Policy Overview and Objectives

Rockhurst University recognizes the importance of protecting its data assets and preventing the unauthorized disclosure or loss of sensitive information. The purpose of this Data Loss Prevention (DLP) and Data Classification Policy is to establish guidelines for the classification and protection of data based on its sensitivity. This policy applies to all electronic data collected, generated, accessed, modified, transmitted, stored, or used by the University, irrespective of the medium or format.

Data Classification Levels

a. Confidential Information (High Sensitivity):

  • Definition: Data should be classified as Confidential if its unauthorized disclosure, alteration, or destruction could result in legal or financial liability to the University. Sources of liability include legal or regulatory requirements, University policies, agreements to which the University is a party, or information that is inherently sensitive. Data in this category is not distributed outside the University unless the transmission is expressly authorized and done through approved channels. Please contact the Associate Vice President of Information Technology if you have a question about establishing an approved channel for an authorized transmission. Data in this category should only be accessible to employees with a need to know, and the data should only be transmitted through electronic means if the Confidential Data is encrypted. Examples of the types of information that are Confidential are provided in Appendix A.
  • Handling Requirements:
    1. Access: Limited to authorized individuals with a legitimate need-to-know.
    2. Storage and Transmission: Must be encrypted using approved encryption methods.
    3. Retention and Disposal: Must follow specific retention and disposal guidelines to ensure secure destruction.

b. Private Information (Medium Sensitivity):

  • Definition: Data should be classified as Private when the unauthorized disclosure, alteration, or destruction of that Data could harm the University’s image or reputation, or could undermine the confidentiality of University business, but would not necessarily violate existing laws, University policies, or University contracts. Data in this category is not routinely distributed outside the University and is accessed or distributed within the University only on a need-to-know basis. Examples of the types of information that are considered Private are provided in Appendix A.
  • Handling Requirements:
    1. Access: Limited to authorized individuals based on job roles and responsibilities.
    2. Storage and Transmission: Should be protected using appropriate security measures, such as access controls and encryption, as necessary.
    3. Retention and Disposal: Must adhere to defined retention periods and secure disposal practices.

c. Public Information (Low Sensitivity):

  • Definition: Data should be classified as Public when the unauthorized disclosure, alteration, or destruction of that Data would result in no harm to the University. Public Data has no legal or other restrictions on access or usage and may be open to the University community and the general public. Examples of the types of information that are considered Public are provided in Appendix A.
  • Handling Requirements:
    1. Access: Accessible to the general public and authorized personnel as needed.
    2. Storage and Transmission: No specific security requirements, but reasonable measures should be taken to ensure integrity and availability.
    3. Retention and Disposal: Follow standard retention and disposal practices.

Responsibilities

a. Data Owners:

  • Data owners are responsible for identifying and classifying the data under their control.
  • They must ensure appropriate protection measures are implemented based on the data classification level.

b. Users:

  • Users must adhere to the handling requirements and access restrictions specified for each data classification level.
  • They are responsible for reporting any potential data loss or security incidents promptly.

c. IT Department:

  • The IT department is responsible for implementing technical controls to enforce the protection requirements for each data classification level.
  • They must ensure that appropriate security measures, such as encryption, access controls, and monitoring, are in place.

Data Handling and Protection Measures

a. Access Controls:

  • Access to data should be granted on a need-to-know basis, following the principle of least privilege.
  • Strong authentication mechanisms, such as unique user IDs and passwords, should be implemented to protect sensitive data.

b. Encryption:

  • Confidential and Private Information must be encrypted during transmission and storage using approved encryption methods.

c. Data Storage:

  • Data storage systems should provide appropriate security controls, such as access controls, encryption, and regular backups.

d. Data Transmission:

  • Sensitive data should be transmitted over secure channels, such as encrypted connections and virtual private networks (VPNs).

e. Retention and Disposal:

  • Data should be retained only as long as necessary to fulfill legal, regulatory, and business requirements.
  • Secure disposal methods, such as shredding physical documents and secure erasure of electronic data, must be employed.

Compliance and Consequences

a. Compliance:

  • All faculty, staff, students, and contractors must comply with this policy.
  • Failure to comply may result in disciplinary action, including termination, as well as legal consequences.

b. Consequences:

  • Any suspected violations of this policy should be reported to the appropriate authorities for investigation.
  • Violations will be subject to disciplinary actions in accordance with the applicable policies and procedures.

Policy Review

  • This policy will be reviewed periodically and updated as necessary to reflect changes in technology, regulations, or organizational needs.
  • Any proposed changes to this policy must be reviewed and approved by [appropriate authority].

By implementing this Data Loss Prevention and Data Classification Policy, Rockhurst University aims to safeguard its sensitive information and ensure compliance with relevant regulations while promoting a secure data environment.