Policy Information

Date Established: 5/24/2010
Date Last Revised: 4/4/2018
Category: Information Technology
Responsible Office: Vice President and Chief Information Officer
Responsible Executive: Vice President and Chief Information Officer

Data Risk Classification Policy

Summary

UB classifies its data into three risk-based categories to determine who is allowed to access the data and what security precautions are required to protect the data. This policy facilitates applying the appropriate security controls to university data and assists data trustees in determining the level of security required to protect data.

Policy Statement

The University at Buffalo (UB, university) is committed to protecting the confidentiality, integrity, and availability of data important to the university’s mission. All university data must be classified based on risk category and protected using the appropriate security measures consistent with the minimum standards for the classification category. The standard for protecting the data becomes more stringent as the risk from disclosure increases.

Data Classification

Each category below is described by its data risk classification category, its definition, and examples of data that fall into it.

Category 1 – Restricted Data
Institutional Risk from Disclosure: High
Minimum Security Standard, per National Institute of Standards and Technology (NIST): 800-53-I

Definition

Protection of the data is required by law or regulation. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.

Restricted data includes the definition of private information in the New York State Security and Breach Notification Act as a foundation: bank account, credit card, debit card numbers; social security numbers; state-issued driver license numbers; and state-issued non-driver identification numbers.

To this list, university policy adds protected health information (PHI) as defined and regulated by HIPAA, computer passwords, other computer access protection data, and passport numbers.

Category 1 – Restricted Data are exempt from disclosure or release under the New York State Freedom of Information Law (FOIL). The NYS Information Security Breach and Notification Act requires the university to disclose any breach of the data to New York residents. (State entities must also notify non-residents; see the NYS Information Security Policy.)

Individuals who access, process, store, or in any other way handle Category 1 – Restricted Data are required to implement controls and security measures required by relevant laws, regulations, and university policy. In instances where laws and/or regulations conflict with university policy, the more restrictive policy, law, or regulation governs.

Examples

• Social Security Number (SSN)
• Driver license number
• State-issued non-driver ID number
• Bank or financial account number
• Credit or debit card number (CCN)
• HIPAA-regulated Protected Health Information in any form (e.g., oral, paper, electronic)
• Passport number
• UB IT authentication credentials
• Documents protected by attorney-client privilege
• Donor contact information and non-public gift information

Category 2 – Private Data
Institutional Risk from Disclosure: Moderate
Minimum Security Standard, per NIST: 800-53-II

Definition

Includes university data not identified as Category 1 – Restricted Data, and data protected by state and federal regulations. This includes Family Educational Rights and Privacy Act (FERPA)-protected student records and electronic records that are specifically exempted from disclosure by the NYS FOIL.

Private data must be protected to ensure that they are not disclosed in a FOIL request. Private data must be protected in order to ensure that they are only disclosed as required by law, including FOIL. Decisions about disclosure must be made by the Records Management Officer.

NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, maps to the Category 2 – Private Data risk classification.

Examples

• FERPA-protected data
• Gramm-Leach-Bliley data and other data protected by law or regulation
• Final course grades
• Exam questions or answers
• HR employment data
• Law enforcement investigation data and judicial proceedings data, including student disciplinary or judicial action information
• Public Safety information
• IT infrastructure data
• Collective bargaining negotiation data and contract negotiation data
• Trade secret data
• Protected data related to research
• University intellectual property
• University proprietary data
• Data protected by external non-disclosure agreements
• Inter- or intra-agency data that are not: statistical or factual tabulations; instructions to staff that affect the public; final agency policy or determination; external audit data
• University person number
• Licensed software
• Information created by a health care provider and used or maintained for the purposes of patient treatment, patient payment, or health care provider operations that is not regulated by HIPAA

Category 3 – Public Data
Institutional Risk from Disclosure: Low
Minimum Security Standard, per NIST: 800-53-III

Definition

Includes university data not included in Category 1 – Restricted Data and Category 2 – Private Data, where the data is intended for public disclosure, or the loss of confidentiality of the data or system would have no adverse impact on our mission, safety, finances, or reputation.

Public data includes any data that is releasable in accordance with FOIL. This category also includes general access data, such as that available on unauthenticated portions of the institution's website. Public data has no requirements for confidentiality; however, systems housing the data should take reasonable measures to protect its accuracy.

Examples

• University financial data or business records available to the public
• Meeting minutes
• Administrative process data
• Data about decisions that affect the public
• Other university public data
• General access data, such as that on unauthenticated portions of the institution's website

Protected Health Information (PHI)

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the HIPAA Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes. Information regulated by HIPAA may be used, maintained, or disclosed within or outside of the university only as specifically permitted by the HIPAA regulations.

Compliance

Failure to adhere to these policies and procedures may result in corrective measures. Corrective measures will be administered to a degree commensurate with the violation and in compliance with applicable collective bargaining agreements and/or applicable laws, regulations, and policies.

Background

University academic and administrative data are valuable assets and often contain detailed information about the university, as well as personal information about faculty, staff, students, and other third parties affiliated with the university. Protecting the information is driven by important considerations including legal, academic, financial, reputation, and other business requirements. This policy provides a framework for classifying university data based on its level of sensitivity, value, and criticality. Classifying data helps determine baseline security controls to protect the data.

Applicability

This policy applies to all university data and to all user-developed data sets and systems that may access these data regardless of the environment where the data reside (e.g., cloud systems, servers, personal computers, mobile devices). The policy applies regardless of the media on which data reside (e.g., electronic, printouts, CD, microfiche) or the form they may take (e.g., text, graphics, video, voice).

Data that is personal to the operator of a system and stored on a university information technology (IT) resource as a result of incidental personal use is not considered university data. University data stored on non-university IT resources must still be verifiably protected according to the respective university minimum security standards.

Definitions

Category 1 – Restricted Data

Protection of the data is required by law or regulation. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.

Restricted data includes the definition of private information in the New York State (NYS) Security and Breach Notification Act as a foundation: bank account, credit card, debit card numbers; social security numbers; state-issued driver license numbers; and state-issued non-driver identification numbers. To this list, university policy adds protected health information (PHI), computer passwords, other computer access protection data, and passport numbers.

Category 1 – Restricted Data are exempt from disclosure or release under the NYS Freedom of Information Law (FOIL). The NYS Information Security Breach and Notification Act requires the university to disclose any breach of the data to New York residents. (State entities must also notify non-residents; see the NYS Information Security Policy.)

Individuals who access, process, store, or in any other way handle Category 1 – Restricted Data must implement controls and security measures as required by relevant laws, regulations, and university policy. In instances where laws and/or regulations conflict with university policy, the more restrictive policy, law, or regulation governs.

Category 2 – Private Data

Includes university data not identified as Category 1 – Restricted Data, and data protected by state and federal regulations. This includes Family Educational Rights and Privacy Act (FERPA)-protected student records and electronic records that are specifically exempt from disclosure by the NYS FOIL.

Category 2 – Private Data must be protected to ensure that they are not disclosed in a FOIL request. Private data must be protected in order to ensure that they are only disclosed as required by law, including FOIL. Decisions about disclosure must be made by the Records Management Officer.

NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, maps to the Category 2 – Private Data risk classification.

Category 3 – Public Data

Includes university data not included in Category 1 – Restricted Data and Category 2 – Private Data, where the data is intended for public disclosure, or the loss of confidentiality of the data or system would have no adverse impact on our mission, safety, finances, or reputation.

Public data includes any data that is releasable in accordance with FOIL. This category also includes general access data, such as that available on unauthenticated portions of the institution's website. Public data has no requirements for confidentiality; however, systems housing the data should take reasonable measures to protect its accuracy.

Data Managers

University officials and their staff who have operational-level responsibility for information management activities related to the capture, maintenance, and dissemination of data.

Data Owner

The University at Buffalo is considered the data owner of all university data; individual units or departments may have stewardship responsibility for portions of the data.

Data Stewards

University officials who have planning and policy-level responsibilities for data in their functional areas.

Data Trustees

Senior leaders of the university (i.e., vice presidents, vice provosts, deans) who have responsibility for areas that have systems of record.

Data Users

Individuals who need and use university data as part of their assigned duties or to fulfill their role in the university community.

Responsibility

Vice President and Chief Information Officer

  • Oversee implementation of this policy.

Data Manager

  • Administer activities delegated by data stewards.
  • Maintain physical and system security and safeguards appropriate to the classification level of the data in their custody.

Data Steward

  • Manage defined elements of institutional data.
  • Implement and apply safeguards that meet or exceed the minimum safeguards for each data classification. Safeguards are determined by the individual unit, but guidance may be provided by the Information Security Office with respect to minimum expectations.

Data Trustee

  • Ensure that data stewards in their area are compliant with data governance principles.

Data User

  • Maintain the confidentiality, integrity, and availability of university data.
  • Implement appropriate safeguards to protect data.
  • Follow all university policies, procedures, and standards related to data security classification and security level, including applicable federal and state laws.

Records Management Officer

  • Make decisions about the disclosure of records.

Contact Information

Office of the Vice President and Chief Information Officer: 716-645-7979, cio@buffalo.edu
Information Security Office: 716-645-6997, sec-office@buffalo.edu
Records Management Officer: 716-645-5464, hines@buffalo.edu

History

April 2018: Full review. Updated the policy to:
  • change the title of the policy from Data Classification Standard/Data Use Standard to Data Risk Classification
  • change the number of classification categories from four (i.e., Category I: Regulated Private Data; Category II: Protected Data; Category III: Internal Use Data; Category IV: Public Data) to three (i.e., Category 1 – Restricted Data, Category 2 – Private Data, Category 3 – Public Data)
    ▫ this change aligns the UB categories with the New York State Office of Information Technology Services Information Classification Standard
  • revise data role terminology
  • add HIPAA compliance reference
  • provide additional data risk classification guidance, including
    ▫ FIPS 199 Security Categorization Definitions
    ▫ Security Standard Crosswalks
    ▫ Data Risk Classification Examples

Presidential Approval

Signed by Satish K. Tripathi, President

Date: 4/4/2018