Information Classification and Handling Standard - Section E
E. Information Handling by Classification
This table describes how information should be handled according to its classification and as it relates to systems development. For example, if a report is printed and automatically distributed, labeling information and distribution standards would be required. Additional notes are located at the end of the table.
| Action or Method | Confidential | Internal Use Only | Publicly Available |
|---|---|---|---|
| Storing Information on Cal Poly Owned, Leased, or Rented Systems or Equipment | Cal Poly confidential level 1 information shall not be stored on removable, portable or mobile devices unless it is secured (e.g. encrypted). This includes but is not limited to USB connected media, flash drives, DVD, CD, tape media, laptops and smart phones, and requires Cal Poly Information Security Office sanctioned encryption. Removable and mobile devices shall not be visible to the public when not in use, to prevent disclosure and theft (for example, leaving a laptop with confidential data visible in a vehicle). Level 1 information should be stored in secured databases or on secured file servers. It may also be stored in secured off-line media, such as CD, DVD and tape. Off-line media shall be encrypted and stored in a secure location at the University or another site approved by management (including off-site backup services). Electronic storage requires access controls and file protection mechanisms to control file access. If these are not found in the operating system in use, then additional security packages are required. Exceptions require written authorization from the Information Security Officer. Requests need to be submitted in writing. | May be stored on portable or mobile devices. It is recommended that the device containing level 2 information be secured (e.g. encrypted). | No restrictions. |
| Use of Personally Owned / Purchased Equipment | Personal equipment may include devices such as personal laptops, personal desktops, personal digital assistants (PDAs), iPods® and cell phones (such as BlackBerry®, Treo® and iPhones®). Cal Poly level 1 information may not be stored on any personal equipment. | Cal Poly level 2 information shall not be stored on any personally owned equipment unless it is secured (e.g. encrypted). Additionally, users must not send or forward emails containing level 2 information to personal email accounts (e.g. Gmail, Yahoo, Hotmail, MSN, Charter). | No restrictions. |
| Labeling | Recommend that classification labels and control statements appear on the bottom of at least the first page of reports; they may be added on each subsequent page as desired. Recommend that "Cal Poly Confidential" appears on removable media labels. | Recommend that classification labels and control statements appear on the bottom of at least the first page of reports; they may be added on each subsequent page as desired. Recommend that "Cal Poly, Internal Use Only" appears on removable media labels. | No labeling required. |
| Reproduction | Reproduction is discouraged. If the control statement specifies "No reproduction authorized", reproduction is only permitted with written permission from the Information Authority (list maintained separately). | Reproduction is authorized if not prohibited by the control statement. | No restrictions. |
| Distribution | Distribution is only to those who have a business need-to-know and are Cal Poly employees, its auxiliary employees, contractors or vendors who have signed a confidentiality-security agreement. Information distributed outside of Cal Poly must have a valid, current, and properly executed Confidentiality-Security Agreement in place, approved by the Information Authority. | Distribution is only to Cal Poly employees and its auxiliary employees, contractors and vendors with a business need-to-know. | No restrictions. |
| Computer Printing | Computer printing is authorized if not prohibited by the control statement. Remove printouts immediately if using a public printer, or as appropriate for internal shared printers. | Computer printing is authorized if not prohibited by the control statement. Remove printouts immediately if using a public printer, or as appropriate for internal shared printers. | No restrictions. |
| Mail (Hard Copies) | May be sent through interoffice or U.S. Mail, but must be sealed in an envelope having no classification marking and must be clearly marked on the outside with security control statements such as "Confidential" or "To be Opened by Addressee Only". | May be sent through interoffice or U.S. Mail with no special handling. If being sent to another building, it should be placed in an interoffice envelope with no special marking. | No restrictions. |
| Electronic Mail (email) | May not be sent or forwarded unless protected by a Cal Poly Information Security Office sanctioned secure (e.g. encryption) package or algorithm. Automatic labeling should be used if the email package supports this feature. | Distribution must be only to those who have a business need-to-know and are Cal Poly employees, its auxiliary employees, contractors or vendors who have signed a confidentiality-security agreement. Automatic labeling should be used if the email package supports this feature. | No restrictions. |
| Data Transmission | Data transmission is authorized, but not over public networks unless protected by a Cal Poly Information Security Office sanctioned secure (e.g. encryption) package or algorithm. | Data transmission is authorized to other authorized Cal Poly employees and its auxiliary employees, contractors and vendors. | No restrictions. |
| Fax | Faxing is authorized if not prohibited by the control statement. Authorized only from and to Cal Poly controlled fax machines. | Faxing is authorized if not prohibited by the control statement. Authorized only from and to Cal Poly controlled fax machines. | No restrictions. |
| Telephone | Conversations must be limited to other Cal Poly employees and its auxiliary employees, contractors and vendors covered by a Confidentiality-Security agreement with a business need-to-know. | Conversations must be limited to other Cal Poly employees and its auxiliary employees, contractors and vendors covered by a Confidentiality-Security agreement with a business need-to-know. | No restrictions. |
| Visual Disclosure | Ensure that documents and screens are positioned to prevent inadvertent disclosure. Do not leave documents and screens unattended and unsecured. Erase all white boards at the end of meetings. | Ensure that documents and screens are positioned to prevent inadvertent disclosure. Do not leave documents and screens unattended and unsecured. Erase all white boards at the end of meetings. | No restrictions. |
| Printed Storage | It is strongly recommended that paper be stored in a locked enclosure when not in use. Media should not be left unattended on a desk. | It is strongly recommended that paper be stored in a locked enclosure when not in use. Media should not be left unattended on a desk. If transported outside of Cal Poly, appropriate care must be taken to prevent disclosure or theft. | No restrictions. |
| Backup | Backup media must be stored in a secured location. If transported outside the University, media shall be encrypted. Backups require the same care as originals to maintain confidentiality. | It is recommended that backup media containing level 2 information be secured (e.g. encrypted) if transported outside the University. Backups require the same care as originals to maintain confidentiality. | No restrictions. |
| Record Retention | Records on any type of medium, such as paper, microfiche, magnetic, or optical, must be retained and disposed of as required by the record retention and disposition schedule published by the campus. | Records on any type of medium, such as paper, microfiche, magnetic, or optical, must be retained and disposed of as required by the record retention and disposition schedule published by the campus. | Records on any type of medium, such as paper, microfiche, magnetic, or optical, must be retained and disposed of as required by the record retention and disposition schedule published by the campus. |
| Disposal and Disposition | Hard copy requires either a secure disposal container (such as a box that will be secured until picked up by campus Facilities for shredding by Docuteam) to be shredded at a later time, or a shredder. Electronic storage media must be irretrievably erased or disposed of in a secure fashion following the record retention and disposition schedule published by the campus. | Hard copy should use a secure disposal container or shredder. Normal deletion commands or utilities within operating systems are sufficient for files. Reformatting of media is also valid, following the record retention and disposition schedule published by the campus. | Normal waste disposal, following the record retention and disposition schedule published by the campus. |
| Inventory | All electronic repositories must be identified. Inventory must be reported annually to the Information Security Office. Access controls must be reassessed annually. | All electronic repositories must be identified. Inventory must be reported annually to the Information Security Office. Access controls should be reassessed annually. | No restrictions. |
| Access Control | Employees must have signed a copy of the CP Employee Confidentiality Statement before access is granted. Vendors must have a copy of the confidentiality-security agreement before access is granted. The Information Authority must approve all access to confidential information. | Employees must have signed a copy of the CP Employee Confidentiality Statement before access is granted. Vendors must have a copy of the confidentiality-security agreement before access is granted. The Information Authority must approve all access to confidential information. | No restrictions. |
| Reclassify or Declassify | The campus can increase information to Level 1 classification. Information at Level 1 can only be declassified if the campus has classified that information up to Level 1; if CSU has classified information at Level 1, only CSU can declassify that information. | Only the Information Authority can reclassify or declassify information at Level 2 and Level 3. | No requirements. |
Security Classification Labels
A label must clearly display the classification of the information.
Labels have the following attributes:
- Labels must be clearly visible
- When possible and appropriate, use highlighting to make the label stand out from the body of the page.
- Use elements such as bolding, asterisks (*), all capital letters, or color to accentuate the label.
Security Control Statements
Add control statements next to or underneath the classification label; they further describe how the information needs to be handled. While control statements are virtually unlimited in meaning, some examples include:
- Confidential
- Modification or reproduction is prohibited
- Copyright ©2010 Cal Poly all rights reserved
- Electronic transmission allowed only if encrypted
- To be opened by addressee only
- Cal Poly - Internal Use Only
- Document classified PUBLICLY AVAILABLE after month/day/year
- Advice of Legal Counsel