Data Classification Standard

Standard Statement

Data classification is used to assign a level of sensitivity to data. The level of sensitivity assigned to the data determines the level of protection and control required to secure the data. Metropolitan Community College (MCC) Technology and Administrative Services will maintain a data classification document, so that data will be protected from unauthorized disclosure, use, modification, or deletion.

 

Purpose

To inform data owners and data users about the data classification system used by MCC to protect data generated, accessed, transmitted, and stored by MCC; to promote compliance with local, state, and federal regulations regarding privacy and confidentiality of information. Departments are responsible for securing information they create, manage or store.

 

Information Classification

There are four classifications of MCC information:

Public – Information that is readily available or disclosed to all parties.

Internal – Information that is intended for widespread distribution to MCC employees.

Sensitive – Information that is intended only for a limited audience within MCC, or whose release would likely have a materially adverse effect on MCC, employees or students.

Confidential – Highly sensitive information that is intended only for a limited audience within MCC with a need-to-know or whose release would likely have a materially adverse effect on MCC, employees or students.

Scope

This applies to all electronic and paper data stored on any media or system(s) throughout Metropolitan Community College (MCC) and applies to all individuals storing, accessing or working with the data in any way, including all MCC employees, students, contractors, adjuncts, guests, consultants, temporary employees and any other users, including all third parties utilizing MCC resources or data.

The following regulations, standards and procedure memoranda apply:

1) Family Educational Rights and Privacy Act (FERPA)

2) Payment Card Industry Data Security Standards (PCI-DSS)

3) Red Flag Rule - Identity Theft Prevention Program PM X-30

4) Health Insurance Portability and Accountability Act (HIPAA)

5) Gramm-Leach-Bliley Act (GLB)

6) Nebraska Data-Security Law (Nebraska Statutes 87-807)

 

Employee Information

| Data Field Name | Classification | Regulation / Source |
|---|---|---|
| Employee name | Public | |
| Home phone | Confidential | HIPAA |
| Address (street, city, state, zip) | Confidential | HIPAA |
| Social Security Number | Confidential | HIPAA, State of Nebraska |
| Motor Vehicle Operator license | Confidential | State of Nebraska |
| State ID card number | Confidential | State of Nebraska |
| Financial information in combination with security code, access code, or password that would permit access to a resident’s financial account; Unique electronic identification number or routing code, in combination with any required security code, access code or password | Confidential | State of Nebraska |
| Health Insurance Policy ID numbers | Confidential | HIPAA |
| Biometric data | Confidential | State of Nebraska |
| Date of Birth | Confidential | State of Nebraska |
| Name of Spouse, dependents | Confidential | State of Nebraska |
| Spouse/Dependent SSN | Confidential | State of Nebraska |
| Spouse/Dependent date of birth | Confidential | State of Nebraska |
| Salary | Confidential | MCC |
| User-id | Internal | |
| Password | Confidential | PCI DSS |

Student Information

| Data Field Name | Classification | Regulation / Source |
|---|---|---|
| Social Security Number | Confidential | FERPA, HIPAA |
| Grades (test scores, assignments, and class grades) | Confidential | FERPA |
| Student Financial Information | Confidential | FERPA |
| Credit Card Numbers | Confidential | FERPA, PCI DSS, GLB |
| Bank Accounts | Confidential | FERPA |
| Wire Transfers | Confidential | FERPA |
| Payment history | Confidential | FERPA |
| Financial aid / grants | Confidential | FERPA |
| User account passwords | Confidential | GLB, PCI DSS (Bistro) |
| Contracts (more info?) | Confidential | GLB |
| Health Insurance Policy ID numbers | Confidential | HIPAA |
| Biometric identifiers | Confidential | FERPA |

The college provides the following directory information to third parties without the student’s consent unless the student designates otherwise with the Associate Vice President for Student Affairs.

| Data Field Name | Classification | Regulation / Source |
|---|---|---|
| Name | Internal | |
| Address | Internal | |
| Email address | Internal | |
| Telephone number | Internal | |
| Date of birth and place | Internal | |
| Major field of study | Internal | |
| Dates of attendance | Internal | |
| Degrees and awards received | Internal | |
| Photograph | Internal | |

 

Payment Card Industry

| Data Field Name | Classification | Regulation / Source | Handling Requirement |
|---|---|---|---|
| Cardholder Name | Confidential | PCI DSS | Data encrypted in transit and at rest |
| Personal Account Number (PAN) | Confidential | PCI DSS | |
| Service Code | Confidential | PCI DSS | |
| Expiration Date | Confidential | PCI DSS | |
| Full magnetic strip data or equivalent on a chip | Confidential | PCI DSS | Not to be stored after authentication, securely delete, not retrievable by forensic tools or methods |
| CAV2/CVC2/CVV2/CID | Confidential | PCI DSS | Not to be stored after authentication, securely delete, not retrievable by forensic tools or methods |
| PINs/PIN blocks | Confidential | PCI DSS | Not to be stored after authentication, securely delete, not retrievable by forensic tools or methods |

Documents

| Data Field Name | Classification | Regulation / Source |
|---|---|---|
| Network Diagram | Confidential | GLB |
| Source Code | Sensitive | MCC |
| Email distribution list | Internal | MCC |

 

| Resources | Description |
|---|---|
| https://www.pcisecuritystandards.org | Payment Card Industry Data Security Standards (PCI DSS) |
| http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html | Family Educational Rights and Privacy Act (FERPA) |
| http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml | Federal Trade Commission, Red Flags Rule |
| http://www.hhs.gov/ocr/privacy/ | Health Insurance Portability and Accountability Act (HIPAA) |
| http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act | Gramm-Leach-Bliley Act (GLB) |
| http://nebraskalegislature.gov/laws/statutes.php?statute=87-807 | Nebraska Data Security Law (87-807) |

 

| Version | Date | Approver | Change Description |
|---|---|---|---|
| 1.0 | 8/15/2011 | Information Security Steering Committee | Initial construction |
| 1.0 | 8/13/2012 | Information Security Steering Committee | Annual Review |

 
