University Information Services at Georgetown University

Information Classification

Confidential Information: Requires the highest level of protection from any unauthorized access, disclosure or tampering, whether in hard copy or digital format. This includes sensitive information about students, faculty, staff, users of University services and facilities, and the University.

All personally identifying or electronically protected information (ePI) is classified as confidential information, including, but not limited to, information governed by local or federal law.

  • All documentation containing personally identifying or electronically protected information MUST be labeled 'Confidential' and handled accordingly. 
  • Collection of confidential information should be limited to situations where there is a business need and no reasonable alternative. 
  • Authorized data stewards must closely manage the access and storage of confidential information. 
  • Confidential information must always be secured in accordance with the Georgetown University Security Policy.
  • Managers must ensure that their employees understand the need to safeguard this information, and that adequate procedures are in place to minimize this risk.
  • Access to such information may only be granted to authorized individuals on a need to know basis.

The examples of confidential information provided below are not comprehensive and are subject to change. Any questions or concerns about the classification of data should be directed to the University Information Security Officer or the CIO.

Information protected by federal laws and regulations:
o The Family Educational Rights and Privacy Act (FERPA) protects a wide range of personal education records and information about current and former students, including, but not limited to, grades, university judicial records, and academic records.
o The Health Insurance Portability and Accountability Act (HIPAA) governs the use of protected health information, including information that identifies an individual and relates to: the individual's past, present or future physical or mental health; or the provision of health care to the individual; or the past, present or future payment for health care.
o The Gramm-Leach-Bliley Act (GLBA) protects personal financial information.

Personally Identifiable Information:
o Social Security Number
o Date of Birth
o Place of Birth
o Traditional password identifiers
- Mother's maiden name
- Name of favorite pet
o Dependents
o Bank account numbers
o Income tax records
o Driver's license numbers
o Credit card numbers
o Passport numbers

Security data and credentials authorizing access, designed to protect systems:
o Information concerning security incidents
o Passwords
o PKI Certificates

Information collected via University business operations:
o Finance
o Legally binding documentation affecting the university or a member of the university community
- Confidential agreements between the university and third parties
- Non-disclosure agreements
- Documentation accepted under non-disclosure or confidentiality agreements
o Legal affairs and all related documentation
o Contracts

Other examples:
o Research
o Research subjects, including human subjects
o Law Center clients
o Library patrons
o Established and potential donors, and information about these donors
o Personnel information on current, former, and prospective employees
o Current, former, and prospective employees
- Salary and pay information
- Benefits data
- Performance reviews
- University judicial affairs
o Information on any portion of the patent process, including research, application documentation, granting, ownership and licensing of the patent

Note: Credit card information must not be stored by Georgetown University. For all Internet-based credit card transactions, see the Georgetown University Internet Business Policy.

Internal-Use-Only:

  • Requires moderate protection from unauthorized access or tampering. If documentation or information does not contain information that must be labeled 'Confidential', Data Stewards have the discretion to categorize it as 'Internal-Use-Only.'
  • Data Stewards are responsible for the day-to-day management of institutional data integrity, confidentiality, and availability, and limit the distribution of these documents.
  • Information labeled 'Internal-Use-Only' may be disclosed to any person inside or outside the University. Although security mechanisms are not needed to control disclosure and dissemination, they are still required to protect against unauthorized modification and destruction of information.

The following may be examples of 'Internal-Use-Only' information, but only when they do not contain information that must be labeled 'Confidential':
- Internal memos
- Correspondence
- E-mail

Unrestricted Information: Requires basic protection from unauthorized tampering. This type of information can be freely disseminated to anyone.
