Highline College

4.1 Data Classification Standard

4.1 Data Classification Standard 2024-03-25T12:19:35+00:00

4.1.1. Overview

A data classification standard is necessary to provide a framework for securing data from risks including, but not limited to, unauthorized destruction, modification, disclosure, access, use, and removal.

 

4.1.2. Purpose

This standard outlines how Highline College classifies its data.

 

4.1.3. Scope

This policy applies to all Highline College data and to all user-developed data sets and systems that may access these data, regardless of the environment where the data reside (including cloud systems, servers, personal computers, mobile devices, etc.). The policy applies regardless of the media on which data reside (including electronic, microfiche, printouts, CD, etc.) or the form they may take (text, graphics, video, voice, etc.).

 

4.1.4. Standard

Data is classified into four categories based on the sensitivity of the data. These categories are in line with the Washington State data classification categories as defined in OCIO policy 141.10.

4.1.4.1 Category 1 – Public Information

Public information is information that can be or currently is released to the public. It does not need protection from unauthorized disclosure, but does need integrity and availability protection controls.

4.1.4.2 Category 2 – Sensitive Information

Sensitive information may not be specifically protected from disclosure by law and is for official use only. Sensitive information is generally not released to the public unless specifically requested.

4.1.4.3 Category 3 – Confidential Information

Confidential information is information that is specifically protected from disclosure by law. It may include but is not limited to:

  • Personal information about individuals, regardless of how that information is obtained.
  • Information concerning employee personnel records.
  • Information regarding IT infrastructure and security of computer and telecommunications systems.

4.1.4.4 Category 4 – Confidential Information Requiring Special Handling

Confidential information requiring special handling is information that is specifically protected from disclosure by law and for which:

  • Especially strict handling requirements are dictated, such as by statutes, regulations, or agreements.
  • Serious consequences could arise from unauthorized disclosure, such as threats to health and safety, or legal sanctions.

 

4.1.5. Compliance

4.1.5.1 Compliance Measurement

ITS will verify compliance with this standard through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the standard owner.

4.1.5.2 Exceptions

Any exception to the standard must be approved by ITS in advance.

4.1.5.3 Non-Compliance

An employee found to have violated this standard may be subject to disciplinary action, up to and including termination of employment.

 

4.1.6. Related Standards, Policies, and Processes

OCIO Policy 141.10

 

4.1.7. Revision History

Date By Summary