Data Classification and Security Policy
Issued August 24, 2009
Table of Contents
.030 Effective Date
Data and information are important assets of the university and must be protected from loss of integrity, confidentiality, or availability in compliance with university policy and guidelines, Board of Regents policy, and state and federal laws and regulations.
This policy applies to all university colleges, departments, administrative units, and affiliated organizations. For the purposes of this policy, affiliated organization refers to any organization associated with the University that uses university information technology resources to create, access, store, or manage University Data to perform their business functions. It also applies to any third party vendor creating, storing, or maintaining University Data per a contractual agreement.
This policy became effective on February 2, 2009
All new systems designed and implemented after September 1, 2009, must comply with the security standards in section .054 below. Data stewards must have a compliance plan for all systems with confidential data by January 1, 2011.
The state of Kansas ITEC Information Technology Policy 8000 - Data Administration Program www.da.ks.gov/itec/Documents/ITECITPolicy8000.htm requires state agencies, including Regents' institutions, to "develop, implement, and maintain an Agency Data Administration Program" that incorporates data polices with appropriate security controls.
All University Data must be classified according to the K-State Data Classification Schema and protected according to K-State Data Security Standards. This policy applies to data in all formats or media.
Data and information assets are classified according to the risks associated with data being stored or processed. Data with the highest risk need the greatest level of protection to prevent compromise; data with lower risk require proportionately less protection. Three levels of data classification will be used to classify University Data based on how the data are used, its sensitivity to unauthorized disclosure, and requirements imposed by external agencies.
Data are typically stored in aggregate form in databases, tables, or files. In most data collections, highly sensitive data elements are not segregated from less sensitive data elements. For example, a student information system will contain a student's directory information as well as their social security number. Consequently, the classification of the most sensitive element in a data collection will determine the data classification of the entire collection.
K-State Data Classifications:
Public - Data explicitly or implicitly approved for distribution to the public without restriction. It can be freely distributed without potential harm to the University, affiliates, or individuals. Public data generally have a very low sensitivity since by definition there is no such thing as unauthorized disclosure, but it still warrants protection since the integrity of the data can be important. Examples include:
K-State's public web site
Directory information for students, faculty, and staff except for those who have requested non-disclosure (for example, per FERPA (Family Educational Rights and Privacy Act - see for students)
Semester course schedules
Semester course schedules
Internal - Data intended for internal University business use only with access restricted to a specific workgroup, department, group of individuals, or affiliates with a legitimate need. Internal data are generally not made available to parties outside the K-State community. Unauthorized disclosure could adversely impact the University, affiliates, or individuals. Internal data generally have a low to moderate sensitivity. Examples include:
Financial accounting data that does not contain confidential information
Information technology transaction logs
Employee ID number ("W0...")
Student educational records
Directory information for students, faculty, and staff who have requested non-disclosure (for example, per FERPA for students)
Confidential - Highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need-to-know. Explicit authorization by the Data Steward is required for access because of legal, contractual, privacy, or other constraints. Unauthorized disclosure could have a serious adverse impact on the business or research functions of the University or affiliates, the personal privacy of individuals, or on compliance with federal or state laws and regulations or University contracts. Confidential data have a very high level of sensitivity. Examples include:
Social Security Number
Student ID number (if it is the same as the Social Security Number)
Credit card number
Personal identity information (PII). Kansas Senate Bill 196 http://www.kslegislature.org/bills/2006/196.pdf defines PII as: An individual's name (first name and last name, or first initial and last name) in combination with one or more of the following: a) Social security number, b) driver's license number or state identification card number, or c) financial account number, or credit or debit card number, alone or in combination with any required security code, access code or password that would permit access to a consumer's financial account. For K-State's purposes, PII also includes ones name in combination with a passport number.
Authentication tokens (e.g., personal digital certificates, passwords, biometric data)
Proprietary Data - Classification of data provided to or created and maintained by K-State on behalf of a third party, such as a corporation or government agency, will vary depending on contractual agreements and/or relevant laws or regulations. The classification and security standards for proprietary data owned by the third party will be defined by the third party. Proprietary data owned by K-State must be classified and protected according to K-State's data classification policy and security standards. Individuals managing or accessing proprietary data are responsible for complying with any additional requirements and security policies and procedures specified by the third party owner. Proprietary data include data classified by the federal government as Classified National Security Information (confidential, secret, top secret).
The following table defines required safeguards for protecting data and data collections based on their classification. Data security requirements for Proprietary Data are determined by the contracting agency and are therefore not included in the table below.
In addition to the following data security standards, any data covered by federal or state laws or regulations or contractual agreements must meet the security requirements defined by those laws, regulations, or contracts.
|Copying/Printing (applies to both paper and electronic forms)|
|Remote Access to systems hosting the data|
|Media Sanitization and Disposal (hard drives, CDs, DVDs, tapes, paper, etc.)|
Note: the table above is adapted from the University of Missouri-Columbia Information & Access Technology Services data classification system:http://iatservices.missouri.edu/security/data-classification/
Contracts between the University and third parties involving University Data must include language requiring compliance with all applicable laws, regulations, and University policies related to data and information security; immediate notification of the University if University Data is used or disclosed in any manner other than allowed by the contract; and, to the extent practicable, mitigate any harmful effect of such use or disclosure.
ACL - Access Control List; a set of rules in a network device, such as a router, that controls access to segments of the network. A router with ACLs can filter inbound and/or outbound network traffic similar to a firewall but with less functionality.
Authentication - Process of verifying one's digital identity. For example, when someone logs into Webmail, the password verifies that the person logging in is the owner of the eID. The verification process is called authentication.
Authorization - Granting access to resources only to those authorized to use them.
Availability - Ensures timely and reliable access to and use of information.
Classified National Security Information - Information that has been determined by the federal government to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form. There are three classifications - confidential, secret, and top secret (see http://www.fas.org/irp/offdocs/eo12958.htm).
Confidentiality - Preserves authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Firewall - A specialized hardware and/or software system with stateful packet inspection that filters network traffic to control access to a resource, such as a database server, and thereby provide protection and enforce security policies. A router with ACLs is not considered a firewall for the purposes of this document.
IDS - Intrusion Detection System; a system that monitors network traffic to detect potential security intrusions. Normally, the suspected intrusions are logged and an alert generated to notify security or system administration personnel.
Integrity - Guards against improper modification or destruction of information, and ensures non-repudiation and authenticity.
IPS - Intrusion Prevention System; an IDS with the added ability to block malicious network traffic to prevent or stop a security event.
Local Network - Any segment of K-State's data network physically located on the Manhattan or Salina campus with an IP address starting with 129.130.X.X or an un-routable private IP address (e.g., 10.X.X.X).
Remote Access - Accessing any K-State's local network from any physical location outside the Manhattan or Salina campus. This includes access from off campus using K-State's VPN service.
Secure Data Center - A facility managed by full-time IT professionals for hosting computer, data storage, and/or network equipment with 24x7 auditable restricted access, environmental controls, power protection, and network firewall protection.
Secure Server - a computer that provides services to other computers, applications, or users; is running a server operating system; and is hardened according to relevant security standards, industry best practices, and K-State security policies.
Sensitivity - Indicates the required level of protection from unauthorized disclosure, modification, fraud, waste, or abuse due to potential adverse impact on an individual, group, institution, or affiliate. Adverse impact could be financial, legal, or on one's reputation or competitive position. The more sensitive the data, the greater the need to protect it.
University Data - Any data related to Kansas State University ("University") functions that are a) stored on University information technology systems, b) maintained by K-State faculty staff, or students, or c) related to institutional processes on or off campus. This applies to any format or media (in other words, it is not limited to electronic data).
VPN - Virtual Private Network; a VPN provides a secure communication channel over the Internet that requires authentication to set up the channel and encrypts all traffic flowing through the channel.
Everyone with any level of access to University Data has responsibility for its security and is expected to observe requirements for privacy and confidentiality, comply with protection and control procedures, and accurately present the data in any type of reporting function. The following roles have specific responsibilities for protecting and managing University Data and Data Collections.
Chief Data Steward - Senior administrative officers of the university responsible for overseeing all information resources (e.g., the Provost and Vice Presidents).
Data Steward - Deans, associate vice presidents, and heads of academic, administrative, or affiliated units or their designees with responsibility for overseeing a collection (set) of University Data. They are in effect the owners of the data and therefore ultimately responsible for its proper handling and protection. Data Stewards are responsible for ensuring the proper classification of data and data collections under their control, granting data access permissions, appointing Data Managers for each University Data collection, making sure people in data-related roles are properly trained, and ensuring compliance with all relevant polices and security requirements for all data for which they have responsibility.
Data Stewards Council - A group of Data Stewards appointed by the Chief Data Stewards and Vice Provost for Information Technology Services to maintain the data classification schema, define University Data collections, assign a Data Steward to each, and resolve data classification or ownership disputes.
Data Manager - Individuals authorized by a Data Steward to provide operational management of a University Data collection. The Data Manager will maintain documentation pertaining to the data collection (including the list of those authorized to access the data and access audit trails where required), manage data access controls, and ensure security requirements are implemented and followed.
Data Processor - Individuals authorized by the Data Steward or designee and enabled by the Data Manager to enter, modify, or delete University Data. Data Processors are accountable for the completeness, accuracy, and timeliness of data assigned to them.
Data Viewer - Anyone in the university community with the capacity to access University Data but is not authorized to enter, modify, or delete it.
Chief Information Security Officer - Provides advice and guidance on information and information technology security policies and standards.
Internal Audit Office - Performs audits for compliance with data classification and security policy and standards.
Kansas State University Policies
Collection, Use, and Protection of Social Security Numbers /policies/ppm/3495.html
University Research Compliance Office http://urco.k-state.edu for information on export controls, confidential/sensitive research data, human subjects, etc.
Security for Information, Computing, and Network Resources /policies/ppm/3430.html
State of Kansas
Senate Bill 196 on protecting personal identity information http://www.kslegislature.org/bills/2006/196.pdf,
State of Kansas Default Information Technology Security Requirements published by ITEC, March 2006http://www.da.ks.gov/itec/Documents/ITECITPolicy7230A.pdf. These do not directly apply to K-State, but offer good guidelines for data security controls and represent minimum standards required of non-Regents state agencies.
State of Kansas ITEC Information Technology Policy 8000 - Data Administration Programhttp://www.da.ks.gov/itec/Documents/ITECITPolicy8000.htm
Federal Legislation and Guidelines
Family Educational Rights and Privacy Act of 1974 (FERPA - /registrar/ferpa/index.html
Health Insurance Portability and Accountability Act of 1996 (HIPAA)http://www.hhs.gov/ocr/hipaa/
Gramm-Leach-Bliley Act (GLBA) http://www.ftc.gov/privacy/privacyinitiatives/glbact.html
Electronic Communications Privacy Act of 1986 (ECPA) http://www.usiia.org/legis/ecpa.html
NIST Publication 800-88 "Guidelines for Media Sanitization" http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf
NIST Publication 800-53 "Recommended Security Controls for Federal Information Systems" http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf
NIST Publication 800-60 "Guide for Mapping Types of Information and Information Systems to Security Categories"http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf
Executive Order 12958, Classified National Security Information, As Amended, March 2003 http://www.archives.gov/isoo/policy-documents/eo-12958-amendment.html
Payment Card Industry Data Security Standard (PCI DSS) https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
The Vice Provost for Information Technology Services is responsible for this policy. The Chief Information Security Officer is responsible for maintaining the K-State Data Security Standards.
Questions related to the policy or standards should be directed to the Chief Information Security Officer.
The Vice Provost for Information Technology Services or designee must approve any exception to this policy. The Chief Information Security Officer must approve any exceptions to the Data Security Standards.