Georgetown University Information Classification Policy (Legacy)

Statement

This Policy explains the requirements for classifying and protecting the University’s data and information, and defines responsibility for classification. This Policy also establishes a framework for classifying University information as Restricted, Private, or Public, so it can be protected and used appropriately. These classifications are based on both external requirements and University policies.

Applicability

This policy applies to all members of the University Community. This Policy applies to information generated, accessed, modified, transmitted, stored, or otherwise used by the University Community.

University information exists on many different media (e.g., paper, hard drive, flash drive, cell phone, disk, DVD, or CD-ROM) and in many different formats (e.g., text, graphic, video, or voice; electronic or physical). All of these forms and formats of information require care and protection.

Guiding Principles/Purpose

Georgetown University is committed to protecting the confidentiality, integrity, and availability of its information. To better safeguard University information, all members of the University Community must comply with the framework for the classification of data and protection of information. 

This policy authorizes the Office of Information Services and University Information Services to use appropriate security controls and protocols to preserve data integrity, guard against any malicious access to, or manipulation of, the University’s information assets, and to protect proprietary information. 

This policy works in conjunction with all other University policies that protect the University’s information assets and resources, including, but not limited to, the Information Security Policy, the Computer Systems Acceptable Use Policy, and the Record Retention Policy.

Administration and Implementation

Classification levels

All University information shall be assigned to one of three “classification levels”:

Restricted
Private
Public

The default classification for all University Information, where a Data Steward has assigned no other classification, is “Private.”

Data Stewards shall classify data under their stewardship, in consultation with the University Information Security Office. 

Exhibit A provides a list of examples of data and their appropriate classification levels. This list is for illustrative purposes only, is not comprehensive, and is subject to change. 

Any questions or concerns about the classification of University information should be directed to the relevant Data Steward or the University Information Security Office, which shall consult as necessary with the Office of University Counsel, and other resources as appropriate.

The term Data Steward as used here does not imply ownership in any legal sense (i.e., holder of a copyright or patent).  Data Stewards control and manage information on behalf of the University.

Restricted Information 

Information classified as Restricted has the potential to expose the University to greatest risk.  It therefore requires the most secure methods of protection from unauthorized access, disclosure, or tampering. The Restricted classification applies:

Because of legal or regulatory requirements, University policies or agreements to which the University is a party, or.
If unauthorized disclosure could result in significant risk to or adverse impact upon the University.  

Due to the risks associated with the collection and storage of such information, Restricted Information may only be collected when there is a specific business need for the information and no reasonable alternative exists.

Explicit authorization to download, transmit, or store Restricted Information always requires approval by the University Information Security Office. The University Information Security Office must approve the storage of Personally Identifiable Information, especially SSNs, in any repository or system, prior to the creation of the system. Restricted Information may only be disclosed to individuals on a need-to-know basis.  

The appropriate Data Steward and the University Information Security Office must both explicitly authorize disclosure of Restricted Information to parties outside the University. 

Restricted Information must be stored on managed University resources, as it always requires significant protection from unauthorized access, tampering, or distribution. Restricted University information must always be extracted, reported on, and transmitted within a University or Campus Reporting Center. Until such time as a University or Campus Reporting Center is operational, Data Stewards shall authorize extraction and distribution of Restricted Information as described in the Georgetown University Procedures for the Transmittal of Restricted University information.  Procedures for protecting Restricted Information will depend on the specifics of the information in question, and on the risk that unauthorized release represents to the University. Appropriate and required protections are established by the University Information Security Office and defined in the Procedures for the Protection of University Information. 

If data classified as Restricted is lost, disclosed to unauthorized parties, suspected of being lost or disclosed to unauthorized parties, or if any unauthorized use of the University’s information systems has taken place, or is suspected of taking place, members of the University Community must report the incident immediately, upon discovering the known or suspected compromise, as described in the Procedures for Reporting a Security Incident.

Private Information

Information classified as Private poses less risk than Restricted Information, but is highly sensitive, has the potential for significant negative impact to the University if disclosed, and is restricted by policy or agreement to the members of the University Community.   

Loss of Private Information could be harmful to the University’s business, image, or reputation, or undermine the confidentiality of University business or processes. A loss of this type of information would not necessarily violate existing federal or local laws, but would nonetheless pose substantial risk of disruption or negative impact.

Private Information must be stored only on authorized University services, as it requires significant protection from unauthorized access or tampering.  It may be distributed only through University services as approved by the University Information Security Office.  Appropriate and required protections for Private Information are established by the University Information Security Office and defined in the Procedures for the Protection of University Information. 

Public Information

Public Information can be freely disseminated to anyone, and may be published on public Web sites. While the requirements for protecting public data are less than that of Restricted and Private Information, sufficient controls must be maintained to protect against unauthorized modification of public information.

Appropriate and required protections for Public Information are established by the University Information Security Office and defined in the Procedures for the Protection of University Information.

Responsibilities

Members of the Georgetown University community with specific responsibilities governed by this policy are listed below.  For clarification on the terms used in this document, please refer to the “Office of Information Services Policy Definitions, Roles, and Responsibilities.”   The Procedures for the Protection of University Information define the procedures required to fulfill these responsibilities.

Data Stewards are responsible for the classification of the data under their stewardship.

Faculty are the Stewards of their research and academic data, and have the responsibility to classify the data under their stewardship.

Students are the Stewards of their own data when such data is not owned by the university and is not part of their official academic record.

The University Information Security Office assists the Data Stewards in classifying data, and ensures compliance with relevant laws, regulations, and policies, and establishes and implements procedures for the security of media and systems that store or transmit University data, based on the classification of that data.

Enforcement

Pursuant to the Georgetown University Human Resources Confidential Information Policy, employees who violate the University’s Information Security Procedures may be subject to disciplinary action, up to and including dismissal. Unauthorized access or disclosure of legally protected information may result in civil liability or criminal prosecution. 

Consistent with the Computer Systems Acceptable Use Policy, the University may temporarily suspend, block or restrict a user’s access to information and systems when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of University resources or to protect the University from liability.

The University may routinely monitor network traffic to assure the continued integrity and security of University resources in accordance with applicable University policies and laws. The University may also refer suspected violations of applicable law to appropriate law enforcement agencies.

Resources

Policy on the Use, Collection, and Retention of Social Security Numbers by Georgetown University

Georgetown University Human Resources Confidential Information Policy

Georgetown University Acceptable Use Policy

Office of Information Services Procedures for Reporting a Security Incident

Office of Information Services Procedures for the Protection of University Information

APPROVAL

Recommended for University Approval by UIS Advisory Committee on April 7, 2011.

Approved on June 10, 2013 by David Smith, University Information Security Officer

Review Cycle

This policy will be reviewed and updated as needed, but at least annually, unless changes in institutional policy or relevant law or regulation dictate otherwise.

Revision History

Revised August 30, 2011, incorporating UISAC-advised edits

Revised  by Judith House on March 19, 2013, to reflect new classification taxonomy

Submitted by Judith House on April 9, 2013, to University Information Security Officer David Smith for final approval

Exhibit A

Examples of Restricted University Information

Information protected by federal laws and regulations, including but not limited to:

The Family Educational Rights and Privacy Act (FERPA) – protects a wide range of personal education records and information about current and former students including, but not limited to: grades, university judicial, and academic records
The Health Insurance Portability and Accountability Act (HIPAA) – governs the use of protected health information, including information that identifies an individual and relates to: the individual’s past, present, or future physical or mental health; or the provision of health care to the individual; or the past, present, or future payment for health care.
The Gramm-Leach-Bliley Act (GLBA) – protects personal financial information

Regulated Personally Identifiable Information (PII):

Social Security Number
Date of birth
Place of birth
Traditional password identifiers

Mother’s maiden name
Name of favorite pet

Dependents
Bank account numbers
Income tax records
Driver’s license numbers
Credit card numbers[1]
Passport numbers

Security data and credentials authorizing access, designed to protect systems:

Information concerning security incidents
Passwords
PKI Certificates

Information collected via University business operations:

Data Governed by:

Agreements between the University and third parties
Non-disclosure agreements
Confidentiality agreements

Identified human subject data
Law Center clients
Library patrons
Donor information where anonymity is promised
Information regarding current, former, and prospective employees

Salary and pay information
Benefits data
IDEAA case data

Information on unpublished patents including process and filing documentation, grant applications, and licensing matters
Financial records
Medical records
Legal records
Student records
Police records

Private University Information

The following examples are examples of “Private” information, provided they do not contain Restricted Information:

Performance reviews
Donor data
Preparations for negotiations
Agreements in progress
Board documents
Rank and tenure data

Public University Information

The following examples are examples of “Public” information:

Public web pages
Course listings
Press releases
Marketing brochures

[1] Credit card information must not be stored by the University.  For all credit card transactions, see the Georgetown University Payment Card Industry Data Security Standards Policy.