Data Classification and Data Storage Quick Guide

Introduction

Institutional data is a valuable resource to Indiana State University.  The environment for data security is complex and constantly changing.  A variety of international, federal, and state laws, and industry regulations establish both personal and institutional responsibility for data security.  In addition to these, ethical and professional considerations create an obligation for all members of the ISU community to care for institutional data with the highest levels of awareness and best practices.

Scope

Institutional Data are considered to be University resources and as such, policies controlling the creation, receipt, transmission, processing, use, storage, printing, or dissemination of data are set by the University.  These policies will be augmented as needed by specific standards and procedures that will apply at the institutional level. Nothing in this policy shall negate the provisions of the Policy Library Policy 370 Intellectual Property.

Definition of Institutional Data

Indiana State University institutional data are data elements which satisfy one or more of the following criteria:

• Created, received, processed, maintained, transmitted, or stored as a result of educational, clinical, research, patientcare, or service activities; or
• Used directly or indirectly for the planning, managing, operating, documenting, staffing, or auditing of one or more major administrative functions of the University; or
• Used to derive any data element that fits the above criteria.
• Included in an official University administrative report, or
• Generated by a University workforce member or agent using any of the above data.

This definition applies regardless of the form or medium on which the data are created, received, processed, transmitted, or stored.

Categories of Data

Data categories are defined based on the function and/or use of institutional data. 

• Alumni data
• Contracts and grants data
• Research data
• Employee and benefits data
• Facilities data
• Faculty data
• Financial and budget data
• Health data
• International programs data
• Library data
• Purchasing and travel data
• Student and applicant data 
• Instruction-related data   

Classifications of Data

Data classifications are defined based on the need to ensure the security and privacy of institutional data.  Data Sensitivity Labels should be applied based upon the following data classifications to ensure proper security controls are applied.

Public Data.  Information and data that are intended for public view.

University-Internal Data.  Data used internally for university operations or with selected University appointees or partners for ISU business purposes.  Access to University Internal Data should be determined based on the job responsibilities of the employee, appointee, or partner.

Restricted Data.  Data that are sensitive or confidential and, as a result, require specific authorization for access.

Highly Restricted Data.  Highly confidential data that, if released, could result in criminal or civil penalties, identity theft, personal financial loss, or invasion of privacy.  Data protected under federal or state regulations or due to proprietary, ethical, or privacy considerations will typically be classified as Highly Restricted. 

Storage of Data

Storage of data is relevant to data classification. (see above).  Never store or share University Internal, Restricted, or Highly Restricted Data on personally owned devices.

University-Internal Data Storage

Data used internally in university operations or with selected University appointees or partners for ISU business purposes.  Access to University Internal Data should be determined based on the job responsibilities of the employee, appointee, or partner.

This classification of data may be stored in the following locations:

• L: Drive – Departmental Network File Storage Use for institutional files that are shared by people and subgroups in your unit
• OneDrive/Office 365 – Indiana State University -ISU’s cloud-based storage.
• Email and Email Attachments
• Enterprise Administrative Systems (Banner, Argos)
• Enterprise Instructional Tools
• Institutional Computer Hard Drive- Encrypted (Laptop or Desktop)

Restricted Data Storage

Data that are sensitive or confidential and, as a result, require specific authorization for access. This classification of data may be stored in the following locations: 

• L: Drive – Departmental Network File Storage Use for institutional files that are shared by people and subgroups in your unit
• OneDrive/Office 365 – Indiana State University -ISU’s cloud-based storage
• Enterprise Administrative Systems (Banner, Argos)
• Enterprise Instructional Tools
• Institutional Computer Hard Drive- Encrypted (Laptop or Desktop)
  • NOTE: Grant/Contract-controlled data must be protected according to specific requirements set out in the governing grant or contract

Highly Restricted Data Storage

Highly confidential data that, if released, could result in criminal or civil penalties, identity theft, personal financial loss, or invasion of privacy.  Data protected under federal or state regulations or due to proprietary, ethical, or privacy considerations will typically be classified as Highly Restricted. This classification of data may be stored in the following locations with appropriate sensitivity labels and access restrictions applied. Data owner (or documented delegated handler) is responsible for proper classification, access controls, and data lifecycle activities such as retention limits, and proper destruction at the end of the data life cycle.

• L: Drive – Departmental Network File Storage Use for institutional files that are shared by people and subgroups in your unit – access controls and reviews should be in place and maintained
• OneDrive/Office 365 – Indiana State University -ISU’s cloud-based storage
• Enterprise Administrative Systems (Banner, Argos)
• Enterprise Instructional Tools
• Institutional Computer Hard Drive- Encrypted (Laptop or Desktop)
  • NOTE: Grant/Contract-controlled data must be protected according to specific requirements set out in the governing grant or contract

Access and Handling of Data

All ISU employees are responsible for handling institutional data properly based on its classification.  Data handling includes all activities associated with the creation, storage, transmission, printing, backup, retention, disposal, and publication of ISU data. 

• Access- Access to data other than public data shall be accomplished through the use of usernames (ID) and passwords. Elements used to control access to data (like IDs and passwords) are not to be shared with other employees. As noted above, data dissemination is driven by 1) the classification of the data, and 2) the need to know. 
• Supervision of Students- Students who access ISU data other than public data will be supervised by full-time ISU personnel; student and student employee access to data other than public data shall be the responsibility of the full-time employee responsible for supervision of the student or student employee. Students and student employees are required to complete appropriate training in order to have access to non-public University Data.
• Data Handling and Use-Users of institutional data must:
  • Access data only related to their conduct of university business, and in ways consistent with furthering the University’s mission of education, research, and public service
  • Respect the confidentiality and privacy of individuals whose records they may access
  • Observe any ethical or legal restrictions that apply to the data to which they have access
  • Abide by applicable laws, regulations, standards, and policies with respect to access, use, disclosure, retention, and/or disposal of information

Users of institutional data must not:

• Disclose data to others except as required by their job responsibilities
• Use data for their own or others’ personal gain or profit, except as allowed by ISU Policy, including  Policy 370 Intellectual Property.
• Access data to satisfy personal curiosity.