An essential element of a Data Governance Program is the simplification of data security through the development of a comprehensive data and risk classification scheme. The following visual portrays NMSU’s data governance spectrum and the University’s data and risk classification scheme. As noted below, the regulated data bucket (personally identifiable information (PII) about students or employees, medical information, or credit card data) and the controlled data bucket represent high risk to NMSU; therefore any suspected or actual compromise of this data must be reported immediately.
The following one-minute video is a quick overview of the data classifications used at New Mexico State University.
Most universities use a three- or four-category data classification scheme. Research universities such as NMSU use a four-category scheme in order to separate out controlled research data. Sensitive research data is typically funded via grants and contracts that include information security stipulations related to the Federal Information Security Management Act (FISMA) or to Controlled Unclassified Information (CUI), such as Export Control data (Export Administration Regulations (EAR) / International Traffic in Arms Regulations (ITAR)) or another CUI category. These stipulations require compliance with National Institute of Standards and Technology Special Publications such as NIST SP 800-53 or NIST SP 800-171, or with another security plan as required by the applicable federal funding agency.
Risk classifications for each of the Four Data Buckets
NMSU has classified its information assets into risk-based categories for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access.
Low Risk Public Data: disclosure does not pose a risk to the institution. Public Data may be publicly accessible but does not require public access. Examples of Public Data:
- Public Web Sites
- Marketing Materials
- Business Addresses
- Salary Information
Medium Risk Internal Data: data not protected by state or federal law or regulatory standards, but which, if disclosed, may pose a reputational risk or result in a civil action against the institution. Examples of Internal Data:
- Account Credentials
- Budget Information
- Unclassified Research and Manuscripts
- Payroll and Employment Documentation
- Systems & Network Diagrams
- Strategic Information Unique to NMSU
Moderate Risk Regulated Data: data that is not Controlled Data and is regulated by law or contract, or that, if exposed to unauthorized parties, poses a risk of harm to third parties or to NMSU interests (e.g. reputational) or exposes the university to potential liability. Examples of Regulated Data:
- Social Security Number
- Driver’s License ID Number
- Passport ID Number
- Tax ID Number
- Health Information
- Class Schedules
- Course History
- Academic Actions
- Grades, GPA and Transcripts
- Payment Card Data
- Bank Account numbers
High Risk Controlled Data: Unauthorized disclosure of this information could have a serious adverse impact on the country, university, individuals or affiliates. Examples of Controlled Data:
- Export Controlled Data
- National Security Interest (NSI)
- Controlled Unclassified Information (CUI)
- Federal Contract Information (FCI)
- Classified Information
The following steps provide guidance on the considerations necessary to determine the data classification Protection Level of a data set. They address the most common questions about Protection Level classification but do not cover all circumstances. For additional assistance determining Protection Level, please contact the Chief Privacy Officer at email@example.com.
Step 1: Identify the specific data elements you are working with regularly and check the Protection Levels table above. If you find them there, use the classifications from the table and you are done; refer to the Data Standards page for the Minimum Data Security requirements applicable to you. Otherwise, continue to Step 2.

Step 2: Are you working with any of the following? If so, please contact the IT Compliance Office (ITCO) at firstname.lastname@example.org. If not, continue to Step 3.
- research data involving a data use agreement (DUA) per grant agreement
- confidentiality or nondisclosure agreements with security clauses
- HIPAA data
- federal Controlled Unclassified Information (CUI)
- DFARS requirements

Step 3: Does the data include any of the following? If so, it is Regulated or Controlled Data. If not, continue to Step 4.
1. Social Security numbers (SSN)
2. driver’s license, passport, or other government-issued ID numbers
3. financial account numbers
4. personal medical information
5. personal health insurance information
6. credit card numbers
7. passwords, PINs, passphrases, or security questions and answers
8. individually identifiable human subject research data, or research data that the Institutional Review Board (IRB) has determined is high risk
9. human genomic data subject to GDPR or HIPAA (regardless of de-identification status)
10. biometric data used for authentication purposes, including facial recognition

Additional considerations for Step 3:
1. Data breach reporting requirements: the actual or suspected compromise or breach of these data elements must be reported. For example, breach notification law requires notice if a Social Security number (SSN) AND a name are breached. Please contact the Chief Privacy Officer or Chief Information Security Officer if you have questions about this reporting requirement.
2. Partial SSNs: partial SSNs in certain contexts are considered de-identified information. If you are using partial SSNs, please contact the Chief Privacy Officer to help determine the protection level of your data.
3. Passwords, PINs, passphrases, and security questions and answers: when properly encrypted or hashed, these elements are not considered regulated data. However, the encryption keys are classified and protected at the same level as regulated data. Systems that manage credentials granting access to regulated data or resources, and systems that manage encryption keys, are also protected at this level. Note that a plain, unkeyed hash of a low-entropy value (a four-digit PIN, the last four digits of an SSN, or even a full nine-digit SSN) does not meet the "properly hashed" bar, because an attacker can simply hash every possible value and compare; a keyed hash or encryption under a key that is itself protected as regulated data is required.

Step 4: Are you dealing with industrial control systems affecting life and safety? If so, the data is protected at the Regulated or Controlled level. If not, continue to Step 5.

Step 5: Does the data include personal information of European Union (EU) or European Economic Area (EEA) residents? If so, the European Union General Data Protection Regulation (GDPR) probably applies. If not, continue to Step 6. Assuming the GDPR applies, does the information fall into any of the special categories of personal data outlined in Article 9 of the GDPR?
1. If so, it is Regulated.
2. If not, it is protected at the Internal level.
For questions regarding the GDPR, contact the Chief Privacy Officer.

Step 6: Does the data include student information protected by FERPA? If so, it is Regulated. If not, continue to Step 7. The exception is Public Directory Information for students who have NOT requested a FERPA block; this is protected at the Internal level. However, directory information for students who have exercised their right under FERPA to request that information about them not be released as public information is still classified as Regulated.

Step 7: Does the data include staff and academic personnel records? If so, it is probably Regulated. If not, continue to Step 8. The exception is Public Directory Information for faculty and staff, which is Internal.

Step 8: Does the data include individually identifiable human subject research data that contains regulated data elements and that the IRB has not determined is high risk? If yes, consider the following; if not, continue to Step 9.
1. Is the data entirely de-identified or anonymized, with a negligible re-identification risk and no other regulated data elements? De-identified human genomic data must also not be re-identifiable using publicly available data. If so, it is probably Internal.
2. If it is not clear whether the data is fully de-identified or anonymized, consult with the Chief Privacy Officer.

Step 9: Is the data public (no sharing restriction)? If so, it is probably Public unless unauthorized modification of the data would be an issue. Departmental websites are a good example: the information is public, but the accuracy (integrity) of the information is important. In situations like this, the need for data integrity drives the Protection Level. Consider which of the following applies:
1. Public data, and unauthorized modification has a minimal impact
2. Public data, and unauthorized modification has a low impact
3. Public data, and unauthorized modification has a moderate impact
4. Public data, and unauthorized modification has a high impact
If you do not know, continue to Step 10.

Step 10: Are you still uncertain of the classification? If the Protection Level is still not clear after completing Steps 1 to 9 and consulting the Protection Levels table, please contact the Chief Privacy Officer for assistance.
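The following is an added example illustrating the "properly encrypted or hashed" consideration in Step 3 and the note on partial SSNs; it is example code written for this page, not an NMSU tool. It shows that an unkeyed SHA-256 of the last four digits of a fictitious SSN is recovered by trying all 10,000 possibilities, whereas an HMAC under a secret key (which the page says must then be protected as regulated data) cannot be checked by someone who lacks that key. The sample value, the key handling and the `brute_force_space` pattern notation are assumptions made for the example.

```python
"""Why a bare hash of a low-entropy identifier does not de-scope it.

Added example for this page, not NMSU code. The sample value below is
constructed; the keys are generated at run time and stand in for a key
that would itself be protected as regulated data.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample: the last four digits of a fictitious SSN.
SAMPLE_LAST4 = "6789"


def sha256_hex(value: str) -> str:
    """Unkeyed hash: anyone holding the digest can re-derive it from a guess."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_hash_hex(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key; a guess cannot be checked without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def recover_last4(digest_hex: str, key: Optional[bytes] = None) -> Optional[str]:
    """Enumerate all 10,000 four-digit values against a stored digest.

    With key=None this models the attacker's view of an unkeyed hash.
    Passing a key models an attacker who guessed the scheme but holds the
    wrong key; every candidate then fails to match.
    """
    for n in range(10_000):
        guess = f"{n:04d}"
        candidate = sha256_hex(guess) if key is None else keyed_hash_hex(guess, key)
        if hmac.compare_digest(candidate, digest_hex):
            return guess
    return None


def brute_force_space(pattern: str) -> int:
    """Number of candidates an attacker must hash for a value of the given shape.

    Pattern notation is an assumption for this example: 'd' is a decimal
    digit, 'x' is a lowercase letter or digit, anything else is fixed.
    """
    sizes = {"d": 10, "x": 36}
    total = 1
    for ch in pattern:
        total *= sizes.get(ch, 1)
    return total


def demo() -> dict:
    """Run the comparison and return what each scheme leaks."""
    real_key = secrets.token_bytes(32)      # would be stored and protected as regulated data
    attacker_key = secrets.token_bytes(32)  # the attacker does not hold the real key

    unkeyed = sha256_hex(SAMPLE_LAST4)
    keyed = keyed_hash_hex(SAMPLE_LAST4, real_key)

    return {
        "unkeyed_recovered": recover_last4(unkeyed),            # "6789"
        "keyed_recovered": recover_last4(keyed, attacker_key),  # None
        "full_ssn_candidates": brute_force_space("ddddddddd"),  # 1000000000
        "last4_candidates": brute_force_space("dddd"),          # 10000
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A per-record salt stored next to the digest does not change the picture for values this small: the attacker still needs only 10,000 hashes per record. What changes it is a secret the attacker does not have, which is exactly why the page puts encryption keys and the systems that manage them at the same protection level as the regulated data they cover. A full nine-digit SSN has only a billion candidates, well within reach of a single workstation for a fast hash, so the same argument applies to full SSNs, not just partial ones.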