IT Security Policy 101 – Data Classification and Control

Status: Draft
Last Revision Date: 26 September 2023

Statement of Purpose

This policy ensures regulatory compliance in the classification and control of critical data. To achieve this, data stored in Clackamas Community College systems must be well understood, and appropriate digital and physical controls must be implemented to prevent breaches and manage access effectively.

Policy Summary

All data stored and accessed on Clackamas Community College information systems, whether managed by employees or third parties, shall be identified and classified by the data owner in collaboration with the data steward. The classification level of data shall be reviewed periodically, in accordance with current state and federal laws and regulations. Additionally, periodic reviews of user access shall be conducted.

Policy

  1. All data created by Clackamas Community College staff in the course of their duties shall be the property of Clackamas Community College and subject to appropriate security controls.

  2. All data created, owned, or controlled by Clackamas Community College or its agents shall be classified into one of the following categories:

    • Public: Data that can be freely shared with the general public.

    • Confidential: Data that cannot be freely shared with the public and requires controlled access, limited to individuals with a demonstrable need to know.

    • Restricted: Data that, if released, could cause harm or disruption. This includes non-directory student data and Personally Identifiable Information (PII).

  3. All data shall be classified as Confidential by default. The data owner shall be responsible for reclassifying data as Public or Restricted as necessary.

  4. Data published to public-facing resources shall automatically be classified as Public. Any unpublished data with a Public classification shall be clearly identified.

  5. All data shall be protected using access controls appropriate to its classification level, ensuring it is not improperly disclosed, modified, deleted, or rendered unavailable.

  6. Non-public data shall be restricted to authenticated users, as specified in Policy 102.

  7. Data in physical media (e.g., documents, forms, and portable media) shall be protected as specified in Policy 104.

  8. Physical access to Electronic Information Resources shall be controlled as specified in Policy 113.

  9. The data owner shall notify the data steward of any access auditing requirements. The data steward shall provide the owner with audit results at the specified interval.

Exemptions

None.

Exceptions

Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO).

Print Article