Information Classification and Handling Standard
Purpose
Information asset classification is required to determine the relative sensitivity and criticality of information assets, which provide the basis for protection efforts and access control. This document provides guidelines for the classification of information as well as its labeling, handling, retention and disposition.
A. Information Classification
Information classification is the process of assigning value to information in order to organize it according to its risk to loss or harm from disclosure. The Cal Poly information classification and handling standard establishes a baseline derived from federal laws, state laws, regulations, California State University (CSU) Executive Orders, CSU policies, and campus policies that govern the privacy and confidentiality of information.
Scope
This information classification and handling standard applies to:
- All information or data collected, generated, maintained, and entrusted to Cal Poly and its auxiliary organizations (e.g., student, research, financial, employee data) except where superseded by grant, contract, or federal copyright law.
- Information in electronic or hard copy form.
B. Classification Levels
C. Designation of Classification Levels
D. Security Controls for Classifications
E. Information Handling by Classification
F. Information Protection Roles and Responsibilities
G. Non-Compliance and Exceptions
Appendix A: References and Legislative Resources
Implementation
| Effective Date: | 9/1/2010 |
|---|---|
| Review Frequency: | Annual |
| Responsible Officer: |
Vice Provost/Chief Information Officer Information Security Officer |
Revision History
| Date | Action | Pages |
|---|---|---|
| 07/14/2011 | Updated Facilities classification levels | Sec B |
| 02/01/2011 | Updated handling section for electronic mail of level 2 information to indicate that it may be sent by electronic mail to those who have a business need-to-know and are Cal Poly employees, its auxiliary employees, contractors or vendors who have signed a confidentiality-security agreement. | Sec E |
| 8/20/2010 | Released final version for posting on the web and notified campus constituents | All |
| 5/20/2010 | Reviewed and consulted with Information Resource Management Policy and Planning Committee (IRMPPC) | All |
| 4/21/2010 | Reviewed and consulted with Administrative Advisory Committee on Computing (AACC) | All |
| 4/16/2010 | Reviewed and consulted with Instructional Advisory Committee on Computing (IACC) | All |
| 3/3/2010 | Reviewed and consulted with LAN Coordinators | All |
| 2/23/2010 | Reviewed and consulted with Information Security Committee | All |
| 2/17/2010 | Reviewed and consulted with Information Security Management Team | All |
| 1/26/2010-8/18/2010 | Made additions and revisions for Cal Poly | All |
| 1/26/2010 | Acquired source document from Cal Poly Pomona | All |
