
Data Classification

Information and Technology




Policy Statement

The purpose of this policy is to educate the University community about the importance of protecting data generated, accessed, transmitted, received, and stored by the University, to identify procedures that should be in place to protect the confidentiality, integrity, and availability of University data, and to comply with local and federal regulations regarding privacy and confidentiality of information.

Responsibility for Data Management

Data is a critical asset of the University. All members of the University community have a responsibility to protect the confidentiality, integrity, and availability of data generated, accessed, modified, transmitted, received, stored, or used by the University, irrespective of the medium on which the data resides and regardless of format, such as in electronic, paper, or other physical form.

Individual departments are responsible for following appropriate managerial, operational, physical, and technical controls for access to, use of, verbal or electronic transmission of, and disposal of University data in compliance with this policy. Data owned, used, created, or maintained by the University and University personnel is classified into the following three categories:

  • Public
  • Official Use Only
  • Confidential

Departments and administrative branches should carefully evaluate the appropriate data classification category for the information handled within their environment. Where this policy provides examples, they are illustrative only: they show how the classification is applied in practice and are not an exhaustive list of requirements. Nothing in this policy restricts the right of departments or administrative branches to require policies and/or procedures in addition to the ones identified in this document.

Data Classification

Public Data

Public data is information that may or must be open to the general public. It is defined as information with no existing local, national, or international legal restrictions on access or usage. Public data, while subject to University disclosure rules, is available to all members of the University community and to all individuals and entities external to the University community. By way of illustration only, some examples include:

  • Publicly posted press releases
  • Publicly posted schedules of classes
  • Publicly posted interactive University maps, newsletters, newspapers, and magazines

Official Use Only Data

Official Use Only Data is information that must be guarded due to proprietary, ethical, or privacy considerations, and must be protected from unauthorized access, modification, transmission, storage, or other use. This classification applies even though there may not be a civil statute requiring this protection. Official Use Only Data is information that is restricted to members of the University community who have a legitimate purpose for accessing such data.

By way of illustration only, some examples of Official Use Only Data include:

  • Employment data
  • University partner or sponsor information when no more restrictive confidentiality agreement exists
  • Internal telephone books and directories

Official Use Only Data:

  • Must be protected to prevent loss, theft, unauthorized access, and/or unauthorized disclosure.
  • Physical copies must be stored in a closed container (e.g., a file cabinet, a closed office, or a department area where physical controls are in place to prevent disclosure) when not in use.
  • Electronic files must not be stored in unsecured locations, including unsecured PCs or other hardware, nor posted on any publicly accessible website.
  • Must be destroyed when no longer needed subject to University and/or departmental Records Retention Schedules. Destruction may be accomplished by:
    • "Hard Copy" materials must be destroyed by shredding or another process that destroys the data beyond either recognition or reconstruction. After destruction, materials may be disposed of with normal waste.
    • Electronic storage media shall be sanitized appropriately by overwriting or physical destruction prior to disposal. Disposal of electronic equipment must be performed in accordance with IT Services' Surplus Equipment Process.

Confidential Data

Confidential Data is information protected by statutes, regulations, University policies, or contractual language. Managers may also designate data as confidential. Confidential Data may be disclosed to individuals on a need-to-know basis only. Disclosure to parties outside the University should be authorized by executive management. By way of illustration only, some examples of Confidential Data include: 

  • Medical records
  • Student records and other non-public student data
  • Social Security Numbers
  • Personnel and/or payroll records
  • Bank account numbers and other personal financial information
  • Any data identified by government regulation to be treated as confidential, or sealed by order of a court of competent jurisdiction

Confidential data:

  • When stored in an electronic format, must be protected with strong passwords and stored only on servers with the protection and encryption measures provided by MSU Denver IT Services, in order to protect against loss, theft, unauthorized access, and unauthorized disclosure.
  • Must not be disclosed to parties without explicit management authorization or appropriate contracts.
  • Must be stored only in a locked drawer or room or an area where access is controlled by a guard, cipher lock, and/or card reader, or that otherwise has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other persons without a need-to-know.
  • When sent via fax, must be sent only to a previously established and used fax number, or to one that has been verified as terminating in a secured location.
  • Must not be posted on any public website.
  • Must be destroyed when no longer needed subject to the University Records Retention Schedule. Destruction may be accomplished by:
    • "Hard Copy" materials must be destroyed by shredding or another process that destroys the data beyond either recognition or reconstruction. After destruction, materials may be disposed of with normal waste.
    • Electronic storage media shall be sanitized appropriately by overwriting or physical destruction prior to disposal. Disposal of electronic equipment must be performed in accordance with IT Services' Surplus Equipment Process.
  • References to intellectual property exclude faculty and do not preclude standing policies.

The Chief Information Security Officer must be notified in a timely manner if data classified as confidential is lost, disclosed to unauthorized parties, or is suspected of being lost or disclosed to unauthorized parties, or if any unauthorized use of the University's information systems has taken place or is suspected of taking place. The Chief Information Security Officer must notify the University President of said loss or disclosure, with notifications to other parties as required.


Background and Purpose

Background: MSU Denver's information security policies were created by the IT Strategic Oversight Committee (ITSOC) Information and Instructional Technology Policies Subcommittee and reviewed by the University’s Policy Advisory Committee. Review of these policies will be made on an annual basis, with any changes or additions being submitted through the University’s policy review and approval process.

Purpose: MSU Denver’s information security policies are focused on protecting critical data and information systems of Metropolitan State University of Denver from loss, damage, or inappropriate modification or disclosure. The policies contained in this document are designed to ensure that the University adheres to security standards commensurate with the data and systems referenced, while maintaining appropriate functional access for students, faculty, and staff.

Scope: These policies apply to all individuals, including students, faculty, and staff, provided access to University data and information technology systems. Contractors and otherwise affiliated individuals must agree to abide by the information security policies before accessing university systems and data. Role-based policies and procedures that apply to specific groups of users will be provided when applicable, in accordance with functional requirements and data classification.


Roles and Responsibilities

Responsible Executive: Chief Information Officer

Responsible Administrator: Chief Information Security Officer

Responsible Office: Information Technology Services

Policy Contact: IT Services, msudenver.edu/technology, 303-352-7548

Additional Data Classification Roles and Responsibilities:

The IT Strategic Oversight Committee (ITSOC) Information and Instructional Technology Policies subcommittee is the primary entity charged with recommending and developing policy and procedures subordinate to and in support of this policy.

The Chief Information Security Officer is charged with the promotion of security awareness within the University community, as well as responsibility for the creation, maintenance, enforcement, and design of training on relevant security standards in support of this policy. The Chief Information Officer will receive and maintain reports of incidents, threats, and malfunctions that may have a security impact on the University's information systems, and will receive and maintain records of actions taken or policies and procedures developed in response to such reports. The Chief Information Officer will assist with internal audits, as appropriate, to determine compliance with this policy.

MSU Denver IT Services will facilitate distribution of this policy, will assist in the investigation of policy breaches, and will respond promptly to reports of suspected misconduct or violations of law or University policies.

The Office of General Counsel will review procedures issued under authority of this policy for compliance with applicable regulations. The Office of General Counsel will also respond to court-ordered releases of information.


Enforcement and Reporting

Adherence to Information Security Policies is mandatory and may be based on State or Federal statute, contract language, or information security standards. These policies are not intended to unreasonably interfere with system utilization. Individuals should contact the IT Services Help Desk to report security risks or violations of policy, or to request exceptions or amendments to the policies. The Chief Information Security Officer (CISO) and other IT Services staff will respond to all reported security issues and will work with the policy subcommittee to develop appropriate updates to policies. Violations of these policies may result in appropriate administrative action up to and including revocation of system privileges, employee termination, or student expulsion.

Information about the Information and Instructional Technology Policy subcommittee is available on the IT Governance website.


Policy History

Effective: July 1, 2017

Approved by: President
