
Data Classification Procedure

Approver: Academic Coordinating Committee
Policy Owner: Associate Vice President, Risk Management
Policy Lead(s): Manager, Campus Security
Defining policy:
Effective date: 2022-05-25
Date of last approval: 2022-05-25
Status: Approved

Procedure Statement

Data is a collective asset that is acquired, used, and managed by multiple stakeholders within Conestoga. This procedure sets out the principles for classifying data, regardless of form or media, to meet business needs and regulatory requirements of The Conestoga College Institute of Technology and Advanced Learning (Conestoga).

Procedure Scope

This procedure applies to all data in Conestoga’s control and custody including research data. Security controls are documented in internal restricted information technology practices and standards. 

Definitions

Conestoga maintains a glossary of terms specific to the institution. The ones in use for this document are defined below.

Data
Individual symbols or pictures that represent raw facts or figures, which on their own do not comprise meaning and have no discernible arrangement. It can be processed by a computer, computer system or application.
Data Stewards
Data stewards are employees responsible for maintaining and protecting defined sets of data within the various lines of business throughout Conestoga. Data stewards are not data owners; they fulfill a business-focused oversight role, ensuring data is fit for purpose for data-driven business processes. Data stewards work with others to ensure data classification rules are followed and implement processes to manage the classified data.
Dataset
A dataset is an organized collection of data. The most basic representation of a dataset is data elements presented in tabular form. A dataset may also present information in a variety of non-tabular formats, such as an extensible mark-up language (XML) file, a geospatial data file, or an image file.
Information
Data that has been given value or meaning through interpretation or analysis and that has been organized to create meaning.
Inherent Risk
The risk to Conestoga in the absence of any controls to alter either the likelihood or the impact of a risk.
Risk
A function of the magnitude or seriousness of the harm and the probability that it will occur (p. 22).

Procedure

  1. Data stewards classify Conestoga’s data as public, internal, or restricted. 
  2. Conestoga data is internal by default. 
    1. If there are conflicting guidelines defining specific data classification, the data is classified according to the most restrictive protection requirement. 
    2. Corporate Services will assist college stakeholders in classifying college data.
  3. Conestoga’s public data is shared in open formats. 
  4. Datasets are regularly reviewed by Conestoga’s data stewards to ensure access and security provisions correspond to the data classification. 
  5. Data stewards protect data from modification or deletion in accordance with approved Conestoga data governance standards. 
  6. Data stewards reassess and consider reclassification of data when there are major changes to systems housing data, changes to the data including new data sets, and changes to access levels.

The following table identifies key descriptors and controls assigned to data by classification.  

| | Public Data | Internal Data | Restricted Data |
| --- | --- | --- | --- |
| Description | Data that can be made available to the general public without concern. | Data intended for any Conestoga user but not for the general public. | Data that is defined in regulations, legislation, or by legal contract as sensitive, and/or its release could negatively impact strategic business decisions such as budgeting, human resources, legal negotiations, etc. |
| Risk | Minimal inherent risk. Minimal controls are required for public data to protect it from unauthorized modification or destruction in order to have the data be a trustworthy representation of Conestoga. | Moderate inherent risk. Should the data be released, any data that is not explicitly classified as public or restricted shall be treated as internal data. A reasonable level of security controls should be applied to prevent its unauthorized release, alteration, or destruction. | High inherent risk. The alteration, destruction, and/or unauthorized release of restricted data is likely to cause a significant material level of risk to Conestoga; consequently, the highest level of access control, secured storage, transmission requirements, and secured destruction must always be applied. |
| Access | Access to this data can be granted to any requestor. | Access to this data can be granted to any Conestoga user. | Access to this data can only be granted to users with a business need to access it and its release is limited in scope to only authorized users. |
| Storage | No security controls required. | Electronic data must be stored on Conestoga approved systems (i.e., shared drives, servers, cloud-based storage) with controlled role-based access. Physical files must be stored in a secure Conestoga approved location. | Electronic data must be stored on Conestoga approved systems (i.e., shared drives, servers, cloud-based storage) with controlled role-based access, and audit trail. Physical files and those on portable devices (which must be password protected) must be stored in a secure Conestoga approved location in a locked space with limited and managed access. |
| Transmission | No security controls required. | Data must be transmitted via a secure network. | Data must be encrypted during transfer and transmitted via a secure network. |
| Destruction | Data must be securely deleted or transferred to the archives according to approved retention schedules. | | |

Revision Log

| Date | Details |
| --- | --- |
| 2022-04-20 | Academic Forum |
| 2022-05-25 | Academic Coordinating Committee |
