Effective Date: December 1, 2007
Revised: February 2013
Data classification is a method of assigning a level of sensitivity to data. The classification of the data determines the extent to which it needs to be controlled and secured. This policy defines the required data protection criteria based on its classification and sensitivity.
Reason for the Policy
The classification of data, information, and documents is essential to differentiate between non-sensitive and sensitive / confidential information. When data is stored, created, amended, or transmitted, it should be appropriately classified and protected in accordance with its sensitivity level.
Primary Guidance to Which This Policy Responds
This policy responds to all applicable federal and state statutes pertaining to the protection of sensitive and confidential information. These statutes include, but are not limited to, New York State Law, the New York State Information Security Breach and Notification Act, the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Payment Card Industry Data Security Standard (PCI DSS).
Responsible University Office & Officer
The office of Columbia University Information Technology Security is responsible for the maintenance of this policy, and for responding to questions regarding this policy. The Chief Information Security Officer (CISO) is the responsible officer.
This policy was established in December 2007.
Who is Governed by This Policy
This policy applies to all individuals who access, use, or control Columbia University electronic information resources. Those individuals covered include, but are not limited to, faculty, staff, students, those working on behalf of the University, and individuals authorized by affiliated institutions and organizations.
Who Should Know This Policy
Anyone who accesses, uses, or controls Columbia University electronic information resources should be familiar with this policy.
Exclusions & Special Situations
Existing systems and applications containing sensitive and confidential information that cannot use encryption because of technology limitations, but that have compensating controls, may be granted a special waiver. However, these systems and applications must still be thoroughly risk-assessed to ensure that major risks are addressed through compensating controls that protect the data in lieu of encryption.