IS-1014 Data Classification and Handling (Policy)
Communications
Release Date: 10/21/09
Administrative Directive
Summary
This administrative directive identifies CNM's critical data/information, gives assistance to properly classify data, and provides requirements for the proper handling of College data. It includes all data produced, collected or used by CNM employees or consultants during the course of College business.
Applicability
This administrative directive is applicable to all individuals who handle CNM data/information. Every user of any of CNM's information resources and systems has responsibility toward the protection of the College's data/information; certain offices and individuals have very specific responsibilities.
1. Purpose
The purpose of this administrative directive is to (a) identify the different types of CNM information/data, giving examples of each data classification type, (b) provide assistance with the selection of the appropriate data classification, and (c) facilitate the appropriate handling of College data.
2. Background
CNM takes seriously its commitment to respect and protect the privacy of its students, alumni, and employees, as well as to protect the confidentiality of information important to the College. For that reason, CNM has identified three categories of data: Restricted, Sensitive, and Public. The categories are described in the table within Section 4 below.
3. Handling of Data
Always consider who will have access to data when storing or sending/transmitting data via email, particularly when the data will leave CNM's network. Also, before storing data on portable media devices (e.g., flash drives…), consider the protection/control of the data, particularly if it is classified Restricted or Sensitive. If you are ever in doubt, ask your manager/supervisor or the Office of Planning, Budget and Institutional Research, serving as CNM's Data Steward.
Note that the Office of Planning, Budget and Institutional Research is responsible for approving the release of any data/information outside the College. However, all information that is requested under the "Inspection of Public Records Act" will be submitted to and approved by the VP for Administrative Services, serving in the role of Records Custodian for CNM.
4. Classification of Data
The following is not intended to be an all-inclusive list. If in doubt, ask your manager/supervisor or CNM's "Data Steward", the Office of Planning, Budget and Institutional Research at 224-3450.
| | Restricted | Sensitive | Public |
|---|---|---|---|
| Regulation/Legal Requirements | Protection of data is required by regulation (e.g., FERPA, Privacy Law, FTC Red Flag Rules, PCI-DSS) | Protection of data is dictated by CNM | Protection of data is at the discretion of the owner or custodian |
| Potential Loss Impact | High | Medium | Low |
| Threats | Severe, not recoverable, affects the entire College. Threat to: | Inconvenient, but recoverable, affects some functions of the College | Brief inconvenience, can recover quickly, might not be noticeable, affects a few people |
| Description | Information which provides access to resources, physical or virtual | Smaller subsets of protected data from a school or department | General College information |
| Authorized Access | Only those individuals designated with approved access, signed non-disclosure agreements, and required training | CNM employees and non-employees who have a business need to know | CNM affiliates and general public with a need to know |
| Examples | | | |
5. Applicable Regulations (not designed to be an all-inclusive list)
- Family Educational Rights and Privacy Act of 1974 (FERPA)
- Electronic Communication Privacy Act of 1986 (ECPA)
- FTC (Federal Trade Commission) Red Flag Rules
- Gramm-Leach-Bliley Act of 1999 (GLBA)
- New Mexico's Inspection of Public Records Act (Section 14-2-1 NMSA 1978)
- Confidential Materials Act (Section 14-3(A)-2 NMSA 1978)
Forms:
Not Applicable
Support Materials:
Not Applicable
Reference Materials:
Not Applicable