Data Classification
Sinclair Information Classification Matrix
Updated 9/23/13
| Type of Information | Primary Owner or Repository | Confidentiality Classification | Applicable Legislation or Standard |
|---|---|---|---|
| Campus Police/Law Enforcement records | Campus Police | Confidential | |
| Checking account (accounts payable) information | Accounting | Confidential | |
| Student Class Schedules | RSR | Confidential | FERPA |
| College Credit Card Information | Accounting/Purchasing | Confidential | PCI, |
| Degree awarded and date | Registrar | Public | FERPA |
| Digitally captured identification photos | RSR/Departments | Public (Directory) | FERPA |
| Direct Deposit account information | Payroll | Confidential | ORC 1345,1347,1349 |
| Donor information | Foundation | Confidential | ORC 1345,1347,1349 |
| E-mail address (Sinclair provided) | ITS | Public | |
| Employee Background Checks | HR | Confidential | |
| Employee Contracts | HR/Department | Confidential | |
| Employee degrees, certificates, or awards earned | HR | Public (Directory) | |
| Employee dental insurance Records | HR | Confidential | HIPAA |
| Employee Disability/ Health records | HR | Confidential | HIPAA |
| Employee health insurance records | HR | Confidential | HIPAA |
| Employee individual benefit details | HR | Confidential | HIPAA |
| Employee name | HR | Public (Directory) Unless name is linked to SSN, Driver License, or other personal identifying information | ORC 1345,1347,1349 |
| Employee personnel records | HR | Confidential | ORC 1345,1347,1349 |
| Employee previous educational institution affiliation | HR | Public (Directory) | |
| Employee salary information | HR/Payroll | Confidential (NOTE: Data may be officially ‘public record’ but is treated as confidential for routine access/use) | |
| Employee SCC email address | ITS | Public (Directory) | |
| Employee SCC telephone number | HR | Public (Directory) | |
| Employee home phone number | HR | Internal Use Only | |
| Employee time/attendance information | HR/Payroll | Confidential (NOTE: Data may be officially ‘public record’ but is treated as confidential for routine access/use) | |
| FAFSA | Financial Aid | Confidential | FERPA, GLBA |
| Financial Aid / Grants | Financial Aid | Confidential | FERPA, GLBA |
| Financial Aid Applications | Financial Aid | Confidential | FERPA, GLBA |
| Grades | Registrar | Confidential/ Aggregate may be Public | FERPA |
| Honors Status | Registrar | Public | FERPA |
| Parent and Student Tax Returns, and verifying information (i.e. W-2, verification worksheets) | Financial Aid | Confidential | FERPA, GLBA, ORC 1345,1347,1349 |
| Payroll advices | Payroll | Confidential | ORC 1345,1347,1349 |
| Salary | HR/Payroll | Confidential (NOTE: Data may be officially ‘public record’ but is treated as confidential for routine access/use) | |
| Scholarship Details | Financial Aid | Confidential – Directory information may be released, i.e. announcing award winner/recipient names. | FERPA, GLBA |
| SSNs | HR/RSR | Internal Use Only – Confidential when linked with name | ORC 1345,1347,1349 |
| Student address | RSR | Public (Directory) | FERPA |
| Student athlete’s weight and height | RSR | Public (Directory) | FERPA |
| Student Conduct | Student Affairs | Confidential | FERPA |
| Student dates of enrollment | RSR | Public (Directory) | FERPA |
| Student degrees or certificates earned | RSR | Public (Directory) | FERPA |
| Student Financial information (Bank Accounts, Wire Transfers, Payment History, Fee Bills) | Financial Aid/ Bursar | Confidential | FERPA, GLBA |
| Student Disability/ Health records | RSR, Educational Support Services | Confidential | FERPA, HIPAA |
| Student Loans | Financial Aid | Confidential | FERPA, GLBA |
| Student participation in officially recognized activities and sports; including special honors, distinctions, and awards | RSR | Public (Directory) | FERPA |
| Student Payroll | Payroll | Confidential | FERPA |
| Student SCC email address | ITS | Public (Directory) | FERPA |
| Student telephone number | RSR | Public (Directory) | FERPA |
| Student’s date and place of birth | RSR | Public (Directory) | FERPA |
| Student’s major | RSR | Public (Directory) | FERPA |
| Student’s name | RSR | Public (Directory) Unless name is linked to SSN, Driver License, or other personal identifying information | FERPA, ORC 1345,1347,1349 |
| Student’s recent previous educational institution | RSR | Public (Directory) | FERPA |
| Employee Tax details | Payroll | Confidential | ORC 1345,1347,1349 |
| Wage records (individual) | Payroll | Confidential | ORC 1345,1347,1349 |

Definitions:
Confidentiality classification refers to the sensitivity and the access controls required to protect the information. Does legislation or College policy require the information be protected, or is it freely distributable? Is the information time sensitive? Will its confidentiality status change after some time? Confidentiality is defined in terms of:
a) Confidential: Access is restricted to a specific list of people. Examples include human resources/payroll data such as salaries, garnishment orders, child support orders, and employee health information. Stored credit card numbers are also confidential.
b) Sensitive: Access and use of the information must be protected from routine disclosure and is restricted to specific uses only. This includes information required to be protected by legislation and/or generally recognized best practices. Examples include Social Security Numbers, Financial Aid Data, Student identity information (as defined by FERPA).
c) Public: Where the resources are publicly accessible: for example, directory information, the College Bulletin, the College Web Site, recruitment brochures.
Availability classification is a measure of criticality. How important is it that the information asset is accessible/available to the authorized constituent? Is it a single instance or is a backup available? Availability is measured based on reliability and timely access to the asset. In other words, is the system up and running when needed? How long can the asset be down or unavailable? For classification purposes, the availability hierarchy is:
1) Vital: The asset is essential to the College; even a brief outage is significant and may result in a serious negative impact, financial, legal, or otherwise, to Sinclair.
2) Critical: Necessary for routine operation of the College; must be available during normal working hours and/or during registration, reporting, or other business cycles. A brief outage other than during these periods is acceptable; outages during these periods are significant and result in serious negative impact.
3) Important: Significant to a small segment of the College such as a single department or committee. Should be available during normal working hours; outages of up to 24 hours do not significantly impact the College.
4) Routine: Has value to the College and should be routinely available, but extended outages (1-5 days) would not significantly impact Sinclair.
Integrity classification is seldom used for primary information classification, but may be used as a ‘tie-breaker’ when determining priority during business continuity and contingency planning. How important is it that the information is 100% accurate and can be verified as tamper-free? How critical is the accuracy of information to the College or stakeholder? Can it be duplicated or replaced? Integrity is defined in terms of value: high, medium or low. As this is often a subjective valuation, justification may be required for assigning a value classification if the rationale is not obvious or is questionable.
This table provides suggested classifications for Sinclair information. It is not authoritative and may be superseded by the data owners of the information. This table will be updated periodically.