1. K-State home
  2. »Policies
  3. »PPM
  4. »3400 Computing and Information Technology
  5. »PPM Chapter 3433: Data Classification and Security Policy

Policies

Questions relating to the information in each chapter of the Policies and Procedures Manual should be directed to the office issuing the chapter.

That information is usually located at the end of each chapter.

For policy update questions, please contact policy@ksu.edu.

Data Classification and Security Policy

Chapter 3433
Issued August 24, 2009; Revised January 9, 2023

Table of Contents

.010 Purpose
.020 Scope
.030 Effective Date
.040 Authority
.050 Policy
.052 Data Classification Schema
.054 Data Security Standards
.056 Contracts with Third Parties
.060 Definitions
.070 Roles and Responsibilities
.090 Related Laws, Regulations, or Policies
.100 Questions/Waivers

.010 Purpose

Data and information are important assets of the university and must be protected from loss of integrity, confidentiality, or availability in compliance with university policy and guidelines, Board of Regents policy, and state and federal laws and regulations.

.020 Scope

This policy applies to all university colleges, departments, administrative units, and affiliated organizations. For the purposes of this policy, affiliated organization refers to any organization associated with the University that uses university information technology resources to create, access, store, or manage University Data to perform their business functions. It also applies to any third party vendor creating, storing, or maintaining University Data per a contractual agreement.

.030 Effective Date

This policy became effective on February 2, 2009

All new systems designed and implemented after September 1, 2009, must comply with the security standards in section .054 below. Data stewards must have a compliance plan for all systems with confidential data by January 1, 2011.

.040 Authority

The State of Kansas, ITEC Information Technology Security Standards Policy 7230A, Section 11 Data Protection Standard (PDF), requires state agencies, including Regents' institutions, to employ mechanism(s) to ensure the confidentiality, availability, and integrity of Restricted-Use Information.

.050 Policy

All University Data must be classified according to the K-State Data Classification Schema and protected according to K-State Data Security Standards. This policy applies to data in all formats or media.

.052 Data Classification Schema

Data and information assets are classified according to the risks associated with data being stored or processed. Data with the highest risk need the greatest level of protection to prevent compromise; data with lower risk require proportionately less protection. Three levels of data classification will be used to classify University Data based on how the data are used, its sensitivity to unauthorized disclosure, and requirements imposed by external agencies.

Data are typically stored in aggregate form in databases, tables, or files. In most data collections, highly sensitive data elements are not segregated from less sensitive data elements. For example, a student information system will contain a student's directory information as well as their social security number. Consequently, the classification of the most sensitive element in a data collection will determine the data classification of the entire collection.

K-State Data Classifications
  1. Public - Data explicitly or implicitly approved for distribution to the public without restriction. It can be freely distributed without potential harm to the University, affiliates, or individuals. Public data generally have a very low sensitivity since by definition there is no such thing as unauthorized disclosure, but it still warrants protection since the integrity of the data can be important. Examples include:
    1. K-State's public web site.
    2. Directory information for students, faculty, and staff except for those who have requested non-disclosure (e.g., per the Family Educational Rights and Privacy Act (FERPA) for students).
    3. Course descriptions.
    4. Semester course schedules.
    5. Press releases.
  2. Internal - Data intended for internal University business use only with access restricted to a specific workgroup, department, group of individuals, or affiliates with a legitimate need. Internal data are generally not made available to parties outside the K-State community. Unauthorized disclosure could adversely impact the University, affiliates, or individuals. Internal data generally have a low to moderate sensitivity. Examples include:
    1. Financial accounting data that does not contain confidential information.
    2. Departmental intranet.
    3. Information technology transaction logs.
    4. Employee ID number ("W0...").
    5. Student educational records.
    6. Directory information.
  3. Confidential- Highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need-to-know. Explicit authorization by the Data Steward is required for access because of legal, contractual, privacy, or other constraints. Unauthorized disclosure could have a serious adverse impact on the business or research functions of the University or affiliates, the personal privacy of individuals, or on compliance with federal or state laws and regulations or University contracts. Confidential data have a very high level of sensitivity. Examples include:
    1. Social Security Number.
    2. Student ID number (if it is the same as the Social Security Number).
    3. Credit card number.
    4. Personal identity information (PII). K.S.A. § 21-6107: Crimes involving violations of personal rights defines PII as including, but not limited to: an individual's name; date of birth; address; telephone number; driver's license number or card or nondriver's identification number or card; social security number or card; place of employment; employee identification numbers or other personal identification numbers or cards; mother's maiden name; birth, death or marriage certificates; electronic identification numbers; electronic signatures; and any financial number, or password that can be used to access a person's financial resources, including, but not limited to, checking or savings accounts, credit or debit card information, demand deposit or medical information. For K-State's purposes, PII also includes ones name in combination with a passport number.
    5. Passport number.
    6. Personnel records.
    7. Medical records.
    8. Authentication tokens (e.g., personal digital certificates, passwords, biometric data).
  4. Proprietary Data - Classification of data provided to or created and maintained by K-State on behalf of a third party, such as a corporation or government agency, will vary depending on contractual agreements and/or relevant laws or regulations. The classification and security standards for proprietary data owned by the third party will be defined by the third party. Proprietary data owned by K-State must be classified and protected according to K-State's data classification policy and security standards. Individuals managing or accessing proprietary data are responsible for complying with any additional requirements and security policies and procedures specified by the third-party owner. Proprietary data include data classified by the federal government as Classified National Security Information (confidential, secret, top secret).

.054 Data Security Standards

The following table defines required safeguards for protecting data and data collections based on their classification. Data security requirements for Proprietary Data are determined by the contracting agency and are therefore not included in the table below.

In addition to the following data security standards, any data covered by federal or state laws or regulations or contractual agreements must meet the security requirements defined by those laws, regulations, or contracts.

Security Control CategoryData Classification
PublicInternalConfidential
Access Controls
  • No restriction for viewing.
  • Authorization by Data Steward or designee required for modification; supervisor approval also required if not a self-service function.
  • Viewing and modification restricted to authorized individuals as needed for business-related roles.
  • Data Steward or designee grants permission for access, plus approval from supervisor.
  • Authentication and authorization required for access
  • Viewing and modification restricted to authorized individuals as needed for business-related roles.
  • Data Steward or designee grants permission for access, plus approval from supervisor.
  • Authentication and authorization required for access.
  • Confidentiality agreement required.
Copying/Printing (applies to both paper and electronic forms)
  • No restrictions.
  • Data should only be printed when there is a legitimate need.
  • Copies must be limited to individuals with a need to know.
  • Data should not be left unattended on a printer.
  • Data should only be printed when there is a legitimate need.
  • Copies must be limited to individuals authorized to access the data and have signed a confidentiality agreement.
  • Data should not be left unattended on a printer.
  • Copies must be labeled "Confidential".
Network Security
  • May reside on a public network.
  • Protection with a firewall recommended.
  • IDS/IPS protection recommended.
  • Protection only with router ACLs acceptable.
  • Protection with a network firewall required.
  • IDS/IPS protection required.
  • Protection with router ACLs optional.
  • Servers hosting the data should not be visible to entire Internet.
  • May be in a shared network server subnet with a common firewall ruleset for the set of servers.
  • Protection with a network firewall using "default deny" ruleset required.
  • IDS/IPS protection required.
  • Protection with router ACLs optional.
  • Servers hosting the data cannot be visible to the entire Internet, nor to unprotected subnets like the residence halls and guest wireless networks.
  • Must have a firewall ruleset dedicated to the system.
  • The firewall ruleset should be reviewed periodically by an external auditor.
System Security
  • Must follow general best practices for system management and security.
  • Host-based software firewall recommended.
  • Must follow University-specific and OS-specific best practices for system management and security.
  • Host-based software firewall required.
  • Host-based software IDS/IPS recommended
  • Must follow University-specific and OS-specific best practices for system management and security.
  • Host-based software firewall required.
  • Host-based software IDS/IPS recommended.
Virtual Environments
  • May be hosted in a virtual server environment.
  • All other security controls apply to both the host and the guest virtual machines.
  • May be hosted in a virtual server environment.
  • All other security controls apply to both the host and the guest virtual machines.
  • Should not share the same virtual host environment with guest virtual servers of other security classifications.
  • May be hosted in a virtual server environment.
  • All other security controls apply to both the host and the guest virtual machines.
  • Cannot share the same virtual host environment with guest virtual servers of other security classifications.
Physical Security
  • System must be locked or logged out when unattended.
  • Host-based software firewall recommended.
  • System must be locked or logged out when unattended.
  • Hosted in a secure location required; a Secure Data Center is recommended.
  • System must be locked or logged out when unattended.
  • Hosted in a Secure Data Center required.
  • Physical access must be monitored, logged, and limited to authorized individuals 24x7.
Remote Access to systems hosting the data
  • No restrictions.
  • Access restricted to local network or general K-State Virtual Private Network (VPN) service.
  • Remote access by third party for technical support limited to authenticated, temporary access via direct dial-in modem or secure protocols over the Internet.
  • Restricted to local network or secure VPN group.
  • Unsupervised remote access by third party for technical support not allowed.
  • Two-factor authentication recommended.
Data Storage
  • Storage on a secure server recommended.
  • Storage in a secure Data Center recommended.
  • Storage on a secure server recommended.
  • Storage in a secure Data Center recommended.
  • Should not store on an individual's workstation or a mobile device.
  • Storage on a secure server required.
  • Storage in Secure Data Center required.
  • Should not store on an individual workstation or mobile device (e.g., a laptop computer); if stored on a workstation or mobile device, must use whole-disk encryption.
  • Encryption on backup media required.
  • AES Encryption required with 192-bit or longer key.
  • Paper/hard copy: do not leave unattended where others may see it; store in a secure location.
Transmission
  • No restrictions.
  • No requirements
  • Encryption required (e.g., via SSL or secure file transfer protocols).
  • Cannot transmit via email unless encrypted and secured with a digital signature.
Backup/Disaster Recovery
  • Backups required; daily backups recommended.
  • Daily backups required.
  • Off-site storage recommended.
  • Daily backups required.
  • Off-site storage in a secure location required.
Media Sanitization and Disposal (hard drives, CDs, DVDs, tapes, paper, etc.)
Training
  • General security awareness training recommended.
  • System administration training recommended.
  • General security awareness training required.
  • System administration training required.
  • Data security training required.
  • General security awareness training required.
  • System administration training required.
  • System administrators hired after Sept. 1, 2008, must pass a criminal background check.
  • Data security training required.
  • Applicable policy and regulation training required.
Audit Schedule
  • As needed.
  • As needed.
  • Annual

.056 Contracts with Third Parties

Contracts between the University and third parties involving University Data must include language requiring compliance with all applicable laws, regulations, and University policies related to data and information security; immediate notification of the University if University Data is used or disclosed in any manner other than allowed by the contract; and, to the extent practicable, mitigate any harmful effect of such use or disclosure.

.060 Definitions

ACL
Access Control List; a set of rules in a network device, such as a router, that controls access to segments of the network. A router with ACLs can filter inbound and/or outbound network traffic similar to a firewall but with less functionality.

Authentication
Process of verifying one's digital identity. For example, when someone logs into Webmail, the password verifies that the person logging in is the owner of the eID. The verification process is called authentication.

Authorization
Granting access to resources only to those authorized to use them.

Availability
Ensures timely and reliable access to and use of information.

Classified National Security Information
Information that has been determined by the federal government to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form. There are three classifications - confidential, secret, and top secret (see White House Press Release: Classified National Security Information).

Confidentiality
Preserves authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Firewall
A specialized hardware and/or software system with stateful packet inspection that filters network traffic to control access to a resource, such as a database server, and thereby provide protection and enforce security policies. A router with ACLs is not considered a firewall for the purposes of this document.

IDS
Intrusion Detection System; a system that monitors network traffic to detect potential security intrusions. Normally, the suspected intrusions are logged and an alert generated to notify security or system administration personnel.

Integrity
Guards against improper modification or destruction of information, and ensures non-repudiation and authenticity.

IPS
Intrusion Prevention System; an IDS with the added ability to block malicious network traffic to prevent or stop a security event.

Local Network
Any segment of K-State's data network physically located on the Manhattan or Salina campus with an IP address starting with 129.130.X.X or an un-routable private IP address (e.g., 10.X.X.X).

Remote Access
Accessing any K-State's local network from any physical location outside the Manhattan or Salina campus. This includes access from off campus using K-State's VPN service.

Secure Data Center
A facility managed by full-time IT professionals for hosting computer, data storage, and/or network equipment with 24x7 auditable restricted access, environmental controls, power protection, and network firewall protection.

Secure Server
a computer that provides services to other computers, applications, or users; is running a server operating system; and is hardened according to relevant security standards, industry best practices, and K-State security policies.

Sensitivity
Indicates the required level of protection from unauthorized disclosure, modification, fraud, waste, or abuse due to potential adverse impact on an individual, group, institution, or affiliate. Adverse impact could be financial, legal, or on one's reputation or competitive position. The more sensitive the data, the greater the need to protect it.

University Data
Any data related to Kansas State University ("University") functions that are:
  1. Stored on University information technology systems.
  2. Maintained by K-State faculty staff, or students.
  3. Related to institutional processes on or off campus. This applies to any format or media (in other words, it is not limited to electronic data).
VPN
Virtual Private Network; a VPN provides a secure communication channel over the Internet that requires authentication to set up the channel and encrypts all traffic flowing through the channel.

.070 Roles and Responsibilities

Everyone with any level of access to University Data has responsibility for its security and is expected to observe requirements for privacy and confidentiality, comply with protection and control procedures, and accurately present the data in any type of reporting function. The following roles have specific responsibilities for protecting and managing University Data and Data Collections.

  1. Chief Data Steward - Senior administrative officers of the university responsible for overseeing all information resources (e.g., the Provost and Vice Presidents).
  2. Data Steward - Deans, associate vice presidents, and heads of academic, administrative, or affiliated units or their designees with responsibility for overseeing a collection (set) of University Data. They are in effect the owners of the data and therefore ultimately responsible for its proper handling and protection. Data Stewards are responsible for ensuring the proper classification of data and data collections under their control, granting data access permissions, appointing Data Managers for each University Data collection, making sure people in data-related roles are properly trained, and ensuring compliance with all relevant polices and security requirements for all data for which they have responsibility.
  3. Data Stewards Council - A group of Data Stewards appointed by the Chief Data Stewards and Chief Information Officer to maintain the data classification schema, define University Data collections, assign a Data Steward to each, and resolve data classification or ownership disputes.
  4. Data Manager - Individuals authorized by a Data Steward to provide operational management of a University Data collection. The Data Manager will maintain documentation pertaining to the data collection (including the list of those authorized to access the data and access audit trails where required), manage data access controls, and ensure security requirements are implemented and followed.
  5. Data Processor - Individuals authorized by the Data Steward or designee and enabled by the Data Manager to enter, modify, or delete University Data. Data Processors are accountable for the completeness, accuracy, and timeliness of data assigned to them.
  6. Data Viewer - Anyone in the university community with the capacity to access University Data but is not authorized to enter, modify, or delete it.
  7. Chief Information Security Officer - Provides advice and guidance on information and information technology security policies and standards.
  8. Internal Audit Office - Performs audits for compliance with data classification and security policy and standards.
Kansas State University Policies
  1. Collection, Use, and Protection of Social Security Numbers
  2. University Research Compliance Office for information on export controls, confidential/sensitive research data, human subjects, etc.
  3. Security for Information, Computing, and Network Resources
State of Kansas
  1. K.S.A. § 21-6107: Crimes involving violations of personal rights 
  2. State of Kansas, ITEC Information Technology Security Standards Policy 7320A (PDF). These do not directly apply to K-State, but offer good guidelines for data security controls and represent minimum standards required of non-Regents state agencies.
  3. State of Kansas, ITEC Information Technology Policy 8010a - Data Review Board Standards
Federal Legislation and Guidelines
  1. Family Educational Rights and Privacy Act of 1974 (FERPA)
  2. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  3. Gramm-Leach-Bliley Act (GLBA)
  4. Electronic Communications Privacy Act of 1986 (ECPA)
  5. NIST Special Publication 800-88, Revision 1: Guidelines for Media Sanitization 
  6. NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
  7. NIST Publication 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories
  8. Executive Order 12958: Classified National Security Information, As Amended, March 2003
Other

.100 Questions/Waivers

The Vice President for Information Technology and Chief Information Officer (CIO) is responsible for this policy. The CIO or designee must approve any exception to this policy or related procedures. Questions should be directed to the Chief Information Security Officer (CISO).