Standard for Information Classification
This Policy applies to all College information resources, including those used by the College under license or contract. "Information resources" include information in any form and recorded on any media, and all computer and communications equipment and software.
All information covered by this Policy is assigned one of three classifications depending on the level of security required. In decreasing order of sensitivity, these classifications are Confidential, Internal-use-only, and Unrestricted. Information that is either Confidential or Internal-use-only is also considered to be Restricted.
- Confidential information. This classification covers sensitive information about individuals, including information identified in the Human Resources Manual, and sensitive information about the College. Information receiving this classification requires a high level of protection against unauthorized disclosure, modification, destruction, and use. Specific categories of confidential information include information about:
- Current and former students (whose education records are protected under the Family Educational Rights and Privacy Act (FERPA) of 1974), including student academic, disciplinary, and financial records; and prospective students, including information submitted by student applicants to the College.
- Library patrons, and donors and potential donors.
- Current, former, and prospective employees, including employment, pay, benefits data, and other personnel information.
- Research, including information related to a forthcoming or pending patent application, and information related to human subjects. Patent applications must be filed within one year of a public disclosure (i.e., an enabling publication or presentation, sale, or dissemination of product reduced to practice, etc.) to preserve United States patent rights. To preserve foreign patent rights, patent applications must be filed prior to public disclosure. Therefore, it is strongly recommended that prior to any public disclosure, an Invention Disclosure Form be submitted to the Office of Technology Transfer for evaluation of the technology and determination of whether to file a patent application, thereby preserving U.S. and foreign patent rights.
- Certain College business operations, finances, legal matters, or other operations of a particularly sensitive nature.
- Information security data, including passwords.
- Information about security-related incidents.
- Internal-use-only. This classification covers information that requires protection against unauthorized disclosure, modification, destruction, and use, but the sensitivity of the information is less than that for Confidential information. Examples of Internal-use-only information are internal memos, correspondence, and other documents whose distribution is limited as intended by the steward.
- Unrestricted information. This classification covers information that can be disclosed to any person inside or outside the College. Although security mechanisms are not needed to control disclosure and dissemination, they are still required to protect against unauthorized modification and destruction of information.
Default classification. Information that is not classified explicitly is classified by default as follows: Information falling into one of the Confidentiality categories listed above is treated as Confidential. Other information is treated as Internal-use-only unless it is published (publicly displayed in any medium) by the Steward, in which case it is classified Unrestricted.