|Policy Title||Data Risk Classification Policy|
|Office/Unit||ITS/Finance & Administration|
September 20, 2017
|Approved by||President's Cabinet|
September 20, 2017
|Purpose||The State University of New York at Fredonia ("Fredonia") is committed to the confidentiality, integrity, and availability of information important to the University’s mission. All University data must be classified into one of three categories described in this policy and protected using the appropriate security measures consistent with the minimum standards for the classification category as described in related information/data security policies.|
|Applies To||This policy applies to all members of the university community, as well as to third parties who handle university data.|
Fredonia has classified its physical and electronic data into three risk-based categories for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it. This policy facilitates applying the appropriate security controls to university data, and assists data owners in determining the level of security required to protect data on the systems for which they are responsible.
Please note that the following Data Risk Classification Categories and Risk from Disclosure levels use the Federal Information Processing Standards (FIPS) 199. The Minimum Security Standards use the NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations.
All university data stored on university resources or other resources where university business occurs must be classified into one of the three categories. Based on the data classification, data owners, trustees, custodians, and users are required to implement the appropriate minimum security standards set forth by the Information Security Committee for protecting the data. The standard for protecting the data becomes more stringent as the risk from disclosure increases.
Compliance with the Data Risk Classification Policy and the corresponding minimum security standards should be incorporated into business processes to ensure data is properly secured. Data that is personal to the operator of a system and stored on a university information technology (IT) resource as a result of incidental personal use is not considered university data. University data stored on non-university IT resources must still be verifiably protected according to respective minimum security standards.
|Enforcement||The authority for the policy comes from the Associate Vice President of Information Technology & Chief Information Officer and Vice President of Finance and Administration.|