Policy Statement

This policy ensures that the types of information that are in use by the University are identified and classified, and establishes a formal ownership of each type.

Reason for Policy

Information is a critical and valuable asset of Adelphi University and the responsibility to safeguard that information is shared by everyone who has access to it. Some of the information is sensitive in nature, and controls must be put in place to ensure that only authorized persons perform authorized operations (integrity) and that information is not disclosed without proper authorization (confidentiality). This policy ensures that the types of information that are in use by the University are identified and classified and it establishes a formal ownership of each type. The classification is used to ensure that all information is protected at appropriate levels.

Who Is Governed by this Policy

All end-user and application management accounts on computerized information systems operated by or on behalf of Adelphi University.

Policy

Classification

  1. The Information Security Officer manages the information classification and identification process.
  2. The Information Security Officer publishes standards and guidelines for classifying information.
  3. The Information Owner is responsible for the identification and classification of information assets.

Ownership

  1. All information assets must have a clearly designated Information Owner, who is responsible for making informed decisions regarding the security of the information asset (with regard to confidentiality and integrity), and possesses the authorization to do so.
  2. A directory of Information Owners will be maintained by the Chief Information Officer.
  3. The Information Owner must review the classification of the information assets for which she or he is responsible at least once per year or more often if circumstances require.
  4. The Chief Information Officer will function as an information custodian, and operate and maintain computerized information systems on behalf of Information Owners.
  5. The Chief Information Officer and the Information Owner share responsibility for identifying the information systems that are used to process the information they control.
  6. The ownership of information assets without a clearly designated owner defaults to the Chief Information Officer.

Protection

  1. Information assets must be protected in accordance with their classification by anyone who has access to them.
  2. The Information Owner is responsible for defining criteria and/or guidelines that can be used to determine if, and in which form, access to sensitive information is allowed, in accordance with its classification.
  3. Entities that are authorized to grant access to information must be appointed by the Information Owner. The appointment must include:
    1. The type of information for which the entity may grant permission.
    2. The actions for which the entity may grant permission.
    3. A date or condition when the authorization to approve access to information expires and is no longer considered valid.
  4. Permission to access sensitive information must be explicitly granted by authorized entities. Access to sensitive information should only be granted on a need-to-use basis, and within the requirements imposed by federal or state laws. The approval must include:
    1. Acceptable actions to be taken with the data (e.g., read, copy, create, etc.).
    2. Retention requirements, specifying how long data is allowed to be retained.
    3. Disposal requirements, specifying how data must be disposed of when it is no longer needed.
    4. A date or condition when the approval expires and is no longer considered valid.
  5. Any misuse, or accidental or unauthorized disclosure must be reported immediately to the Information Security Officer.

Guidance

The confidentiality of information assets must be classified as follows:

Classification: Description

Regulated: Information assets are considered regulated when required by law or contract, or when they are deemed to be of a nature that uncontrolled disclosure would cause significant harm to the University. Examples of protected information are (but are not limited to): personal identity information (PII), student educational records (FERPA rules), credit card data (PCI DSS requirements), protected health information (HIPAA requirement), etc.

Protected: Information assets are considered protected when uncontrolled disclosure would cause minor harm to the University.

Public: Information assets are considered public when disclosure of the information does not have to be authorized, or when disclosure would not cause harm.

The integrity of information assets must be classified as follows:

Classification: Description

Critical: Information assets are considered critical when modification (including creation and/or deletion) must be controlled and unauthorized modification has a significant negative impact on the University. Examples of critical information are grades, payroll information, enrollment records, etc.

Controlled: Information assets are considered controlled when access to modify the information must be controlled, but unauthorized modification has at most a minor negative impact on the University.

Uncontrolled: Information assets are considered uncontrolled when modification (including creation and/or deletion) does not need to be controlled or when modification does not cause harm.

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action imposed by the Office of Human Resources. Violations of this policy by students will be addressed through the Student Disciplinary Process.

Deviation From This Policy

Permission to deviate from this policy may be granted or revoked by the Information Security Officer.

Definitions

Information Owner: A person or role who is authorized to make informed decisions regarding a particular class of information.

Forms

This policy does not have forms associated with it at this time. Upon periodic policy review this area will be evaluated to determine if additional information is needed to supplement the policy.

Related Information

This policy does not have related information at this time. Upon periodic policy review this area will be evaluated to determine if additional information is needed to supplement the policy.

Document History

  • Last Reviewed Date: March 30, 2023
  • Last Revised Date: September 01, 2017
  • Policy Origination Date: August 19, 2009

Who Approved This Policy

Carol Ann Boyle, Chief Information Officer

Policy Owner

Secondary Contacts
