Standard Statement
Data classification is used to assign a level of sensitivity to data. The level of sensitivity assigned to the data determines the level of protection and control required to secure the data. Metropolitan Community College (MCC) Technology and Administrative Services will maintain a data classification document so that data will be protected from unauthorized disclosure, use, modification, or deletion.
Purpose
To inform data owners and data users about the data classification system used by MCC to protect data generated, accessed, transmitted, and stored by MCC; to promote compliance with local, state, and federal regulations regarding privacy and confidentiality of information. Departments are responsible for securing information they create, manage or store.
Information Classification
There are four classifications of MCC information:
Public – Information that is readily available or disclosed to all parties.
Internal – Information that is intended for a widespread distribution to MCC employees.
Sensitive – Information that is intended only for a limited audience within MCC, or whose release would likely have a materially adverse effect on MCC, employees or students.
Confidential – Highly sensitive information that is intended only for a limited audience within MCC with a need-to-know or whose release would likely have a materially adverse effect on MCC, employees or students.
Scope
This applies to all electronic and paper data stored on any media or system(s) throughout the Metropolitan Community College (MCC) and applies to all individuals storing, accessing or working with the data, in any way, including all MCC employees, students, contracts, adjunct, guests, consultants, temporary employees and any other users, including all third parties utilizing MCC resources or data.
The following regulations, standards and procedure memoranda apply:
1) Federal Education Rights Privacy Act (FERPA)
2) Payment Card Industry Data Security Standards (PCI-DSS)
3) Red Flag Rule - Identity Theft Prevention Program PM X-30
4) Health Insurance Portability and Accountability Act (HIPAA)
5) Gramm-Leach-Bliley Act (GLB)
6) Nebraska Data-Security Law (Nebraska Statutes 87-807)

| Data Field Name | Classification | |
| --- | --- | --- |
| Employee Information | | |
| Employee name | Public | |
| Home phone | Confidential | HIPAA |
| Address (street, city, state, zip) | Confidential | HIPAA |
| Social Security Number | Confidential | HIPAA, State of Nebraska |
| Motor Vehicle Operator license | Confidential | State of Nebraska |
| State ID card number | Confidential | State of Nebraska |
| Financial information in combination with security code, access code, or password that would permit access to a resident’s financial account; Unique electronic identification number or routing code, in combination with any required security code, access code or password | Confidential | State of Nebraska |
| Health Insurance Policy ID numbers | Confidential | HIPAA |
| Biometric data | Confidential | State of Nebraska |
| Date of Birth | Confidential | State of Nebraska |
| Name of Spouse, dependents | Confidential | State of Nebraska |
| Spouse/Dependent SSN | Confidential | State of Nebraska |
| Spouse/Dependent date of birth | Confidential | State of Nebraska |
| Salary | Confidential | MCC |
| User-id | Internal | |
| Password | Confidential | PCI DSS |
| Student Information | | |
| Social Security Number | Confidential | FERPA, HIPAA |
| Grades (test scores, assignments, and class grades) | Confidential | FERPA |
| Student Financial Information | Confidential | FERPA |
| Credit Card Numbers | Confidential | FERPA, PCI DSS, GLB |
| Bank Accounts | Confidential | FERPA |
| Wire Transfers | Confidential | FERPA |
| Payment history | Confidential | FERPA |
| Financial aid/grants | Confidential | FERPA |
| User account passwords | Confidential | GLB, PCI DSS (Bistro) |
| Contracts (more info?) | Confidential | GLB |
| Health Insurance Policy ID numbers | Confidential | HIPAA |
| Biometric identifiers | Confidential | FERPA |
| The college provides the following directory information to 3rd parties without the student’s consent unless the student designates otherwise with the Associate Vice President for Student Affairs. | | |
| Name | Internal | |
| Address | Internal | |
| Email address | Internal | |
| Telephone number | Internal | |
| Date of birth and place | Internal | |
| Major field of study | Internal | |
| Dates of attendance | Internal | |
| Degrees and awards received | Internal | |
| Photograph | Internal | |
| Payment Card Industry | | |
| Cardholder Name | Confidential | PCI DSS. Data encrypted in transit and at rest |
| Personal Account Number (PAN) | Confidential | PCI DSS |
| Service Code | Confidential | PCI DSS |
| Expiration Date | Confidential | PCI DSS |
| Full magnetic strip data or equivalent on a chip | Confidential | PCI DSS. Not to be stored after authentication, securely delete, not retrievable by forensic tools or methods |
| CAV2/CVC2/CVV2/CID | Confidential | PCI DSS. Not to be stored after authentication, securely delete, not retrievable by forensic tools or methods |
| PINs/PIN blocks | Confidential | PCI DSS. Not to be stored after authentication, securely delete, not retrievable by forensic tools or methods |
| Documents | | |
| Network Diagram | Confidential | GLB |
| Source Code | Sensitive | MCC |
| Email distribution list | Internal | MCC |

| Version | Date | Approver | Change Description |
| --- | --- | --- | --- |
| 1.0 | 8/15/2011 | Information Security Steering Committee | Initial construction |
| 1.0 | 8/13/2012 | Information Security Steering Committee | Annual Review |