Category | Classification |
---|---|
Level 1 (PII) Confidential | Data governed by existing law or statute, such as: |
Level 2 Internal | Information that must be protected because of ethical or privacy concerns, such as grades, disciplinary actions, or student photos |
Level 3 General | Information such as title, email address, or other directory information that is freely available in the public domain |
CSU, Chico Data Classification and Protection Standards (PDF)
What is Protected Information?
"Protected information" is an umbrella term for information that is linked to an individual person's identity, such as Social Security numbers, drivers' license data, and credit card or bank account information (sometimes called Personally-Identifiable Information, or PII) and which can be used to facilitate identity theft. Universities in particular have become attractive targets for hackers because of the freedom with which information is exchanged in an educational environment. Chico State University, like other institutions, is legally required to be vigilant and proactive in the protection of PII that's been entrusted to us.
Data Classification and Protection Standards
Data Classification and Protection Standards (PDF) have been developed by CSU, Chico to classify various types of information as outlined below:
- Level 1 protected data: Confidential information governed by existing law or statute such as Social Security numbers and names, credit card numbers with cardholder names, or medical records related to an individual.
- Level 2 private data: Internal use information that must be protected due to ethical or privacy concerns such as student grades, courses taken, or disciplinary actions.
- Level 3 public (not protected) data: General information such as a person's title, email address, or other directory information that is available in the public domain.
Detecting Protected Information
The University is required to inventory protected information stored on campus systems. Beginning fall 2014, the campus will provide tools to help locate, protect, or delete confidential Level 1 protected data stored on University computers.
Handling Protected Data
If you find protected data on a system under your control, the following options are available to you:
- If it no longer meets a business need - destroy it
- Paper Shredding Guidelines
- If it needs to be kept - move it to a secure and labeled CD or other offline location, or to a secure server, and ensure that it is encrypted.
- If the protected data is not essential to the document containing that data, edit it to remove the sensitive data
- Protected Data: Online Cloud Storage and Email
Remember that CSU, Chico protected data may only be kept on campus systems.
Storage of Protected Data
Level 1 and Level 2 data must be protected.
Neither Level 1 Confidential data nor Level 2 Private data should be stored on university-owned personal computers (desktop or laptop), other electronic storage media (e.g., CD, DVD, or flash drive) or other electronic devices (e.g., mobile devices, smart phones, tablets) unless University data security requirements commensurate to the data classification level are met. Level 1 and Level 2 data should be removed when the business justification for storage no longer exists, or when required by the records retention schedule. Level 2 Private data for students enrolled in the current semester may be stored on University and non-university owned computers during the current term only. At the end of the term, such data should be removed to an appropriate, secure archive medium and location or encrypted.
Systems and electronic storage devices used to store Level 1 Confidential or Level 2 Private data must meet the minimum CSU, Chico desktop security standards, available here: CSU, Chico mandated security standards (PDF).
Level 1 Confidential data stored on university-owned computers (desktop or laptop), other electronic storage media (e.g., CD, DVD, or flash drive) or other electronic devices (e.g., mobile devices, smart phones, tablets) must be encrypted using University-approved encryption methods.
Under no circumstance should Level 1 Confidential data be stored on computers, other storage media, or other electronic devices not owned by the California State University, its auxiliaries or its foundations or centers.
Cloud Storage
Cloud Computing Security - Cloud computing security, including Software as a Service (SaaS), makes use of the cloud computing infrastructure to deliver one application to many users, regardless of their location. Cloud storage of files can expedite collaboration and sharing of information; however, users need to be aware that CSU, Chico explicitly forbids the storage of University Level 1 Protected Information and restricts the storage of Level 2 Private Information.
The following table outlines the data classification and proper handling of CSU, Chico data:
Data Classification | Level 1 Protected | Level 2 Private Internal | Level 3 Public General | Non-University Data |
---|---|---|---|---|
Local Storage (on your computer) | Ⓧ | Incidental Use Allowed | Incidental Use Allowed | Incidental Use Allowed |
Cloud Storage Approved by University: CSU Chico* Box | Ⓧ | ✓ | ✓ | Incidental Use Allowed |
Cloud Storage Approved by University: CSU Chico* Box Level 1 Folder | ✓ | Incidental Use Allowed | Ⓧ | Ⓧ |
Cloud Storage Approved by University: CSU Chico* Sharepoint/O365/OneDrive/Google Apps | Ⓧ | Incidental Use Allowed | ✓ | Incidental Use Allowed |
Non-CSU Chico Google, Box, Dropbox & O365 | Ⓧ | Ⓧ | Ⓧ | ✓ |

*Only services contracted by and supported by the University. ✓ Allowed. Ⓧ Not Allowed.
- Level 1 Protected Data - Confidential: (PII) Social Security number and name, driver's license number and name, and credit card numbers; (ePHI) Health Information
- Level 2 Private Data - Internal: Information that must be protected because of ethical or privacy concerns, such as grades, disciplinary actions, or student photos
- Level 3 Public Data - General: Information such as title, email address, or other directory information that is freely available in the public domain
- Non-University Data: Personal files, instructional documents, syllabus

Schedule Series | Department |
---|---|
1.0 Personnel/Payroll | AVP for Staff Human Resources |
2.0 Fiscal | AVP Financial Services, University Budget Director |
3.0 Environmental Health & Safety | Director, Environmental Health & Safety |
4.0 Student Records | University Registrar |
5.0 Facilities | Director, Facilities Management and Services |
6.0 University Police | Chief of Police |
7.0 University Advancement | Director of Advancement Services and Annual Fund |
8.0 Academic Personnel | Int. Associate Vice President for Academic Personnel |
9.0 Curriculum & Accreditation | Dean of Undergraduate Education |
10.0 Grants & Sponsored Programs | Dean of Undergraduate Education/Int. AVP Academic Programs |
11.0 Institutional Records | Chief of Staff |