Data Classification Policy

This classification scheme in this policy is to be applied to all institutional data, both physical and electronic, throughout Earlham College and the Earlham School of Religion.

College Data is information generated by or for, owned by, or otherwise in the possession of Earlham College that is related to the College’s activities. College Data may exist in any format (i.e. electronic, paper) and includes, but is not limited to, all academic, administrative, and research data, as well as the computing infrastructure and program code that supports the business of Earlham College and Earlham School of Religion.

In order to effectively secure its data, Earlham has established a vocabulary to describe the data and quantify the amount of protection required.

Data shall be handled according to their prescribed classification, including access controls, labeling, retention policies and destruction methods.

1. All Employees are responsible for:
   1. classifying and marking all created or modified information, including any reproductions that are made (e.g. reports), and
   2. appropriate handling of all classified information (electronic or non-electronic).
2. Chief Information Officer (or designee) is esponsible for:
   1. creating and managing asset inventories used to store, process, transmit or provide access to electronic information; and
   2. monitoring the implementation of this policy and reporting to senior management on any abnormal findings or exceptions.
3. Data owners are individuals, roles and/or committees primarily responsible for information assets. Data owners are responsible for:
   1. identifying the organization’s information assets under their areas of supervision;
   2. maintaining an accurate and complete inventory for data classification and handling purposes;
   3. ensuring information assets receive an initial classification upon creation;
   4. re-classifying information assets whenever the assets are significantly modified; and
   5. reporting deficiencies in security controls to management.

Data classifications are defined as follows:

A. Restricted

Data is classified as Restricted when it contains information whose loss, corruption, or unauthorized disclosure would cause severe personal, financial or reputational harm to the organization, organization staff or the community we serve. This includes, but is not limited to data subject to federal and state breach notifications and data for which the unavailability would result in disruptions of critical systems or services. Common examples include, but are not limited to, social security number, banking and health information, payment card information and information systems’ authentication data.

Restricted data should only be disclosed on a strict need-to-know basis.

B. Sensitive or Internal

Data is classified as Sensitive or Internal when it contains information whose loss, corruption, or unauthorized disclosure would likely cause limited personal, financial or reputational harm to the organization, organization staff or the community we serve. Common examples include, but are not limited to, some data elements found in employment records, unpublished research data, and passport and visa numbers.

By default, all institutional data that is not explicitly classified as Restricted or Public data should be treated as Sensitive or Internal.

Sensitive or Internal data that must be guarded due to proprietary, ethical, privacy, or business process considerations. This classification applies even though there may be no legal or contractual controls which require such protection.

C. Public

Data is classified as Public when it contains information whose loss, corruption, or unauthorized disclosure would cause minimal or no personal, financial or reputational harm to the organization, organization staff or the community we serve. Common examples include, but are not limited sales and marketing strategies, promotional information, published research data, and policies.

It should be understood that any information that is widely disseminated within the campus community is potentially available to the public at large. When practical, public data should only be shared via systems which the College maintains full administrative control, which includes the ability to remove or modify the data in question.

Information labeling is the practice of marking an information system or document with its appropriate classification levels so  that others know how to appropriately handle the information.

Restricted information that can be printed (e.g., spreadsheets, files, reports, drawings, or handouts) should contain Earlham College’s classification in the document.

Restricted information that is displayed or viewed (e.g., websites, presentations, etc.) must be labeled with its classification as part of the display.

Responsible data owners will re-evaluate classified data assets at least once per year. Re-classification of data assets shall also be considered whenever the data asset is modified, retired or destroyed.

Logical or physical assets that “contain” a data asset may inherit classification from the data asset(s) contained therein. In these cases, the inherited classification shall be the highest classification of all contained data assets.

Earlham provisions employees with appropriate access to information and information systems us the principle of least privilege. Least privilege is the principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function (NIST).

Violation of this policy may result in disciplinary action, including but not limited to discontinued access to certain technology resources, suspension, or termination of employment.

Exceptions to this policy may be approved in advance by the Chief Information Officer at the request of the responsible data asset owner. Approved exceptions must be reviewed and re-approved by the asset owner annually.

This policy will be reviewed annually by the Chief Information Officer. Amendments will be adopted with the approval of the Chief Financial Officer.

• Federal Information Processing Standard Publication 199 (FIPS-199)
• NIST Special Publication 800-171
• Family Educational Rights and Privacy Act (FERPA)
• The Gramm – Leach Bliley Act (GLBA)