| Policy Category | Policy No. & Title | Policy Owner | Version No. | Effective Date | Review Cycle | Last Reviewed |
|---|---|---|---|---|---|---|
| Information Governance, Security, and Technology | Policy on Data Classification | VP & General Counsel | v.2 | September 28, 2022 | Every 3 years | July 1, 2021 |
The University of Maryland Global Campus ("University") maintains a vast amount of Information to support its administrative and educational activities. Data Classification plays a critical role in the University's comprehensive approach to maintaining the Confidentiality, Integrity, Availability and/or Privacy of its Data. This Policy describes the roles, responsibilities, and procedures for classifying Data and for implementing and complying with the prescribed Data security measures.
This Policy applies to all University business operations across all University divisions and departments. This Policy applies to all University Employees, as well as contractors, consultants, temporary employees, and other third parties performing duties on behalf of the University. This Policy applies to all Information and Data processed by the University and all Information Resources.
The capitalized terms found in this Policy shall have the meanings below.
A. Availability: The principle of ensuring timely and reliable access to and use of Information based upon the concept of Least Privilege.
B. Business System Steward: An Employee who is responsible for the development, procurement, integration, modification, operation, and maintenance, and/or final disposition of an Information Resource.
C. Confidentiality: The principle of preserving authorized restrictions on Information access and disclosure, including means for protecting personal privacy and proprietary information.
D. Contractors: A person or a company that undertakes a contract to provide materials or labor to perform a service.
E. Controlled Unclassified Information (CUI): US Federal Government or Contractor created information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
F. Data: A subset of Information in an electronic format that allows it to be retrieved or transmitted.
G. Data Classification: The assignment of a classification to Data or sets of Data based on the impact to the University if the Confidentiality, Integrity, or Availability of the Data is compromised.
H. Data Stewards: The UMGC employees, or designees, who are responsible for determining User access and assigning Data Classifications to data originating from or residing in their respective business units.
I. Employees: University staff and faculty, including nonexempt, exempt, and overseas staff and collegiate and adjunct faculty.
J. Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.
K. Information Governance Team: A group of representatives from the various functional areas of the University and third party subject matter experts as appropriate who are responsible for (i) providing interdepartmental oversight and strategic management of the University's Information and Information Resources; (ii) facilitating the integration of Privacy by Design into University operations; and (iii) supporting the development and review of Information Governance related policies and procedures across the University.
L. Information Resource: Anything that is intended to generate, store, or transmit Information.
M. Integrity: The principle of ensuring Records and the Information contained therein are accurate and Authentic by guarding against improper information modification or destruction.
N. Least Privilege: The security objective of granting an individual access to only such Information Resources and records, and the Information contained therein, as necessary to perform the individual's job.
O. Privacy: The right of a party to maintain control over and Confidentiality of Information about itself.
P. Processed/Processing: Any operation or set of operations which is performed on Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Q. Technical System Leads: A University employee or individual working on behalf of the University who works to ensure that the Information System meets the business expectations around functionality and deliverables, as well as the integration, modification, security, operation, and maintenance of an Information System.
IV. Data Management
A. All Data Processed by the University's Information Resources is the property of the University, to the extent permitted by law or contract.
B. The University shall designate Data Stewards. The Information Governance Team, established by UMGC Policy X-1.01 Information Governance, shall maintain a record of Data Steward designations.
C. When an Information Resource(s) is purchased or renewed, the Business System Steward is responsible for ensuring that the relevant Data Steward(s) is(are) notified in order for the Data Steward to carry out their responsibilities as provided herein.
D. Data should only be Processed by the University to satisfy a legitimate business purpose and in a legal manner.
E. Adequate controls must be in place to protect the Confidentiality, Integrity, and Availability of Data commensurate to its Data Classification.
F. UMGC's Information Governance Team is responsible for overseeing compliance with University System of Maryland (USM) IT Security Standards, and applicable federal, state, and local laws regarding Data Classification.
V. Data Classification
A. Data Stewards are responsible for ensuring Data Classifications are assigned appropriately to each type of Data they oversee and that a record of those classifications is maintained.
B. Data Stewards are responsible for ensuring that the assigned Data Classifications are provided to applicable Business System Steward(s) and Technical System Lead(s) upon initial designation.
C. After initial Data Classifications are assigned, Data Stewards may change the Data Classification for particular Data as needed. Data Stewards are responsible for ensuring that the updated classifications are provided to the applicable Business System Steward(s) and Technical System Lead(s) in a timely manner.
D. The Business System Steward and Technical System Lead shall oversee the implementation of appropriate controls commensurate with the Data Classifications within the particular Information Resource.
E. Data Stewards shall assign Data Classifications to Data based on the risk associated with improper disclosure for the particular type of Data as follows:
1. High Risk Data
a. University Data that (i) could be exploited for criminal or nefarious purposes; (ii) the University is obligated by state or federal statute or regulation to keep confidential; (iii) the University is contractually obligated to keep confidential; or (iv) are critical to the University's operational performance and cannot be easily replaced. The loss of Confidentiality, Integrity, or Availability of such Data would cause severe harm to individuals or to the University's operations, safety, finances, and/or reputation if disclosed.
b. Trade secrets, inventions, mask works, ideas, processes, research, formulas, source and object codes, Data, programs, other works of authorship, know-how, improvements, discoveries, developments, designs, techniques, and any other proprietary technology that is owned by the University by law, policy or contract;
c. Business and financial information or trade secrets received from a third party, which is subject to a duty on the University's part to maintain the confidentiality of such information; and
d. Records pertaining to the University's competitive position with respect to educational services, including but not limited to records addressing fees, tuition, charges, and supporting information held by the University (other than fees published in catalogs and ordinarily charged to students), proposals for the provision of educational services other than those generated, received or negotiated with its students, and research, analysis, or plans relating to the University's operations or proposed operations.
e. Examples of such Data include, but are not limited to:
ii. Education records
iii. Medical records
iv. Financial information
v. Controlled Unclassified Information (CUI)
vi. Confidential information about University donors
vii. Databases used for tax, health care, payroll
viii. University-associated Account username(s) in combination with password(s)
2. Moderate Risk Data
a. University Data that are not available to the public. The loss of the Confidentiality, Integrity, or Availability would cause limited harm to individuals or the University's operations, safety, finances, and/or reputation. Data that were created or received primarily for use by the University or its Employees, Contractors, vendors, consultants, volunteers, students, alumni, donors, agents, or representatives for the University's legitimate business purposes and can reasonably be expected to be secured from public view.
b. By default, all University Data that are not explicitly classified as High Risk Data or Low Risk Data shall be classified as Moderate Risk Data.
c. Examples of such Data include, but are not limited to:
i. University research not considered High Risk
ii. Non-public reports, budgets, operation plans
3. Low Risk Data
a. University Data that contain any Information that is already available to the general public or is required by law, policies, procedures, contract, or otherwise to be made available to the general public with no legal restrictions on its access or use. The loss of Confidentiality, Integrity, or Availability would cause little to no harm to individuals or the University's operations, safety, finances, or reputation.
b. Examples of such Data include, but are not limited to:
i. Information found on the University's publicly facing website
ii. University published marketing collateral
F. Combination of Data
1. If a set of Data contains multiple types of Data with different Data Classifications, Data Stewards are responsible for ensuring that at least the highest Data Classification that was applied to a particular Data element within that Data set is assigned to the entire Data set.
2. If a set of Data contains multiple types of Data with the same Data Classifications, Data Stewards are responsible for ensuring that a determination is made whether the Data set requires a higher level of Data Classification and if so, shall ensure that the higher classification is assigned accordingly.
VI. Yearly Review
A. Data Stewards shall validate all applicable Data Classifications with the relevant Business System Steward(s) and Technical System Lead(s), in conjunction with the Data Protection Officer, as needed, or at least yearly, and update as necessary.
A. Any Employee, Contractor, or third party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the Office of Human Resources as soon as practical.
B. Data Stewards, in consultation with the Office of Human Resources, may instruct Business System Stewards and Technical System Leads to take down and remove content that violates this Policy, as well as to confiscate, or temporarily suspend or terminate the use of, the Information Resource.
C. Employees or Contractors who violate this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract.
VIII. Effective Date: This policy is effective as of the Effective Date set forth above.