.

Data classification takes into account the following: reputational; financial; operational; strategic; and compliance impact to St. John’s.

St. John’s Data is classified into four categories:

  • Restricted: Specific
  • High Impact: Sensitive Data
  • Moderate Impact: Private Data
  • Low Impact: Public Non-Sensitive Data

Risk Level - Restricted

Data Classification/Sensitivity Level - Restricted: Specific
Risk Level Definition - “Restricted” data is data that is subject to specific security controls prescribed by law, contract, or industry standards. The unauthorized disclosure of Restricted data could cause substantial harm to individuals and /or the University. Also, the unauthorized disclosure of this information could implicate federal and/or state breach notification laws. 
Data Type Definition - Access and use of data are restricted.  FTI: Federal Tax Information Data and PCI Data: Credit Card or Payment Information 
Examples (These examples are not an exhaustive list of this classification's data.) - FTI Data:  FAFSA data items: Tax year, Tax Filing Status, Adjusted Gross Income (AGI), Number of Exemptions and Number of Dependents, Income Earned from Work, Taxes Paid, Educational Credits, Untaxed IRS distributions, IRA deductible and payments, Tax exempt interest, Untaxed pension amounts, Schedule C net profit/loss, Indicators for Schedules A,B,D,E,F,H, and IRS response code. PCI Data: Cardholder name and credit/debit card account number, credit/debit card expiration date, credit card verification number, and credit card security code.
Laws/Regulations/Contract/Policies (This is not an exhaustive list) - Gramm-Leach-Bliley Act (GLBA); Federal FUTURE ACT; federal Information Security Modernization Act (FISMA); Family Education Rights and Privacy Act (FERPA) ; Student Aid Internet Gateway Agreement (SAIG); General Data Protection Regulation (GDPR); PCI Security Standards Council; NY Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)

Risk Level - High Impact

Data Classification/Sensitivity Level - Sensitive Data
Risk Level Definition - “Sensitive” data is data that contains information that could cause substantial harm to individuals and/or the University but is not subject to specific security controls prescribed by law, contract, or industry standards. Also, the unauthorized disclosure of this data could implicate federal and/or state breach notification laws. 
Data Type Definition - Protected Regulated: Data
Examples (These examples are not an exhaustive list of this classification's data.) -  Includes: PII data SSN, Driver's license, and Student FAFSA information that is not FTI, loan information, passport number, Bank/Financial Acct information, and protected health information, PINS, Passwords, and Law Enforcement Active data.
Laws/Regulations/Contract/Policies (This is not an exhaustive list) - GLBAFERPASAIGGDPR; NY SHIELD Act; Heath Insurance Portability and Accountability Act of 1996 (HIPAA)

Risk Level - Moderate Impact

Data Classification/Sensitivity Level - Moderate: Private Data
Risk Level Definition - “Moderate” data is data that contains information that could cause serious, but not substantial, harm to individuals and/or the University. Also, the unauthorized disclosure of this data could implicate federal and/or state breach notification laws.
Data Type Definition - Regulated Data: Data is subject to protection under FERPA or other federal, state regulation, University policy or contractual agreement.
Examples (These examples are not an exhaustive list of this classification's data.) - Includes: Student Education records (FERPA protected data); STJ X-ID’s, Nonpublic financial aid information, Donor records, employee records, Public safety records, I.T. Infrastructure Data, Immigration documents, University Non-Public Financial Data, Protected Data related to Research, Human Subject Research, University Intellectual property or proprietary information.
Laws/Regulations/Contract/Policies (This is not an exhaustive list) - GLBAFERPAGDPR, NY SHIELD Act

Risk Level - Low Impact

Data Classification/Sensitivity Level - Low: Public Non-Sensitive Data
Risk Level Definition - “Public Non-Sensitive Data” is data that contains information that is generally available to the public. 
Data Type Definition - Data in Public Domain
Examples (These examples are not an exhaustive list of this classification's data.) - Includes: Public websites, Course Catalogs, Published Research, and University Data classified as FERPA Directory Information.

Definitions

The following are definitions relevant to the policy:

  • Computing Resources: All St. John’s information processing resources, including all St. John’s owned, licensed, or managed computing services, hardware, software, and use of St. John’s network via physical or wireless connection, regardless of the ownership of the computer or device connected to the network.
     
  • Institutional Data: All data owned or licensed by St. John’s.
     
  • University Community: Includes faculty, administrators, staff, student workers, graduate/technical assistants, alumni, interns, guests or agents of the administration, external individuals and organizations accessing St. John’s network services, and other authorized users.
     
  • Information Asset: A collection of any type of data, irrespective of type (e.g. numerical data, text) and form (e.g. digital or hard copy).
     
  • Data Owner: The person or department who acts as the principle authority and has overall responsibility for the information asset and for ensuring that it is managed securely and in compliance with St. John’s and government regulations and policies. The Data Owner may delegate day-to-day responsibility for management of the data to a Data Administrator, service group or other persons.
     
  • Data Administrator: The staff member or department delegated with overall responsibility for day-to-day management of the information asset in accordance with St. John’s and government regulations and policies. Processes and procedures used to manage the data should have been implemented by the Data Owner. For some data, particularly small datasets, the Data Owner and Data Administrator may be the same person.
     
  • Security Class: Defines how an information asset should be handled. The classes are: Open, Confidential and Secret. The classification of an information asset may change over time.
     
  • Data Management Plan: A document that describes how the data associated with a project will be handled, both during its lifetime and after it has been completed.
     
  • Information Asset Register: A document listing information assets and key metadata about them: owner, administrator, location, user access, retention policy, and information class.

Compliance

St. John’s reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance must be presented to, reviewed, and approved by the CIO, the Director of Information Security, or the equivalent officer(s).

All breaches of information security, actual or suspected, must be reported to, and investigated by the CIO and the Director of Information Security. 

Those who violate security policies, standards, or security procedures are subject to disciplinary action up to and including loss of computer access and appropriate disciplinary actions as determined by St. John’s.

St. John's University
Human Resources Policy Manual