Data Classification Best Practices
Internal and external distribution of sensitive data should be classified to better manage media of varying types.
KCTCS has a signed Business Associate's Agreement (BAA) with Microsoft to reasonably safeguard personal data against inappropriate use and/or disclosure. Users who need to store and/or share their private data using OneDrive should turn on auditing. If an account is compromised, auditing allows a user to see when a file was created, who read it and when, who edited it, and even who searched for it. This is important information to have in the event of an account compromise.
What is sensitive data and how can it be defined?
According to KCTCS policy 4.2.5, section 188.8.131.52, sensitive data can be classified into three subtypes:
Classification Types and Data Elements
Confidential information, the highest level of sensitivity, is defined as information that could cause substantial damage to or liability by KCTCS if treated irresponsibly.
Confidential Information is defined by substantial damage to or liability by KCTCS if treated irresponsibly. This information is subject to disclosure upon appropriate legal and administrative review.
Restricted information is defined by the need for special safeguards beyond that taken for public information.
Public information, the lowest level of sensitivity, may be released according to rules, guidelines, and definitions developed to safeguard the information entrusted to KCTCS.
The goal of information security, as stated in the KCTCS Information Security Policy, is to protect the confidentiality, integrity and availability of Institutional Data. Data classification reflects the level of impact to KCTCS if confidentiality, integrity or availability is compromised.
| Data Element | Classification |
|---|---|
| Foundation Donor Information - all data in Donor Database | Confidential |
| Health Information (Email, Medical Records, Patient Information, Dates, Certain Business Numbers, etc.) | Confidential |
| Social Security number | Confidential |
| Driver's License number | Confidential |
| All payment card data (including all credit/debit cards and cardholder information) | Confidential |
| Bank Account Number or other financial account numbers | Confidential |
| Student Loan Information (Account Numbers, Credit Information, etc.) | Confidential |
| Passwords, passphrases, PIN numbers, security codes, access codes | Confidential |
| Student Academic Transcript | Confidential |
| Student Country of Birth or Citizenship | Confidential |
| Country of birth or citizenship | Restricted |
| Job action reason (e.g. terminations or leave) | Restricted |
| Benefits enrollment info | Restricted |
| Payroll information (e.g. taxes, deductions, etc.) | Restricted |
| Date of Birth/Age, place of birth | Restricted |
| Name – Employee/Student | Public |
| Dates of first and last employment | Public |
| Business Telephone Number | Public |
| Previous work experience | Public |
| Education & Training Background | Public |
| Home Mailing Address | Public |
Major field of study