4.1 Data Classification Standard
4.1.1. Overview
A data classification standard is necessary to provide a framework for securing data from risks including, but not limited to, unauthorized destruction, modification, disclosure, access, use, and removal.
4.1.2. Purpose
This standard outlines how Highline College classifies its data.
4.1.3. Scope
This policy applies to all Highline College data and to all user-developed data sets and systems that may access these data, regardless of the environment where the data reside (including cloud systems, servers, personal computers, mobile devices, etc.). The policy applies regardless of the media on which data reside (including electronic, microfiche, printouts, CD, etc.) or the form they may take (text, graphics, video, voice, etc.).
4.1.4. Standard
Data is classified into four categories based on the sensitivity of the data. These categories are in line with the Washington State data classification categories as defined in OCIO policy 141.10.
4.1.4.1 Category 1 – Public Information
Public information is information that can be or currently is released to the public. It does not need protection from unauthorized disclosure, but does need integrity and availability protection controls.
4.1.4.2 Category 2 – Sensitive Information
Sensitive information may not be specifically protected from disclosure by law and is for official use only. Sensitive information is generally not released to the public unless specifically requested.
4.1.4.3 Category 3 – Confidential Information
Confidential information is information that is specifically protected from disclosure by law. It may include, but is not limited to:
- Personal information about individuals, regardless of how that information is obtained.
- Information concerning employee personnel records.
- Information regarding IT infrastructure and security of computer and telecommunications systems.
4.1.4.4 Category 4 – Confidential Information Requiring Special Handling
Confidential information requiring special handling is information that is specifically protected from disclosure by law and for which:
- Especially strict handling requirements are dictated, such as by statutes, regulations, or agreements.
- Serious consequences could arise from unauthorized disclosure, such as threats to health and safety, or legal sanctions.
4.1.5. Compliance
4.1.5.1 Compliance Measurement
ITS will verify compliance with this standard through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the standard owner.
4.1.5.2 Exceptions
Any exception to the standard must be approved by ITS in advance.
4.1.5.3 Non-Compliance
An employee found to have violated this standard may be subject to disciplinary action, up to and including termination of employment.
4.1.6. Related Standards, Policies, and Processes
4.1.7. Revision History
Date | By | Summary |