I.D.2. Information Classification & Risk Management

ADMINISTRATIVE POLICY TYPE: ADMINISTRATION

POLICY TITLE: Information Classification and Risk Management

OBJECTIVE

In order to properly and cost-effectively protect information, the college will undertake the steps outlined below to identify information, its value to the organization, and risks related to its management to determine the appropriate means and levels of protection.

TERMS AND DEFINITIONS

For the purposes of this document, the following terms and definitions apply:

Data Custodian
A staff member to whom a data owner may delegate responsibilities to maintain the day-to-day operations of a system using the approved safeguards as defined by the data owner.

Data Owner
The manager of a department or division who is responsible for the proper safeguarding and access to data contained on a system.

Information Asset
A computer or system that stores or disseminates information.

User
A person who is authorized by the data owner to access data.

POLICY

I. Responsibility

All employees are responsible for the protection of college information from unauthorized access, modification, destruction, or disclosure, whether accidental or intentional. To facilitate the protection of this information, three levels of employee responsibilities have been established: data owner, data custodian, and user.

Data owners have the responsibility to:
  • Conduct the risk assessment and data classification of information assets according to this policy.
  • Provide safeguards to ensure compliance.
  • Authorize access to those who have a business need for the information.
  • Revoke the access when no longer needed.

These responsibilities may be delegated to a data custodian, but accountability remains with the data owner.

Data custodians are trained staff members who are responsible for maintaining the safeguards established by the owner.

Users are people authorized by the data owner to access information and follow the safeguards established by the data owner.

The Chief Information Officer is responsible for the classification and risk assessment process and general oversight to ensure that this policy is consistently applied across the college.

II. Information Asset Classification

College information assets will be classified according to sensitivity and value/criticality using standard and consistent classifications. Information assets will be identified, described, and classified in accordance with the following requirements:

A. Information Identification

The contents, fields or attributes of the information assets and the associated systems must be defined so that the information assets may be clearly classified into an information classification category.

B. Information Ownership

All information assets must have a designated data owner identified by name. Records must be maintained so as to provide a complete and uninterrupted history of ownership over the life of the asset.

C. Classification of Information

Data owners must classify information assets in accordance with the classifications provided in the Data Classification Matrix. The classification assigned to the information assets must reflect a class that is at least equivalent to the most sensitive data element. For example, an application that contains both operational and confidential data must be assigned a classification of confidential. Information assets may be assigned a classification that is higher than that of any individual element in situations where the composite value of the asset is determined to be greater than the value of any of the constituent parts.
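The rule above (the asset's class is at least that of its most sensitive element, and the owner may raise it for composite value but never lower it) is mechanical enough to enforce in tooling. The following is an added example, not part of the policy or of any college system; the numeric ordering of the three classes, the field names, and the sample assets are constructed for illustration.

```python
"""Added example: applying the Section II.C classification rule to an asset.

Assumptions (not from the policy): classes are ordered Public < Operational
< Confidential so that "most sensitive" is a simple maximum; asset and element
names below are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional


class Classification(IntEnum):
    # A higher value is a more sensitive class (Data Classification Matrix).
    PUBLIC = 1
    OPERATIONAL = 2
    CONFIDENTIAL = 3


@dataclass
class DataElement:
    name: str
    classification: Classification


@dataclass
class InformationAsset:
    name: str
    data_owner: str  # Section II.B: every asset has a named owner
    elements: List[DataElement] = field(default_factory=list)


def classification_floor(asset: InformationAsset) -> Classification:
    """The lowest class the asset may be assigned: its most sensitive element."""
    if not asset.data_owner:
        raise ValueError(f"{asset.name}: no data owner designated (II.B)")
    if not asset.elements:
        raise ValueError(f"{asset.name}: no data elements identified (II.A)")
    return max(e.classification for e in asset.elements)


def most_sensitive_elements(asset: InformationAsset) -> List[str]:
    """Names of the elements that drive the floor (what the owner should review)."""
    floor = classification_floor(asset)
    return [e.name for e in asset.elements if e.classification == floor]


def is_permitted(asset: InformationAsset, proposed: Classification) -> bool:
    """True if `proposed` is at or above the floor; a lower class violates II.C."""
    return proposed >= classification_floor(asset)


def classify_asset(asset: InformationAsset,
                   composite_uplift: Optional[Classification] = None) -> Classification:
    """Return the asset classification per Section II.C.

    Without an uplift the result is the floor. An uplift reflects the case where
    the composite value exceeds that of any part; it may raise the floor but a
    request to go below it is rejected rather than silently corrected.
    """
    floor = classification_floor(asset)
    if composite_uplift is None:
        return floor
    if not is_permitted(asset, composite_uplift):
        raise ValueError(
            f"{asset.name}: {composite_uplift.name} is below the floor "
            f"{floor.name} set by {most_sensitive_elements(asset)}"
        )
    return composite_uplift


if __name__ == "__main__":
    # Constructed sample: the policy's own example of mixed operational and
    # confidential data, which must be classified Confidential.
    app = InformationAsset("constructed-hr-portal", "HR Director", [
        DataElement("policy documentation", Classification.OPERATIONAL),
        DataElement("employee records", Classification.CONFIDENTIAL),
    ])
    print(app.name, "->", classify_asset(app).name)

    # Constructed sample: every element is Operational, but the owner decides
    # the complete campus-wide collection is worth more than any single record.
    schedules = InformationAsset("constructed-schedule-db", "Registrar", [
        DataElement("student schedules", Classification.OPERATIONAL),
    ])
    print(schedules.name, "->", classify_asset(schedules).name)
    print(schedules.name, "with uplift ->",
          classify_asset(schedules, Classification.CONFIDENTIAL).name)
```

The check is deliberately one-directional: the policy allows the owner to raise a classification for composite value, so the tool accepts an uplift, but it refuses any proposal below the floor instead of quietly replacing it, so that the discrepancy surfaces for the data owner to resolve.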

D. Value/Impact Assessment

The data owner must determine the potential adverse impact (e.g. cost or loss) to both the business unit and the college that could result from the unauthorized disclosure, access, modification, or destruction of the information assets using the categories provided in the Impact Assessment Matrix.

Table II.D.1:  Data Classification Matrix

CLASS: Confidential
DEFINITION: Assets for which unauthorized disclosure, access, modification, or destruction, whether the result of inadvertent or deliberate actions, could have legal, statutory, or regulatory repercussions. Very strict rules must be adhered to in the usage of this data. Data integrity is vital.
EXAMPLES:
  • Financial information
  • Employee records
  • Personal health information
  • Student academic records

CLASS: Operational
DEFINITION: Assets for which unauthorized disclosure, access, modification, or destruction, whether the result of inadvertent or deliberate actions, could have a negative impact on the college’s reputation or result in the loss of intellectual property. Internal access is selective. Data integrity is vital.
EXAMPLES:
  • Policy or process documentation
  • Purchase plans
  • Instructional material
  • Student schedules
  • Most operational communications, such as email and instant messaging

CLASS: Public
DEFINITION: Data on these systems could be made public without any implications to the college.
EXAMPLES:
  • Public marketing materials
  • Employment advertising
  • Information which has been approved for public disclosure by college administration


Table II.D.2:  Impact Assessment Matrix

TYPE OF IMPACT: Loss/Fraud
DESCRIPTION: The potential for financial loss from unauthorized access to an application, data, or system.

TYPE OF IMPACT: Direct value
DESCRIPTION: The value of the information measured by the college’s direct expense required for its creation, storage, and manipulation.

TYPE OF IMPACT: College image impact
DESCRIPTION: The value of the college’s image as reflected by the loyalty and trust of its customers.

TYPE OF IMPACT: Operational impact
DESCRIPTION: The extent to which the loss of the information or its integrity impacts management decisions, system operations, or business functions. The impact also includes the costs of correcting mistakes so that they do not recur and the costs of recreating the information.

TYPE OF IMPACT: Competitive value
DESCRIPTION: The value of the information to competitors of the college, including the amount of income, business, or market share that could be lost if they obtained the information.

TYPE OF IMPACT: Compliance impact
DESCRIPTION: The extent to which regulatory agencies or governing bodies mandate retention and integrity of the information.


III. Risk Assessment

Risk assessments will be performed on all new applications prior to being introduced into the college production environment. Risk assessments for existing or legacy applications will be performed based on the amount of risk and value the information assets provide to the business and/or to address legal or regulatory obligations.

Risks to college information assets will be determined by documenting the following:

  • Information asset description and classification.
  • Threat identification of internal and external threats to those information assets (e.g. theft, compromise, physical destruction, etc.).
  • Vulnerabilities and the likelihood that a given threat will affect an information system or asset.

Security measures, both technical and procedural, will be implemented to manage risk to college information assets as required by the college’s information security charter and as determined by this risk assessment.

IV. Disciplinary Action

Exceptions to this policy must have prior authorization from the Executive Team. Any violations of this policy may result in disciplinary action.


Related Policies:
Administrative Policy I.C
Administrative Policy I.D



Adopted: 04/23/09
Reorganized: xx/xx/xx
Reviewed: xx/xx/xx
Revised: xx/xx/xx

Maintained by: Sarah Bingham

Last Modified: 8/12/2011 2:45:16 PM