Information Classification Standard
- References: Integrated CSU Administrative Manual (ICSUAM)
- Issue Date: December 2007
- Revision Date: November 2018
- Expiration Date: N/A
- Web Link: N/A
-
Purpose
ӰState University, Long Beach’s databases and files, regardless of format, are essential public resources that must be protected from unauthorized use, access, disclosure, modification, loss, or deletion. However, the appropriate level of physical, technical and administrative safeguards necessary to provide protection is relative to the value, legal requirements, sensitivity and criticality of the information.
-
Scope
This Standard applies to all records, regardless of medium that are collected, generated, and/or maintained by ӰState University, Long Beach except where superseded by grant, contract, or federal copyright law and to all employees of Ӱ and Ӱ auxiliary organizations.
-
Roles and Responsibilities
Roles and responsibilities associated with Information Classification are as follows:
- The CSU Office of the Chancellor is responsible for identifying Level 1 Confidential Information.
- University Information Security Officer is responsible for assisting Division Information Security Officers in the identification of information types within their respective area and determining classification levels. The University Information Security Officer is also responsible for conducting an annual review of this Standard and amending it as appropriate.
- Division Information Security Officers are responsible for guiding compliance with this Standard within their respective college, department, administrative area, or organization.
Information Classification
The ӰState University identifies three (3) classification levels of information based on the value, legal requirements, sensitivity and criticality assigned to them. These levels are:
Aggregates of information are classified based upon the most secure classification level. That is, when information of mixed classifications exists in the same file, document or other written form*, the entire file, document, etc. shall be classified at the most secure classification level.
*Written form is defined as any handwriting, typewriting, printing, photostating, photographing, photocopying, transmitting by electronic mail or facsimile, and every other means or recording upon any tangible thing and form of communication or representation, including letters, words, pictures, sounds, or symbols, or combinations thereof, and any record thereby created, regardless of the manner in which the record has been stored.
Level 1 – Confidential
This is information maintained by the University which is exempt from disclosure under the provisions of the ӰPublic Records Act or other applicable state or federal laws. The unauthorized use, access, disclosure, acquisition, modification, loss, or deletion of confidential information could result in severe damage to Ӱ, its students, employees, or customers. Financial loss, damage to Ӱ’s reputation, and legal action could occur. Confidential information is intended solely for use within Ӱ and limited to those with a “business need-to-know.” Disclosure of confidential information to persons outside of the University is governed by specific standards and controls designed to protect the information.
Level 1 Confidential Information includes but is not limited to:
Notice-triggering Personal Information1
- Biometric Information
- Electronic or digitized signatures
- Private Key (digital certificate)
- Medical and Psychological counseling records
- Forms of national or international identification (such as passports, visas, etc.), in combination with name
- Criminal background check results
- Passwords or credentials
- Cardholder Data
Information contained on a credit card including the cardholder name, the primary account number (PAN), service code, expiration date, full magnetic stripe data, CAV/CVC2/CVV2/CID, and PIN/PIN blocks.
Medical Information
Information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
Health Insurance Information
An individual’s health insurance policy number or subscriber identification number; any unique identifier used by a health insurer to identify the individual; or any information in an individual’s application and claims history, including any appeals records.
Financial Information
Personal information which includes, but is not limited to, an individual’s number of tax exemptions, amount of taxes or OASDI withheld, amount and type of voluntary/involuntary deductions/reductions, survivor amounts, net pay and designee for last payroll warrant.
Protected Health Information
Individually identifiable information created, received, or maintained by health care providers or health plans sufficient to allow identification of the individuals such as the individual’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.
Technical Security Information
Law Enforcement Information
Library Patron Information
Library database for faculty, staff, students and community borrowers which may contain:
Legal Information
Contract Information
1 and other legal statutes, such as the Health Information Portability and Accountability Act (HIPAA), require notification to individuals in the event of a security breach of certain personal information. The campus refers to this as Notice-triggering Personal Information.
Level 2 – Internal Use
This is information which must be protected due to proprietary, ethical or privacy considerations. Although not specifically protected by statute, regulation, or other legal obligations or mandates, unauthorized use, access, disclosure, acquisition, modification, loss or deletion of information at this level could result in financial loss, damage to Ӱ’s reputation, violate an individual’s privacy rights or legal action could occur.
Level 2 Internal Use Information includes, but is not limited to:
Identity Validation Keys (name with)
Campus Identification Keys
Student
Employee Information
- Net salary
- Employment history
- Home address
- Personal telephone numbers
- Personal email address
- Parents and other family members names
- Payment history
- Performance evaluations
- Pre-employment background investigations
- Mother’s maiden name
- Birthplace (City, State, Country)
- Race and Ethnicity
- Gender
- Marital Status
- Physical description
- Photograph
Alumni Information
Job Applicant Information
University Donor Information
University Research
Library Circulation Information
Other
Level 3 - Public
This is information that is generally regarded as publicly available. Information at this level is either explicitly defined as public information or intended to be available to individuals both on and off campus. Knowledge of this information does not expose Ӱ to financial loss or jeopardize the security of Ӱ’s information assets. Prior to disclosure, public information may be subject to appropriate campus review or procedures to mitigate any potential risks of inappropriate disclosure.
Level 3 Public Information includes, but is not limited to:
Employee Information (including student employees)
- Level 1 - Confidential
- Level 2 - Internal Use
- Level 3 - Public
- An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
- Social Security Number.
- Driver’s license or Ӱidentification card number.
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
- Medical information.
- Health insurance information.
- Information or data collected through the use or operation of an automated license plate recognition system, as defined in CA Civil Code §1798.90.5.
- A user name or email address, in combination with a password or security question and answer that would permit access to an online account
- Vulnerability/security information related to campus systems or services
- Law enforcement records related to an individual
- Law enforcement home address information
- Home Address
- Home Phone
- Social Security Numbers
- Legal investigations conducted by the University
- Attorney/Client communications
- Sealed bids
- Third party proprietary information per contractual agreement
- Birth date (full: mm-dd-yy)
- Birth date (partial: mm-dd only)
- Campus identification number
- User ID (do not list in a public or an aggregate list when it is not the same as the student email address)
- FERPA educational records including full directory information (the release of all FERPA directory infomation has to be approved by the FERPA officer to ensure the disclosure of education records is controlled according to a student's request)
- Student's name
- Addresses
- Telephone numbers
- Email addresses
- Date of birth
- Previous educational institution(s)
- Participation in official activities and sports
- Weight and height of athletes (The Director of Athletics may provide information concerning participation of students in athletic events including the height and weight of athletes)
- Dates of attendance
- Major
- Year of School
- Full or part time status
- Degrees and awards
- Photos
- Note: FERPA educational records to be never disclosed, unless under specific approval by the campus FERPA officer:
- Grades
- Grade point average
- Gender
- Social Security Number (or part of an SSN)
- Country of citizenship
- Race and ethnicity
- Religious affiliation
- Courses taken
- Schedule
- Test Scores
- Advising records
- Educational services received
- Disciplinary actions
- Same as Employee Information
- Same as Employee Information
- Same as Employee Information
- Trade secrets or intellectual property
- Information which links a library patron with a specific subject the patron has accessed or requested
- Location of critical or protected assets
- Licensed software
- Patron information (for athletics, theater events, etc.), such as home address, email, etc.
- Title
- Status as a student employee (such as TA, GA, ISA)
- Campus e-mail address
- Work location and telephone number
- Employing department
- Position classification
- Gross salary
- Name (first, middle, last)(except when associated with confidential information)
- Signature
-
INFORMATION PROTECTION REQUIREMENTS
Information must be protected when handled, transmitted, stored, and disposed based on its classification level. Safeguards to protect university information assets are found in the below matrix.
This matrix describes the protection measures required for each information classification level:
Confidential
Level 1Internal Use
Level 2Public
Level 3Handling All workstations that store or access level 1 information must comply with the CSU Configuration Management - High-Risk/Critical Workstation Standard ICSUAM 8050.S200.
Please also refer to the Clean Desk and Clear Screen Standard.
Please refer to the Clean Desk and Clear Screen Standard. No restrictions Transmitting
Distribution:
Limited to those employees with an established business need-to-know and are either Ӱ employees or who someone who has signed a confidentiality agreement.Distribution:
Transmission only to Ӱ employees and those individuals with a business need-to-know.No restrictions Electronic Mail (email or attachments to email:
May be sent within the Ӱ email system (@csulb.edu) but not over a public network unless password protected or encrypted.All email transmissions of confidential information must contain the follow statement: “The information contained in this email message or its attachment is confidential. Dissemination or copying of this email is strictly prohibited. If you think that you have received this email in error, please email the sender.”
Electronic Mail (email or attachments to email):
May be sent within the Ӱ email system (@csulb.edu) or over a public network to persons with a business need-to-know.Mail (hard copy):
Printed information may be sent through intercampus or U.S. mail but must be sealed in a plain envelope clearly marked, “To be Opened by Addressee Only”.Mail (hard copy):
Printed information may be sent through intercampus or U.S. mail with no special markings or handling.FAX:
Authorized only from and to Ӱ FAX machines. Information may not be sent to public FAX machines.FAX:
Same as Level 1Telephone:
Authorized, but only to CSU employees and others with a business need-to-know.Telephone:
Same as Level 1Storage
Must be stored on secured servers (please contact security@csulb.edu for specifics) or campus approved cloud storage - Office 365 One Drive for business or SharePoint Online.
When access to a secure server is not available and when approved by the appropriate administrator, Level 1-Confidential Information may be stored on University owned laptops, desktops or portable electronic storage media. In such cases, laptops, desktops and portable electronic storage media storing level 1 data must be encrypted and tagged according to the university’s Property Management procedures. See Note 2.
Level 1 information may not be stored on personal equipment such as personal laptops, personal desktops, personal digital assistants (PDAs) iPods® or cell phones (such as BlackBerry®, Treo®, and iPhones®.
See Note 1 for prohibitions regarding the storage of specific Payment Related Data.
Printed level 1 information must be secured in a locked enclosure.
Secured servers (please contact security@csulb.edu for specifics) or campus approved cloud storage - Office 365 One Drive for business or SharePoint Online recommended.
May be stored on University owned encrypted laptops or encrypted portable electronic storage media. May also be stored on desktops, but if it involves large volumes of level 2 data, encryption of desktop is required.
Level 2 information may not be stored on personal equipment such as personal laptops personal desktops, personal digital assistants (PDAs) iPods® or cell phones (such as BlackBerry®, Treo®, and iPhones®).
Storage on secured servers or campus approved cloud storage - Office 365 One Drive for business or SharePoint Online strongly recommended.
Retention
Records of any type of medium, such as paper, microfiche, magnetic, or optical, shall not be retained beyond the minimum retention period identified in the CSU Record Retention Schedule.
Same as Level 1 Same as level 1 Disposition Proper Media Sanitization Methods are described, below. Same as Level 1 Normal waste disposal The Primary Account Number (PAN) may not be stored unless encrypted.
The following types of payment related data may not be stored even if encrypted:
Note 2: If an unencrypted computer or hard drive with level 1 data is missing (stolen or lost), the University is required by law to activate security breach protocol/procedure. The department will have to bear the costs related to the breach notification requirements.
- Sensitive authentication data, which includes, but is not limited to, all of the following:
- The full contents of any data track from a payment card or other payment device
- The card verification code or any value used to verify transaction when the payment device is not present
- The personal identification number (PIN) or the encrypted PIN block
- Any payment related data that is not needed for business purposes.
- Any of the following data elements:
- Payment verification code
- Payment verification value
- PIN verification value
- Sensitive authentication data, which includes, but is not limited to, all of the following:
-
Information Disposal Requirements
To protect the confidentiality of information and the related privacy rights of Ӱ students, faculty, staff, donors, patrons, vendors, and others, Level 1 and Level 2 information contained in all software and/or computer files, storage media devices and hard copy must be sanitized prior to disposal. The sanitization process ensures that recovery of information is not possible. Several methods can be used to sanitize media; however, the two major types of sanitization are Clearing and Destroying.
Clearing – Clearing information is a level of media sanitization that protects the confidentiality of information against a robust keyboard attack. Simple deletion of items does not suffice for clearing. Clearing must not allow information to be retrieved by data, disk, or file recovery utilities and must be resistant to keystroke recovery attempts executed from standard input devices and from data scavenging tools. Overwriting is an acceptable method for clearing media. The security goal of overwriting is to replace written data with random data.
There are several overwriting software products to overwrite storage space on media. Ӱ Network Services provides software tools and instructions to securely clean the data from ATA based hard drives and other storage media. Overwriting cannot be used for media that are damaged or not rewritable. In such cases, media should be destroyed.
Destroying – Destruction of media is the ultimate form of sanitization. After media are destroyed, they cannot be reused as originally intended. Physical destruction can be accomplished using a variety of methods. Hard copy destruction can be accomplished using a variety of methods, with cross-cut shredding being the most common practice. Straight cut shredding is not a compliant destruction method. Departments may shred media on site or contact Procurement and Support Services for a listing of approved document destruction vendors.
For additional information regarding the disposal of electronic storage media, please refer to the Ӱ Electronic Media Sanitization Process.
The matrix below describes the disposal methods for level 1 and level 2 data/records:
Hard Copy Storages
Media Type Method Paper Physically destroy by shredding (cross-cut shredder) or campus authorized document destruction service contractor.
In order to use the campus authorized document service contractor, please log into the 'Forms' chiclet within campus Single Sign-On. Click on the 'Forms' link, then search for 'Service Provider Activation Request' Form. Please refer to the Purchasing website link Document Destruction - Purchase & Pay for further information.
Microforms Physically destroy by shredding (cross-cut shredder) or campus authorized document destruction service contractor.
Please see instructions for paper above.
Hand-Held Devices
Media Type Method Cell Phones Manually delete all information, then perform a full manufacturer’s reset to reset the cell phone back to its factory default settings. Personal Digital Assistant (PDA) (Palm, PocketPC, other) Manually delete all information, then perform a manufacturer’s hard reset to reset the PDA to factory state. Equipment
Media Type Method Copy Machines Perform a full manufacturer’s reset to reset the copy machine back to its factory default settings Fax Machines Perform a full manufacturer’s reset to reset the fax machine back to its factory default settings Magnetic Memory Storage
Media Type Method Floppies Overwrite by using university-approved and validated overwriting technologies/methods/tools, or degauss.
For more information refer to the Ӱ Electronic Media Sanitization Process.
IDE (Integrated Drive Electronics) Hard Drives Overwrite by using university-approved and validated overwriting technologies/methods/tools, or degauss.
For more information refer to the Ӱ Electronic Media Sanitization Process.
Serial ATA (Advanced Technology Attachment) Drives Overwrite by using university-approved and validated overwriting technologies/methods/tools, or degauss.
For more information refer to the Ӱ Electronic Media Sanitization Process.
SSD (Solid State Drives) Special destruction services required. Please contact security@csulb.edu for destruction. Zip Disks Overwrite by using university-approved and validated overwriting technologies/methods/tools, or degauss.
For more information refer to the Ӱ Electronic Media Sanitization Process.
SCSI (Small Computer System Interface) Drives Overwrite by using university-approved and validated overwriting technologies/methods/tools, or degauss.
For more information refer to the Ӱ Electronic Media Sanitization Process.
Reel and Cassette Format Magnetic Tapes Clear magnetic tapes by either re-recording (overwriting) or degaussing.
Overwriting should be performed on a system similar to the one that originally recorded the data. For example, overwrite previously recorded classified or sensitive VHS format video signals on a comparable VHS format recorder. All portions of the magnetic tape should be overwritten one time with known nonsensitive signals.
Magnetic Cards Overwrite media by using university-approved and validated overwriting technologies/methods/tools, or physically destroy by shredding. Optical Disks
Media Type Method CDs Physically destroy by shredding. DVDs Physically destroy by shredding. Static Memory Storage
Media Type Method Compact Flash Drives or USB/Memory Sticks Overwrite media by using university approved and validated overwriting technologies/methods/tools. Flash Cards Perform a full chip purge as per manufacturer’s data sheets. Smart Cards Overwrite media by using university-approved and validated overwriting technologies/methods/tools. PCMCIA (Personal Computer Memory Card International Association Cards) Overwrite media by using university-approved and validated overwriting technologies/methods/tools. RFID (Radio-Frequency Identification) Overwrite media by using university-approved and validated overwriting technologies/methods/tools. Items Not Listed Above
Media Type Method Other Memory Devices Contact your area computer technician or security@csulb.edu for the best method of sanitization. Unlisted Technologies For electronic technologies not listed in the above table, please contact security@csulb.edu.
Further Information
For further information or assistance, contact your designated computer technician or security@csulb.edu.