Internal - Faculty & Staff

Data Classification & Secure Storage Policy

The following data classification model is based on the guidelines in NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, and provides an overview of the types of data owned by Simmons, categorized by the potential business risk of their disclosure or destruction.

Restricted

Data is classified as Restricted when the unauthorized disclosure or destruction of that data could cause a significant risk to the organization’s reputation, resources, services, individuals, or its affiliates; as such, the highest level of security controls is applied to this data. Restricted data is often protected by state or federal privacy regulations (e.g. HIPAA, GLBA) and/or confidentiality agreements. The Simmons Information Security Policy defines sensitive information as an individual’s name, address, or telephone number combined with any of the following:

  • Social security number or taxpayer ID number
  • Financial account, credit or debit card number
  • Financial/salary data
  • Driver’s license number
  • Date of birth
  • Medical or health information protected under state or federal law (e.g. HIPAA)
  • Access codes, security codes or passwords that would permit access to sensitive information

Additional examples of restricted data include private encryption keys and student loan application data.

Private

Data is classified as Private when the unauthorized disclosure or destruction of that data could cause a high risk to the organization’s reputation, resources, services, or individuals. Examples of Private information include: student data protected under state or federal law (e.g. FERPA), merchant IDs, risk and information security assessments, library circulation records, attorney-client data, donor information, networking and critical infrastructure plans or diagrams, and tokens/passcodes.

Internal Use

Data is classified as Internal Use when the unauthorized disclosure or destruction of that data could cause a moderate risk to the organization’s reputation, resources, or services. Most data that is used to conduct business operations or transmitted between departments is considered Internal Use. Examples of Internal Use information include contracts, software license keys, nonpublic network addresses, business continuity plans, copyright/patent/trademark information, home addresses, and emergency contact information.

Public

Data is classified as Public when it is typically publicly accessible, requires minimal security controls, and poses little or no risk to the organization’s reputation, resources, services, or individuals.

The following matrices depict the appropriate storage and transmission methods for each level of the data classification model and serve as a general guideline for “what data can be stored where”. These storage and transmission practices conform with Massachusetts 201 CMR 17.03(2)(c).

  • Restricted: Due to legal restrictions or security concerns, some legally protected and highly sensitive information must not be stored on Google Apps or other “cloud-based” systems, including Google Mail.
  • Private: Can be stored on Simmons Google Drive, except as noted below, and with caution.
  • Internal Use Only: Acceptable to store on Simmons Google Drive, except as noted below, and with caution.
  • Public: Acceptable to store on Simmons Google Drive.

Data Classification Secure Storage Policy Table