Purpose and Scope
The purpose of this policy is to establish a framework for classifying and protecting all data created, received, maintained, or transmitted by Muhlenberg College. By understanding the sensitivity and importance of different types of data, we can implement appropriate measures to safeguard our information assets while ensuring they remain accessible to those who need them.
This policy applies to all members of the Muhlenberg College community, including students, faculty, staff, and any third parties who handle college data. It covers all forms of data, regardless of whether they are stored electronically, on paper, or in any other format.
Data Classification Levels
We have established four levels of data classification at Muhlenberg College. Each level reflects the sensitivity of the information and the potential impact if that data were to be disclosed, altered, or destroyed without authorization.
Public Data
Public Data is information that is intended for unrestricted public use. This includes our course catalogs, press releases, and publicly available research findings. While this information is freely available, we still need to ensure its integrity and prevent unauthorized modification.
Internal Data
Internal Data, while not particularly sensitive, is intended primarily for use within Muhlenberg College. This category includes our campus directories, departmental procedures, and internal memos. We limit the distribution of this information outside the college community and apply standard security controls to manage access.
Confidential Data
Confidential Data requires a higher level of protection due to its sensitive nature. This category includes student educational records protected by FERPA, employee performance evaluations, and non-public financial data. We strictly limit access to this information, use encryption for its transmission, and implement strong security controls for its storage.
Restricted Data
Restricted Data is our most sensitive information, which could cause significant harm to individuals or the college if compromised. This includes Social Security numbers, credit card information, and health records protected by HIPAA. We apply our most stringent security controls to this data, severely limiting access and requiring encryption for both storage and transmission.
Roles and Responsibilities
Protecting our data is a shared responsibility across the Muhlenberg College community.
Data Owners, typically department heads or project leaders, are responsible for classifying their data appropriately and ensuring that proper access controls are in place. They must regularly review and update these classifications as needed.
All Data Users must handle information in accordance with its classification level. This includes following proper procedures for data storage, transmission, and disposal. Users are also responsible for reporting any suspected data breaches or misclassifications.
Our Office of Information Technology plays a crucial role in implementing technical controls to protect data based on its classification level. They provide tools and guidance for secure data handling and conduct regular security assessments.
Data Handling Procedures
We have established specific procedures for handling data at each classification level. These procedures cover aspects such as storage, transmission, access, and disposal of data.
For storage, we use standard college-approved solutions for Public and Internal data, while Confidential and Restricted data require secure, encrypted storage with strict access controls.
When transmitting data, we use standard college communication channels for Public and Internal data, but require encrypted transmission methods for Confidential and Restricted data.
Access to data is granted on a need-to-know basis, with regular access reviews conducted for Confidential and Restricted data.
For data disposal, we use standard methods for Public and Internal data, but employ secure disposal techniques such as shredding or secure digital wiping for Confidential and Restricted data.
Training and Awareness
To ensure everyone understands their responsibilities, all faculty, staff, and students handling college data must complete annual training on this Data Classification Policy and related data security practices. We also conduct ongoing awareness campaigns to keep data protection at the forefront of our community's mind.
Policy Review
As the landscape of data management and security continually evolves, we commit to reviewing this Data Classification Policy annually. We will update it as necessary to reflect changes in technology, legal requirements, and the college's needs, ensuring that our approach to data protection remains current and effective.