Information Classification and Handling Standard - Section D
D. Security Controls for Classifications
In addition to applying a classification label to each piece of information, an important part of information classification involves identifying the security controls that can consistently be applied to each level. The campus shall put in place the appropriate technical and organizational controls to prevent the unauthorized or unlawful processing or disclosure of information. The campus shall ensure that the security controls in terms of physical security (e.g., control access to buildings or rooms, correctly handle and dispose of printed material containing personal information), administrative controls (e.g., restrict passwords, restrict access on the basis of role or authority), and technical controls (e.g., store personal information on a secure server, make use of privacy enhancing technologies) are appropriate for the information being processed and maintained.
- Information security controls shall be implemented commensurate with information value, sensitivity, and risk. Information in each classification level will require varying security controls appropriate to the degree to which the loss or corruption of the data would be harmful to individuals, impair the business or academic functions at CP, result in financial loss, or violate law, policy or CP contracts.
- Information security controls shall include, but not be limited to, an appropriate combination of the following:
- Physical Access Control
- Administrative Access Control
- Technical Access Control
- The Information Authorities (maintained in a separate document) and the Information Security Officer collectively will determine the appropriate information security controls required for each classification level.
Classification Level 1: Confidential
Confidential information shall be limited in distribution to those with an established business need-to-know.
- When at all possible, confidential information should be accessed from its original source and copies or printed versions of the information should be kept to a minimum.
- Employees with access to confidential information should be reviewed on an annual basis to ensure that the access to this information is still needed.
- The list of people who have access to confidential information, and evidence of annual review of their access, shall be made available to the Information Security Officer on request.
- Confidential information shall always be secured (e.g. encrypted) when traversing a public network (e.g., Internet), and should be secured when traveling between unsecured CP locations (e.g., intranet).
- Printed copies of this type of information should be closely guarded to prevent unauthorized disclosure or theft.
- Due care is required when in verbal contact with another party regarding this information.
- The Information Retention and Disposition Standard is required when dealing with personally identifiable information (PII).
- Employees should receive annual training on their responsibilities regarding appropriate use and steps they can take to protect confidential information.
Classification Level 2: Internal Use Only
Internal Use Only information shall be limited in distribution to those employees, contractors, and vendors covered by a confidentiality-security agreement with an established business need-to-know.
- When at all possible, this information should be accessed from its original source and copies or printed versions of the information should be kept to a minimum.
- Employees with access to this information should be reviewed on an annual basis to ensure that the access to this information is still needed.
- The list of people who have access to this information, and evidence of annual review of their access, shall be made available to the Information Security Officer on request.
- This information shall be secured (e.g., encrypted) when traversing a public network or when traveling outside the Cal Poly network, and should be secured when traveling between unsecured CP locations (e.g., intranet).
- Printed copies of this type of information should be closely guarded to prevent unauthorized disclosure or theft.
- Due care is required when in verbal contact with another party regarding this information.
- Employees should receive annual training on their responsibilities regarding appropriate use and steps they can take to protect confidential information.
Classification Level 3: Publicly Available
Publicly Available information may be subject to appropriate campus review or disclosure procedures, facilities' procedures, employees' procedures, or students' procedures to mitigate potential risks of inappropriate disclosure.
- For example, we may receive a request from a third party (e.g., federal or state agencies) to share bulk email address information of students, and faculty/staff. The University may be required to grant this request but the appropriate campus representatives will be consulted before this information is shared with parties not directly affiliated with the University.