Data Classification
Data Classification
1. Purpose
Clemson University is committed to protecting the privacy of its students, alumni, faculty, and staff while protecting the confidentiality, integrity, and availability of information important to the University’s mission. To meet that commitment, the University has developed this policy which will be used to categorize University information and determine what security controls are required for related systems and applications.
2. Roles & Responsibilities
For functional areas with a Data Trustee assigned, data classification is the responsibility of the Data Trustee. Data Stewards appointed by the Data Trustee will create an inventory of data under their purview and will ensure relevant information security policies and procedures are followed to protect the confidentiality and integrity of the data. If a system or application handles data of multiple classifications, it should be protected according to the higher classification. For areas without an appointed Data Trustee, classification and compliance with policies and procedures will be the responsibility of the data owner. This includes owners of shared drives, databases, and applications that collect or process data.
Data Trustee: Officer-level individual with oversight responsibility for University data related to the functional area.
Data Steward: Individuals (assigned by Data Trustee) who are responsible for the accuracy, privacy and security of the data.
3. Definitions
The University, in alignment with the State of South Carolina, has adopted four data classification categories: Restricted, Confidential, Internal Use, and Public. These classifications are defined below.
Restricted
- The information is highly sensitive and is to be kept protected as a matter of law, regulation, contractual obligation.
- A breach of confidentiality, integrity, or availability could have a significant adverse impact on the University’s mission, safety, finances, or reputation.
- The University is subject to statutory or regulatory penalties or notification provisions in the event of any unauthorized access or disclosure.
Confidential
- The information is sensitive and is to be kept protected as a matter of University policy, procedures or contractual obligation.
- A breach of confidentiality, integrity, or availability could have an adverse impact on the University’s mission, safety, finances, or reputation.
Internal Use
- The data is not Confidential or Restricted, but not generally available to the public.
- A breach of confidentiality, integrity, or availability could have minimal adverse impact on the University’s mission, safety, finances, or reputation.
- The information pertains to or is used in the daily operations of the University.
Public
- Data is developed and intended for public disclosure.
4. Data Elements
The Example Data Elements table contains a list of commonly used data types. This list is not all inclusive but does provide guidance on how to classify data.
Example Data Elements
|
|||
Public
|
Internal Use
|
Confidential
|
Restricted
|
---|---|---|---|
|
|
|
|
For some data elements, the context will affect the classification. A name, photo and birthdate are Personally Identifiable Information (PII) and are Confidential but may be included in a University newsletter (with approval from the individual) and be considered Public in that context. Other records containing the same data will still be considered Confidential.
As data ages, the classification may also change. For example, University budgets may be classified as Internal Use, but become Public once published.
5. Data Classification Support
Questions regarding Data Classification, Data Trustees and Data Stewards can be directed to ithelp@clemson.edu.
6. Data Storage
Data must be stored in an approved IT Solution or storage location based on the classification. IT solutions that store or process data must be approved through the IT Vendor Management Process. Clemson also provides students, faculty, and staff a variety of File Storage Options.
Responsible Division
CCIT
Reviewed Date
August 10, 2023