An integral part of our data security practices at Virginia Wesleyan University is classifying University data by its level of sensitivity and value. The four data classes provide the foundation that allows us to protect sensitive data while simultaneously providing broad, open access to data in all of its forms. Our classification policy defines four classes of data, from critical (Class I) to public (Class IV). Decisions about data types not explicitly defined in this policy should be made by the vice president overseeing the area most responsible for the data.
| | Class I: Critical Information | Class II: Restricted Information | Class III: Institutional Data | Class IV: Public/Unrestricted Information |
|---|---|---|---|---|
| Description | Information legally classified as breach-notifiable, where Virginia Wesleyan University is required to self-report to the government and/or notify the individual if the information is inappropriately accessed. Data of this type includes, but is not limited to, all data identified by law, specifically Virginia Code § 18.2-186.6 (Breach of personal information notification) and other applicable state statutes*, the Payment Card Industry Data Security Standard (PCI DSS), and specific combinations of individual financial records (Gramm-Leach-Bliley Act) and health care records (Health Insurance Portability and Accountability Act of 1996 (HIPAA)). | Information regulated or restricted by federal and/or state regulatory or legal requirements, contractual requirements, or University policy. Data of this type includes, but is not limited to, student records (Family Educational Rights and Privacy Act (FERPA)), financial records (Gramm-Leach-Bliley Act), health care records (Health Insurance Portability and Accountability Act of 1996 (HIPAA)), International Traffic in Arms Regulations (ITAR)***, Export Administration Regulations (EAR)***, Red Flags Rule, Children's Online Privacy Protection Act (COPPA), employment records, legal records, and certain business records. | Information at the Institutional/Proprietary level must be protected due to privacy, ethical, or proprietary constraints. Data of this type includes, but is not limited to, intellectual property and any data or documents not intended for public access or distribution. | Data at the Public/Unrestricted level is protected at the discretion of the department or the data owner. Data of this type includes, but is not limited to, all documents slated for public distribution, directory information as defined by FERPA, and any departmental data not deemed to be at a higher level of sensitivity. |
| Examples of Data Elements within Specific Classification Levels | • Social Security Numbers • Credit card numbers • Driver's license number or state identification card number issued in lieu of a driver's license • Account number, credit card number, or debit card number in combination with any required security verification code**, access code, or password that would permit access to an individual's financial account • Passport ID numbers or other forms of official government-issued identification • Health care information, including Protected Health Information (PHI) • A username or email address in combination with an unencrypted password, biometric identifier, or security question and answer that would allow unauthorized access to an online account | • Human subjects information • Information gathered on children under the age of 13 • Employment applications • Employee information, including personnel files, benefits information, salary, conflict-of-interest filings, birth date, and personal contact information • Privileged attorney-client communications • Internal policy records • Export-controlled information under U.S. laws*** • Emergency and disaster recovery/incident response plans | • Student grades, attendance, and performance records**** • VWU Colleague ID • Departmental data • Unpublished research data • VWU internal memos • Internal reports • Class rosters • Marketing and forecasting reports • Email distribution lists • Source code • Building diagrams and blueprints • Donor information • Vendor non-disclosure agreements • Business transactional data and documents • Personal information that can be used to verify identity, such as birth dates, mother's maiden name, and photographs | • Published articles and newsletters • Student achievements and accolades • Published research data • Campus maps • Job postings • Student enrollment numbers • Directory information |
| Access | Access is limited to those permitted under law, regulation, and Virginia Wesleyan University policies who have a job-specific need and the required training. External release of this type of information is only through vice president approval or through subpoena or warrant. Unauthorized release of this type of data could result in termination from University employment. | Access is limited to those permitted under law, regulation, and Virginia Wesleyan University policies who have a specific need to know. External release of this type of information is only through vice president approval or through subpoena or warrant. Unauthorized release of this type of data could result in termination from University employment. | Access is limited to individuals who have been approved for access by a vice president based on need to know. Public or external requests to release this type of information are handled only through management or through subpoena or warrant. Unauthorized release of this type of data could result in disciplinary action. | Access to all data not meant for public consumption is at the discretion of the department or data owner. |
| Transmission | NIST-approved encryption methods are required when transmitting this information over a network. Prohibited data shall not be sent by email unless it is sent using an institution-approved method. | NIST-approved encryption methods are required when transmitting this information over a network. Restricted data shall not be sent by email unless it is sent using an institution-approved method. | NIST-approved encryption is strongly recommended when transmitting this information over a network. Institutional Confidential/Proprietary information sent by email should follow institutional guidelines. | No encryption is required for public/unrestricted information. |
| Storage | Prohibited information shall not be stored on any of the following media or devices: • non-VWU-owned or personal devices • external media, including flash drives, cell phones, or other external forms of storage (excluding University Data Center disaster recovery backups). Prohibited data shall be encrypted if used or stored on any endpoint device or local system, and such data should be used strictly for short-term processing, not for long-term storage. Prohibited data should be stored only on NIST-encrypted or other qualified University-owned hosts, and in accordance with the Virginia Wesleyan University Data Retention Policy (needs to be developed). | Restricted/Regulated information shall be stored in accordance with the following: • Any computer containing this type of data must store it using strong password-protected encryption, so that the data cannot be accessed without first authenticating (decrypting) it. Whole-disk encryption is preferable to manually encrypting individual files. • Any storage of this type of information in a cloud environment must be in an approved Virginia Wesleyan University cloud storage solution. Any data of this type stored on flash drives, cell phones, or any other external form of storage (including backups) must be in encrypted form. Please note that while some services are approved for storage of Class II data, they cannot be used for ITAR and export-controlled data unless they guarantee US-only storage and confirm that the data is not accessible by foreign nationals of restricted countries. In addition to the storage restrictions on this type of data, there are also restrictions on sharing such data with those located in other countries. It is up to the data owner to determine whether any export-controlled data may be shared with someone or transported to a particular country. Guidance can be found at the US Department of Commerce Control List site at http://www.bis.doc.gov/index.php/regulations/commerce-control-list-ccl. Long-term or archival storage of restricted/regulated data should be on NIST-encrypted or other qualified University-owned hosts, and in accordance with the Virginia Wesleyan University Records Management and Retention Policy (needs to be developed). | Institutional Confidential/Proprietary information shall be stored in accordance with the following: • It is strongly recommended that this type of data be stored using strong password-protected encryption, so that it cannot be accessed without first authenticating (decrypting) it. Whole-disk encryption is preferable to manually encrypting individual files. • Any storage of this type of information in a cloud environment must be in an approved Virginia Wesleyan University cloud storage solution. It is strongly recommended that data of this type stored on flash drives, cell phones, or any other external form of storage (including backups) be in encrypted form. Long-term or archival storage of institutional confidential/proprietary data should be on qualified University-owned or cloud service hosts, and in accordance with the Virginia Wesleyan University Data Retention Policy (needs to be developed). | Long-term or archival storage of Virginia Wesleyan University public/unrestricted data should be on qualified University-owned or cloud service hosts, and in accordance with the Virginia Wesleyan University Data Retention Policy (needs to be developed). |
- *NCSL Security Breach Notification Laws by State
- **Per PCI DSS, the card verification code or value (CVV, CAV, CID, CVC) should never be stored.
- ***Additional restrictions apply to this type of data. It must be stored within the United States and cannot be shared with those located in other countries. It is up to the data owner to determine whether any export-controlled data may be shared with someone or transported to a particular country. Guidance can be found at the US Department of Commerce Control List site at: http://www.bis.doc.gov/index.php/regulations/commerce-control-list-ccl
- ****Current processes on campus provide grade-related information via email. The University is committed to improving these processes to eventually provide all grade-related information through more secure methods. Once this is accomplished, grade-related information will be reclassified to Class II.