Data Classification
Teachers College Policy Library
Owner: Computing & Information Services
URL: http://www.tc.columbia.edu/policylibrary/Data Classification
The following policy has been reviewed and vetted by the Teachers College Information Security Advisory Committee (TC-ISAC) and approved jointly by Thomas James, Provost and Harvey Spector, Vice President Finance and Administration. It represents the environment that Teachers College strives to maintain and is being initially implemented in a transition phase. During this phase, the TC community is expected to seek assistance from and cooperate with the Director of Information Security, the Chief Information Security Officer, in developing the understanding and processes for your area in support of this objective.
Dr. Vincent Orrico
The first step in establishing the safeguards that are required for particular types of Data is to determine the level of sensitivity applicable to particular Data. Data classification is a method of assigning such levels and thereby determining the extent to which the Data needs to be controlled and secured.
As indicated in the Teachers College, Columbia University Information Security Charter (the “Charter”), any person who uses, stores or transmits Data (as defined in the Charter) has a responsibility to maintain and safeguard such Data in accordance with the College’s policies and applicable law.
Capitalized terms used in this Policy without definition are defined in the Charter.
3.1 General Statement
Data security measures must be implemented commensurate with the sensitivity of the Data and the risk to the College if Data is compromised. It is the responsibility of the applicable Data Stewards to evaluate and classify, with support from the CISO, the Data for which they are responsible according to the classification system adopted by the College and described below. If Data of more than one level of sensitivity exists in the same System or Endpoint, such Data shall be classified at the highest level of sensitivity.
3.2 Specific Requirements
3.2.1 Data Classification
The College has adopted the following four classifications of Data:
1. Sensitive Data: any information protected by federal, state or local laws and regulations or industry standards, such as FERPA, the New York State Information Security Breach and Notification Act, similar state laws and PCI-DSS, or Personally Identifiable Information (PII). This category also includes privileged information, such as communications and related documents (a) reflecting communications between psychologists, counselors, and similar professionals and their patients or clients and (b) subject to the attorney-client privilege and work-product protection.
For purposes of this Policy and the other Information Security Policies, Regulated and PII Data include, but are not limited to:
Personally Identifiable Information (PII): any information about an individual that (a) can be used to distinguish or trace an individual’s identity, such as name, date and place of birth, mother’s maiden name or biometric records, (b) is linked or linkable to an individual, such as medical, educational, financial and employment information, which if lost, compromised or disclosed without authorization, could result in harm to that individual and (c) is protected by federal, state or local laws and regulation or industry standards.
Examples of Sensitive Data can be found in Appendix A of this document.
2. Confidential Data: information that is protected as confidential by law or by contract and any other information that is considered by the College appropriate for confidential treatment.
For purposes of this Policy and the other Information Security Policies, Confidential Data include, but are not limited to:
- Student education records that are directly related to prior, current and prospective College students and maintained by Teachers College or an entity acting on Teachers College’s behalf. (The College’s FERPA policy, the Student Records and Family Educational Rights and Privacy Act (FERPA) Statement, specifies the covered records and important exceptions.)
- Human resources information, such as salary and employee benefits information
- Non-public personal and financial data about donors
- Information received under grants and contracts subject to confidentiality requirements
- Law enforcement or court records and confidential investigation records
- Citizenship or immigration status
- Unpublished research data
- Unpublished College financial information, strategic plans and real estate or facility development plans
- Information on facilities security systems or system configurations related to information security
- Nonpublic intellectual property, including invention disclosures and patent applications
- Applicant financial information.
3. Internal Data: any information that is proprietary or produced only for use by members of the College community who have a legitimate purpose to access such data.
For purposes of this Policy and the other Information Security Policies, Internal Data include, but are not limited to:
- Internal operating procedures and operational manuals
- Internal memoranda, emails, reports and other documents
- Technical documents such as system configurations and floor plans.
4. Public Data: any information that may or must be made available to the general public, with no legal restrictions on its access or use.
For purposes of this Policy and other Information Security Policies, Public Data include, but are not limited to data which was intended to be widely available and was not made public through a violation of policy, contract or law. Examples include:
- General access data on www.tc.columbia.edu
- College financial statements and other reports filed with federal or state governments that are generally available to the public
- Student information intended for the public, such as lists of degree recipients.
3.2.2 Protection of Data
The protection requirements applicable to each classification of Data can be found in the Teachers College Registration and Protection of Systems Policy.
4. Related Policies
The Information Security Policies referred to in this Policy are as follows:
5. Ownership and Responsibilities
The ownership of the policy and the maintenance of its revisions rest with Computing and Information Services (CIS).
It is the responsibility of all users of Teachers College systems, and of all organizations or individuals with access to Teachers College networks, to establish and conform to the security measures outlined in this policy.
Violations of the Information Security Policies may result in corrective actions which may include: (a) the immediate suspension of computer accounts and network access and (b) mandatory attendance at additional training as a condition of continued use of computer accounts and network access. Subject to the College’s other rules of conduct and disciplinary procedures, significant violations may also result in (c) a letter to the individual’s personnel or student file; (d) administrative leave without pay; (e) other sanctions, up to and including termination or non-renewal of employment, faculty appointment or student status. Violations of the Information Security Policies may also result in civil or criminal liability under state, federal or international laws.
See the Definitions section of the Information Security Charter.
Appendix A – Examples of Sensitive Data
Examples of PII include, but are not limited to, any information concerning a natural person that can be used to identify such natural person, such as name, number, personal mark or other identifier, in combination with any one or more of the following:
- Social security number
- Driver’s license number or non-driver identification card number
- Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account
- Email address with password (in certain narrow instances)
Published: September 1, 2014