Data Classification and Handling Procedures Guide
This Procedures Guide for the University community was created to help you effectively manage information in your daily mission-related activities. Determining how to protect and handle information depends on a consideration of the information’s type, importance, and usage. These procedures outline the minimum level of protection necessary when performing certain activities, based on the classification of the information being handled. Classification is necessary to understand which security practices should be used to protect different types of information. The more protected the information needs to be, the more practices are required.
Information is classified as Level I, II, or III as defined in the Data Classification and Handling Policy based on the need for confidentiality and critical nature of that information.
NOTE: If any part or subset of the data requires more stringent controls or protections due to statutory, regulatory, and/or contractual obligation, and the data is not severable, then the highest or most stringent protection required for the subset of the data impacted shall govern the entire data set.
Although this Procedures Guide attempts to cover most situations at the University, it is not all-inclusive, and is not intended to represent all protections that may be necessary for each situation.
University employees (faculty, staff, student employees) and other covered individuals (e.g., affiliates, vendors, independent contractors, etc.) in their handling of University data, information and records in any form (paper, digital text, image, audio, video, microfilm, etc.) during the course of conducting University business (administrative, financial, education, research or service).
“Handling” information includes, but is not limited to, the following: creating, collecting, accessing, viewing, using, storing, transferring, mailing, managing, preserving, disposing, or destroying.
In order to safeguard information, these 9 procedures should be followed:
1. Determine How Much Protection your Information Needs
2. Collect Only What is Necessary
3. Provide Minimum Necessary Access
4. Disclose Only the Minimum Information Necessary
5. Safeguard Information in Transit
6. Secure Physical Equipment and Resources
7. Safeguard Information in Storage
8. Dispose of Information Securely When No Longer Needed
9. Stay Informed About Information Risks
1. Determine How Much Protection your Information Needs
The amount/type of protection to be applied to your information depends on an assessment of the need for the Confidentiality and/or critical nature of that information. The table below summarizes this process. For more detail regarding what types of information require Level I, II, or III Protection, refer to the Data Classification and Handling Policy, and Appendix 1: Data Classification Levels I, II and III.
How would you describe your information?
Is it Confidential? Is there a high need for Integrity? Is there a high need for Availability? | Level I Protection | STOP! SPECIAL CARE IS REQUIRED |
Is it Sensitive? Is there a medium need for Integrity? Is there a medium need for Availability? | Level II Protection | BE VERY CAUTIOUS |
Is it Public? Is there a low need for Integrity? Is there a low need for Availability? | Level III Protection | PROCEED WITH AWARENESS |
The rest of this Guide is organized so that you can see what protections are required or recommended for your information, based on the classification level you have determined.
2. Collect Only What is Necessary
| Level I | Level II | Level III |
A. Collect only the minimum required amount of data to fulfill institutional responsibilities. | Required | Required | Required |
B. Collect Social Security Numbers only as required to achieve necessary institutional purpose. | Required | Not Applicable | Not Applicable |
C. Retain full credit card numbers (electronically or on paper), only if written approval has been obtained from Financial Services, the E-commerce committee, and the IT Security Office. | Required | Not Applicable | Not Applicable |
3. Provide Minimum Necessary Access
| Level I | Level II | Level III |
A. Limit access to information to those with a legitimate interest (“need to know” or “need to do”) based on their institutional responsibilities. | Required | Required | Required |
B. Access or attempt to access only information required to fulfill your institutional responsibilities. | Required | Required | Required |
C. DO NOT log in for other people who are trying to access the computer system, e-mail system or other device. Never use anyone else’s login information. | Required | Required | Required |
D. Grant access only to those authorized by the data owner. | Required | Required | Recommended |
E. Use an authentication process to control access to non-public file systems. | Required | Required | Not Applicable |
F. Ensure all vendor access has been approved by the IT Security Office. | Required | Required | Required |
G. Track and review who has gained access by recording ALL access in a system log. At a minimum, successful and failed login events, successful and failed account management events, and successful and failed policy and system events should be logged. (The logs should be stored in a way that precludes system administrators from altering/deleting them. The logs will be reviewed for anomalies monthly.) | Required | Recommended | Recommended |
H. Information must be protected from unintended access by unauthorized users. | Required | Required | Recommended |
I. Respect the confidentiality and privacy of individuals whose records are accessed by observing ethical restrictions that apply to the information accessed and by abiding by all applicable laws and policies with respect to accessing, using, or disclosing information. At a minimum: | Required | Required | Required |
J. Revoke or modify access rights and privileges to information for any individual with new or different responsibilities. | Required | Required | Not Applicable |
K. Establish a periodic review (at a minimum quarterly) of user accounts including the related access rights and privileges for employees in your unit and modify those rights when appropriate. | Required | Required | Not Applicable |
L. Restrict servers to a single primary function. | Required | Recommended | Recommended |
M. Disable or remove unused services, applications, ports, and user accounts. | Required | Recommended | Recommended |
N. Physically secure access to operating systems, servers, and network equipment by placing them in areas that allow access to be restricted. | Required | Required | Recommended |
O. Secure portable devices and portable media devices when unattended (e.g., laptop, PDA, smartphone, etc., and CDs, DVDs, floppy disks, USB/Flash/Thumb drives, etc.). | Required | Required | Recommended |
P. Secure backup media from unauthorized physical access. | Required | Required | Recommended |
Q. Ensure system setup is done in an environment that is only accessible to authorized administrators. | Required | Required | Recommended |
R. All systems shall use only the below KU-approved network and system login banner: “Access to electronic resources at the University of Kansas is restricted to employees, students, or individuals authorized by the University or its affiliates. Use of this system is subject to all policies and procedures set forth by the University in the Policy Library. Unauthorized use is prohibited and may result in administrative or legal action. The University may monitor the use of this system for purposes related to security management, system operations, and intellectual property compliance.” | Required | Required | Recommended |
4. Disclose Only the Minimum Necessary Information
| Level I | Level II | Level III |
A. Do not discuss or display information in an environment where it may be viewed or overheard by unauthorized individuals. | Required | Required | Recommended |
B. Limit a disclosure to the amount of information reasonably necessary to achieve the purpose of the disclosure. | Required | Required | Required |
C. Disclose information only when necessary and only to the extent that such disclosure is consistent with University policy and permitted or required by law. | Required | Required | Recommended |
D. Ensure the Office of the General Counsel reviews all subpoenas, search warrants, or other court orders prior to release of information. | Required | Required | Required |
E. Refer requests for information from media representatives (i.e., reporters, TV news crews, etc.) to the Office of University Relations. | Required | Required | Required |
F. Report immediately any potential or suspected breach or compromise of, or unauthorized / unexplained access to University information (electronic or paper) to the Information Technology Customer Service Center (785-864-8080). | Required | Required | Required |
5. Safeguard Information in Transit
| Level I | Level II | Level III |
A. Use secure methods of transmission when sending any Private, Confidential, or Sensitive data. | Required | Required | Recommended |
B. Encrypt email when sending Private, Confidential, or Sensitive information, even to other authorized users. The encryption method and key storage method must be approved by IT Security. | Required | Required | Recommended |
C. Send faxes only when the intended recipient is present. | Required | Required | Recommended |
D. Ensure information (including device(s) containing information) is physically secure at all times when carrying or hand-delivering it to a new location. | Required | Required | Recommended |
E. Remove information from secure locations only with prior approval. | Required | Required | Recommended |
F. Access information remotely using only secure methods approved by the KU IT Security Office. | Required | Required | Recommended |
G. Accessing or transferring Private Information (Confidential or Sensitive information) using on-campus wireless connections is NEVER appropriate, unless the wireless network is encrypted and it has been approved by the KU IT Security Office. | Required | Required | Not Applicable |
H. Accessing and transporting Social Security Numbers via a portable device is NOT appropriate. | Required | Not Applicable | Not Applicable |
6. Secure Physical Equipment and Resources
| Level I | Level II | Level III |
A. Actively “lock” your workstation when you are away from your desk; do not just wait for the screen saver feature to self-activate. | Required | Strongly Recommended | Strongly Recommended |
B. Use “strong” passwords that are not easily guessed. Ensure that computer monitors are situated in a manner that login screens cannot be observed by passersby. Any passwords written down should be securely stored. Detailed requirements in regards to password strength and password changes can be found in the KU Password Policy. | Required | Required | Required |
C. Place devices that can be used to print information in secure locations. | Required | Required | Recommended |
D. Use a variety of methods to help prevent information compromise. | Required | Required | Required |
E. Physical protection from theft, loss, or damage must be utilized for mobile devices that can be easily moved such as a PDA, thumb drive, or laptop. | Required | Required | Recommended |
F. When evaluating new software or appliances, request a security review of the proposed items by the IT Security Office BEFORE purchasing or installing. | Required | Strongly Recommended | Strongly Recommended |
G. When making a change to a service, system, or business process, consider whether any currently functioning security measures will be disrupted. All changes or modifications to the standard architecture shall be documented along with any justifications. | Required | Required | Recommended |
H. Conduct regular system backups. Backups help ensure the availability of data necessary to fulfill University responsibilities in the case of device failure, disaster or theft. | Required | Strongly Recommended | Strongly Recommended |
I. Immediately contact the local area public safety department if there is a theft of any computer, electronic storage media, portable or personal device containing or that has been used to process University information. | Required | Required | Required |
7. Safeguard Information in Storage
| Level I | Level II | Level III |
A. Employ physical protection for all devices (electronic and non-electronic) used to store data. | Required | Required | Recommended |
B. Store Confidential or Sensitive Information in a separate location when possible. | Required | Required | Not Applicable |
C. Always encrypt Confidential and Sensitive Information prior to storage. Encrypting data helps ensure that if an access control is bypassed, the information is still not readily available. A standard and published encryption standard should be used. The encryption method and key strength level must be approved by IT Security. | Required | Required | Recommended |
D. Securely store information. | Required | Required | Recommended |
E. Store data on systems that support access control (as described in Section 3 of this policy). | Required | Required | Recommended |
F. Retain Social Security numbers only when required (by a “business-related” purpose) and ONLY in an encrypted file or truncated to last 4 digits. | Required | Not Applicable | Not Applicable |
G. Store credit card numbers (electronically or on paper) ONLY with written approval from Financial Services, the E-commerce committee, and the IT Security Office. | Required | Not Applicable | Not Applicable |
8. Dispose of Information Securely When No Longer Needed
| Level I | Level II | Level III |
A. When retention requirements have been met, records must be either immediately destroyed or placed in secure locations as described in this section for controlled destruction. | Required | Required | Required |
B. Review, purge and shred printed documents regularly (in accordance with published destruction schedules). | Required | Required | Not Applicable |
C. Ensure complete destruction of information on electronic storage media, computers, and portable devices prior to disposal/recycling. Refer to the Electronic Data Disposal Policy and Procedure and the Data Removal from KU-Owned Computers procedure from the KU IT Security Office. | Required | Required | Not Applicable |
9. Stay Informed About Information Risks
| Level I | Level II | Level III |
A. Ensure attendance at information awareness training provided by the University. | Required | Required | Required |
Exceptions to this Procedure shall only be allowed if previously approved by the KU Information Technology Security Office and this approval is documented and verified by the Vice Provost for Information Technology.
Faculty, staff, and student employees who violate this University policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment.
Students who violate this University policy may be subject to proceedings for non-academic misconduct based on their student status.
Faculty, staff, student employees, and students may also be subject to the discontinuance of specified information technology services based on the policy violation.
Office of the Chief Information Officer
1001 Sunnyside Avenue
Lawrence, KS 66045
785-864-4999
kucio@ku.edu
Whole disk encryption: for encrypting all data stored on a computer disk volume or partition.
Private Information: an overarching term used to indicate all Confidential and Sensitive information as defined below. Private Information includes all information protected by state and/or federal law or that the University is contractually obligated to protect. Private Information also includes information designated by the University as Private (Confidential or Sensitive) through the creation of standards, procedures and guidelines. Access to these data must be tightly monitored.
Confidential Information: a subset of Private Information that includes information protected by state and/or federal law and information that the university is contractually obligated to protect. The mishandling of Confidential Information may impact the University through financial and legal sanctions, loss of public confidence, and damage to the University’s reputation. Examples of Confidential Information include Social Security numbers, bank account information, BPC account numbers, healthcare records, educational records, and risk assessments that highlight potential weaknesses in the University’s utility/service infrastructure.
Sensitive Information: a subset of Private Information that includes non-public information (other than Confidential Information) that may cause harm to the University or to individuals if inappropriately used or disclosed. This category includes, for example, research data with commercial or societal value, and individual works of intellectual property.
Public Information: includes information developed for public access. If this information is disclosed, there is no risk of damage to the University’s reputation. Some examples include:
- Publicly accessible web pages
- Campus maps
- University application forms and brochures
01/26/2022: Updated contact section.
04/16/2021: Updated references from Comptroller to Financial Services.
06/02/2017: Fixed broken link.
11/04/2014: Policy formatting cleanup (e.g., bolding, spacing).
06/11/2009: Updated to reflect Legislative Post Audit requirements.