Information Technology Services – Dr. Baz Abouelenein, Chief Information Officer
Last Revised: 3/8/17
Title: Organizational Security and Data Classification Policy
Applicable: Wofford College Staff and Faculty
Contacts: IT Help Center ext. 4357
Background: Wofford College employees handle personal and confidential information protected by laws and contractual requirements. In order to better protect the safety and confidentiality of the College’s information resources, the College needs a policy outlining the types of protected information, and allocating roles and responsibilities for securing that information.
Policy: All Wofford faculty and staff are responsible for maintaining appropriate security and confidentiality for the College’s information. All members of the campus community must comply with College information policies and applicable laws regarding information security and confidentiality. The College will allocate security roles and responsibilities for classifying data, establish training programs, and perform periodic security audits to ensure compliance.
Guidelines
- The College allocates information security roles and responsibilities as follows:
  - The Chief Information Officer is responsible for establishing service levels and directing the implementation of appropriate security policies and procedures to protect the College’s information resources.
  - A manager with responsibility for entering, updating, and maintaining a portion of the College’s information functions as a Data Steward. Data Stewards authorize access to their information, and ensure its accuracy and quality. Data Stewards also ensure that the data processors they supervise are adequately trained. Examples of Wofford Data Stewards include: the Registrar, the Dean of Libraries, the Director of Admission, the Director of Financial Aid, the Director of Advancement Operations, the Director of the Wellness Center, the Assistant Dean of Students for Residence Life, the Controller, the Director of Human Resources, and other managers responsible for entering, updating, and maintaining their assigned College information.
  - Data Processors are authorized by Data Stewards to enter, modify, or delete data. Data Processors are responsible for, and accountable for, the completeness, accuracy, and timeliness of the data assigned to them.
  - A Data User is any College employee, contractor, affiliate, or duly authorized member of the community who can access internal and/or highly sensitive College data, but does not modify or delete that data. For the purposes of the responsibilities outlined in this policy, Data Users include all who have the capacity to access College data. All Data Users, whether they are Data Stewards, Service Owners, or Processors, are responsible for the security and privacy of the data they access, and are responsible for reporting any data compromises.
- Data required to conduct the operations of the College are classified into three categories: public use data, internal use only data, and highly sensitive data.
  - “Public Use” data is information intended for general public use. An example is the College's on-line directory.
  - “Internal-Use-Only” data is information not generally made available to parties outside the Wofford College community. An example is minutes from confidential meetings. These are considered internal use only data and should not be routinely disclosed. This information may be released to parties outside the Wofford College community, but such requests must be reviewed by the appropriate Data Steward. Unauthorized distribution of this data to external sources is an abuse of privileged information.
  - “Highly Sensitive” data is information defined as such in contracts and/or specified in laws as information that must be protected. Among the types of data included in the category are individual financial records, social security numbers, credit card information, proprietary data, and data protected by law or international agreement.
- The College provides employees with access to College data to conduct College business. Internal-Use-Only and Highly Sensitive data will only be made available to employees with a genuine need for it. This may include data collected from students, faculty, staff, contractors, members of the community, or those with no affiliation with the College. Employees accessing such data must observe privacy and confidentiality requirements, comply with protection and control procedures, and accurately present data used in reports. Departments with stewardship responsibility for portions of Internal-Use-Only and Highly Sensitive College data must establish internal controls to ensure that College policies are enforced. All Data Users are responsible for the security and privacy of the data they access.
- The College forbids the disclosure of Internal-Use-Only data and/or Highly Sensitive data in any medium except as approved in advance by a Data Steward. The College prohibits the use of any Internal-Use-Only or Highly Sensitive College data for one’s own personal gain or profit, for the personal gain or profit of others, or to satisfy personal curiosity. Each data user is responsible for the consequence of any misuse of College data.
- Should a security breach occur, ITS will investigate and decide whether to refer the matter to law enforcement authorities through Campus Safety. The Director for Human Resources will review matters involving College staff. The Provost will review matters involving faculty. The Dean of Students reviews matters involving students. College Counsel will review matters involving individuals not affiliated with the College.
- All individuals accessing Wofford College information must comply with federal and state laws, and College policies and procedures, regarding the security of Highly Sensitive data. Any individual with access to College data who engages in unauthorized use, disclosure, alteration, or destruction of data will be subject to disciplinary action, including possible dismissal and/or legal action.
- In cooperation with department managers, ITS will work with the Director of Risk Management on a security awareness and training program for all members of the College community.