Improving Data Security: Data Classification Policy
Posted October 30, 2017 by Academic and Institutional Technology
Tags:
Updates
Improving Data Security: Data Classification Policy
Effective Date: October 1, 2017
As of October 1, Wheaton College has officially adopted a Data Classification Policy, as well as a Data Classification and Handling Procedure.
Rationale
In 2016, Wheaton College’s cybersecurity consultants, GreyCastle Security, performed a risk evaluation of our institutional data in order to increase security. One of their top recommendations was that we adopt a Data Classification and Handling Policy/Procedure.
The purpose of this policy is to define the data classification requirements for Wheaton College information assets and to ensure that data is secured and handled according to its sensitivity and impact that theft, corruption, loss or exposure would have on the institution. This policy provides direction regarding identification, classification and handling of information assets.
The full policy can be found here.
Impact on College Community
- Each member of our community is responsible for carefully handling all classified information, both electronic and non-electronic.
- Data is classified in three categories:
- Restricted: Information assets whose loss, corruption, or unauthorized disclosure would cause financial loss or would result in regulatory or government sanctions such as violations of our associate private information.
- Common examples include, but are not limited to social security numbers, banking and health information, payment card information, personnel records and information systems’ authentication data.
- Private: Information assets whose loss, corruption, or unauthorized disclosure would not seriously impair business or educational functions but is otherwise private.
- Examples include, but are not limited to, final course grades, building plans, protected data related to research, financial statements, contracts and legal information.
- Public: Information assets whose loss, corruption, or unauthorized disclosure would not impair business functions.
- Examples include, but are not limited to, academic recruiting and marketing strategies, web site content and promotional information.
- Data stewards have been identified and appointed, and they are working to create processes for protecting the data they are responsible for. Stay tuned for more information in January!
If you have any questions, please contact Academic and Institutional Technology by email or by phone at 630.752.4357 (HELP).