This document defines the College's system and data classification scheme and establishes procedures for protecting critical IT systems and sensitive College data processed, received, sent, or maintained by or on behalf of the College.
IT System Classification
Systems at the College of William and Mary are classified as either critical or non-critical. Using the College of William and Mary’s business impact analysis and continuity of operations plan as primary input, the College has identified systems that are critical based on their role in supporting the College's primary mission: teaching, research, and public service. Additionally, any system identified as essential during an emergency event is also classified as critical. Critical IT systems require a higher degree of protection and are, therefore, subject to stricter controls for access management, logging and monitoring, and disaster recovery planning.
Data owned, used, created or maintained by the College is classified into the following three categories:
Departments should carefully evaluate the appropriate data classification category for their information.
When provided in this policy, examples are illustrative only, and serve as identification of implementation practices rather than specific requirements.
i. Public Data
Public data is information that may or must be open to the general public. It is defined as information with no existing local, national or international legal restrictions on access or usage. By way of illustration only, some examples of Public Data include:
- Publicly posted press releases
- Publicly posted schedules of classes
- Publicly posted interactive University maps, newsletters, newspapers and magazines
- Public announcements, advertisements, directory information, and other freely available data on College websites
ii. Internal Use Data
Internal Use Data is information that must be guarded due to proprietary, ethical, or privacy considerations, and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal Use Data is information that is restricted to members of the University community who have a legitimate purpose for accessing such data. By way of illustration only, some examples of Internal Use Data include:
- Employment or personnel data
- Banner 93 numbers
- Budget reports, internal memos, or other business related data
- Project management documents
- Departmental operating procedures
- Performance evaluations
Internal Use Data:
- Must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure.
- Must be stored in a closed container (i.e. file cabinet, closed office, or department where physical controls are in place to prevent disclosure) when not in use.
- Must not be posted on any public website.
- Must be destroyed when no longer needed subject to the University's Records Management Policy. Electronic storage media shall be sanitized appropriately by overwriting or degaussing prior to disposal. Disposal of electronic equipment must be performed in accordance with the University's Standard for Removal of Data from Electronic Devices.
iii. Sensitive Data
Sensitive data is information protected by statutes, regulations, University policies or contractual language (see Appendix A for applicable laws). Managers may also designate data as Confidential. Confidential Data may be disclosed to individuals on a need-to-know basis only. Disclosure to parties outside the University should be authorized by executive. By way of illustration, some examples of sensitive data include:
- Social security numbers, driver's license numbers, credit/debit card numbers, passport numbers
- Student personal and academic records, which are protected by FERPA
- Personally identifiable financial information, which is protected by the Gramm-Leach-Bliley Act (and generally will also be either personnel or student records)
- Personal information and/or giving history collected from a donor, alumnus, or other individual
- Proprietary vendor information
- Health records, which are protected by the Virginia Health Records Privacy Act
- Employee Relations Cases or information related to disciplinary actions
- Attorney-client communications
- System account credentials
- Records related to Internet activity including, but not necessarily limited to, Domain Name Service (DNS) records, netflow records, Internet search histories
Sensitive data does not include information in the William and Mary directory or data that is made public by the University.
Rules for Managing Sensitive Data
Collecting Sensitive Data
There are laws relating to university collection of sensitive data. The legal restrictions most commonly impacting the university are summarized below. For additional information, contact the Information Security Office.
- Sensitive data may only be collected, maintained, used, or disseminated as necessary to accomplish a proper academic or business purpose of the university or as required by law. For a partial list of laws requiring or permitting data collection by the university, see Appendix A.
- Individuals or units requesting or collecting sensitive data must communicate why the sensitive data is being collected, how it will be used, and, if applicable, any consequences of not providing it.
- Individuals have the right to inspect and challenge, correct, or explain their personal information (as required by Section 2.2-3806(A)).
Sending and/or Receiving Sensitive Data in Electronic or Physical Form
The following restrictions apply both to internal data transmissions (such as sharing files with another university employee) as well as transmissions to outside parties.
- Sensitive data sent and/or received electronically must be secured using encryption technology, a secure web transfer, or the Secure File Transfer Protocol. Other acceptable methods include transferring files between network drives on the University's internal network or using the University's secure web file system, Box (box.wm.edu). The university's email system is not designed to support the transmission of sensitive data securely. If email must be used to transmit sensitive data, individuals are instructed to contact the Information Security Office for guidance on securing the data.
- Routine exchange of sensitive data with a third party requires a signed interoperability agreement or other contract describing which party is responsible for securing sensitive data in transit and how the data will be secured, and any specific confidentiality obligations.
- For any other release of sensitive data by the university to a third party, the sender must ensure that the third party is aware of the applicable confidentiality obligations.
- Sensitive data sent in physical form, such as through the post office or interdepartmental mail, must be secured in a sealed envelope or similar method and marked confidential.
- Faxing sensitive data is permitted provided that the recipient is notified in advance and is available to retrieve the fax immediately following transmission or able to secure it upon receipt (i.e., receiving a fax in an office that is only accessible by the recipient). Individuals receiving faxed documents with sensitive data are responsible for securing the document after receipt.
Storing Sensitive Data
- Sensitive data should be kept on University administered servers that comply with the University's Minimum Security Standard for University Servers. If sensitive data must be stored on personal or college-owned devices, including but not limited to laptops, personal computers, CDs, flash or thumb drives, cell phones, and/or personal computing devices (i.e. smartphones, tablets, etc.), the sensitive data must be encrypted according to the College's Data Encryption Standard and said devices must be password protected.
- Sensitive data saved in non-electronic form (i.e. paper or a white board) must be protected from unauthorized access when left unattended and destroyed when it is no longer needed. For example, papers with sensitive data cannot be left on an unattended desk but instead must be filed in a locked cabinet or a locked office.
93#s are internal use data as defined in the College's Data Classification Standard and so may not be used, disclosed or shared without a legitimate business or academic purpose. The following additional restrictions also apply:
- 93#s can only be stored on university owned or leased computers.
- 93#s can only be emailed to an internal university email address (@wm.edu, @vims.edu, or @mason.wm.edu). Emailing 93#s to personal mail accounts or mail accounts with third party providers is prohibited.
- Sending 93#s to a third party requires an interoperability agreement or contract language detailing how the third party will secure the 93#s.
Electronic media, including computers, jump or flash drives, CD/DVDs, or servers on which sensitive data has been stored, must be disposed of according to the university's Standard for the Disposal of Electronic Data.