Professional Documents
Culture Documents
PROCEDURE:
DATA CLASSIFICATION AND
HANDLING
1.0 PURPOSE
Classification of data is a critical element of any mature information security program and
fundamental to securing Hamilton College information assets. This procedure has been
developed to assist, provide direction to and govern all entities of the organization regarding
identification, classification and handling of information assets.
2.0 PROCEDURE
1 of 10
Hamilton College September 2016
Examples:
It is important to place the responsibility for the classification and control of an information
asset with an individual or role. This should be an individual in a managerial position. If
multiple individuals are found to be “owners” of the same information asset, an individual
owner should be designated by a higher level of management.
The information owner is responsible for determining the information’s classification and how
and by whom the information will be used.
Examples:
2 of 10
Hamilton College September 2016
Use the flowchart below to identify the levels for classification for the confidentiality, integrity
and availability of each information asset. Classification of data will be based on specific, finite
criteria as identified in the Federal Information Processing Standard Publication 199 (FIPS-199).
Please see Appendix A for details on FIPS-199 categories.
3 of 10
Hamilton College September 2016
4 of 10
Hamilton College September 2016
5 of 10
Hamilton College September 2016
Examples:
The classification of a data asset will consist of all three categories (Confidentiality, Integrity
and Availability) and will be in accordance with the FIPS199 standard. The classification can be
against a data type and/or an entire information system (i.e. a Social Security number or the
entire Colleague System.
6 of 10
Hamilton College September 2016
The generalized format for expressing the security category, SC, of an information system is:
Note that the value of not applicable cannot be assigned to any security objective in the context
of establishing a security category for an information system. This is in recognition that there is
a low minimum potential impact (i.e., low water mark) on the loss of confidentiality, integrity,
and availability for an information system due to the fundamental requirement to protect the
system-level processing functions and information critical to the operation of the information
system.
AND
representing the high water mark or maximum potential impact values for each security objective
from the information types resident on the Colleague system.
7 of 10
Hamilton College September 2016
Information assets shall be handled according to their prescribed classification, including access
controls, labeling, retention policies and destruction methods, among others.
In general, controls assigned by Data Asset Owners will deal with the confidentiality category of
the data. The categories representing Integrity and Availability will be used to guide the
approaches taken by Hamilton College to protect against the loss or corruption of the data
(usually at the system level by LITS personnell).
The control for each classification category (C,I,A) should be considered with respect to the
corresponding rating. The following is a partial list of controls to be applied to data assets,
based on their classification.
Controls Key
C=Confidentiality
High Moderate Low Prohibited
I=Integrity
A=Availability
Access • Strong • Password(s) • Access request, • N/A
(C) password(s) • Access request, review, approval
• Access request, review, approval and termination
review, approval and termination process
and termination process
process • Secure storage
• Asset Owner- when not in use
approved access • Situational
• Non-Disclosure awareness for
Agreement (NDA) verbal
for third-parties communications
• Immediate
retrieval when
printing or faxing
• Secure storage
when not in use
• Situational
awareness for
verbal
communications
8 of 10
Hamilton College September 2016
Controls Key
C=Confidentiality
High Moderate Low Prohibited
I=Integrity
A=Availability
monitoring and
alerting
• Privileged identity
monitoring
• Offsite backup
• Secure physical
storage
9 of 10
Hamilton College September 2016
10 of 10