1. Purpose
This policy informs all University System of New Hampshire (USNH) community members of their responsibilities related to maintaining the privacy and security of institutional information. To effectively safeguard institutional information, the USNH community must have a shared understanding of what needs to be protected and what kind of protection is required for different types of institutional information.
To facilitate that shared understanding, this Policy establishes a model for the classification of institutional information that defines each classification and provides examples of the kind of information associated with each classification. This model shall be used by all USNH institutions to classify information. The classifications defined here form the foundation for any other policies or standards pertaining to the protection of information.
This policy and the related Information Handling Standards define the minimum requirements for each information classification tier.
2. Scope
This policy applies to all institutional information, regardless of storage format (e.g. data/digital, paper).
3. Audience
All USNH community members should understand this policy and how it applies to the institutional information they access and use.
4. Policy Statement
All USNH and component institution information shall be protected appropriately based on the classification of that information. Institutional information shall only be shared between, and released to, authorized parties when there is a need to know, and as necessary, to execute job-related duties in alignment with established information handling standards.
4.1 Classification Structure
To facilitate the development and communication of clear standards, processes, and procedures for implementing the appropriate security controls for each type of institutional information, the Information Classification Model is separated into distinct tiers. Each tier in the model encompasses specific types of institutional information which require that level of protection.
4.2 Tier 4 - Restricted Information
4.2.1 Information is restricted if protection is:
4.2.2 Additionally, information can be designated as Restricted by the data steward of that information.
4.2.3 If compromised or exposed, Restricted information could result in significant institutional cost, harm to institutional reputation, and/or unacceptable disruption of the institution’s ability to meet its mission.
4.2.4 Examples of Restricted Information
4.2.4.1 SSNs and other personally identifiable information as defined by state of NH reporting requirements
4.2.4.2 Electronic Protected Health Information (ePHI) or non-electronic Protected Health Information (PHI) as defined by HIPAA
4.2.4.3 Research information that contractually requires specific security or privacy controls
4.2.4.4 Information protected by PCI-DSS
4.2.4.5 Information protected by FMLA and GLBA
4.2.4.6 Information protected through "Affirmative Action" and/or "disability regulation"
4.2.4.7 Information technology infrastructure, design, security, and authentication stores
4.3 Tier 3 - Protected Information
4.3.1 Information is protected if privacy controls are required by regulation or law but required protections do not rise to the level of those mandated for Restricted Information.
4.3.2 If compromised or exposed, protected information may result in serious institutional cost, harm to institutional reputation, and/or unacceptable disruption of the institution’s ability to meet its mission.
4.3.3 Examples of Protected Information
4.3.3.1 Information protected by FERPA
4.3.3.2 Library information
4.3.3.3 Research information that requires protection by contract
4.4 Tier 2 - Sensitive Information
4.4.1 Information is sensitive if controlled access is required by institutional policy, by the data steward, by contract, for ethical reasons, and/or if it is at high risk of damage or inappropriate access.
4.4.2 It includes information which, if compromised, could result in high institutional cost, harm to clients, harm to institutional reputation or unacceptable disruption of the institution’s ability to meet its mission.
4.4.3 It includes other information explicitly identified as requiring controlled access, but that does not require the level of protection dictated in the higher tiers. Any institutional information that has not been designated as falling under another tier shall be considered sensitive.
4.4.4 Examples of Sensitive Information
4.4.4.1 Directory information as defined by the institution or by regulation
4.4.4.2 Intellectual property
4.4.4.3 Fundraising data
4.5 Tier 1 - Public Information
4.5.1 Information is public if it is explicitly identified as public by the data steward responsible for that information. It includes information that may be provided to anyone without any further oversight.
4.5.2 Examples of Public Information
4.5.2.1 Contact information of employees that is approved for publication in the public directory
4.5.2.2 Campus map that has been explicitly approved for public display
4.5.2.3 Academic calendar that has been explicitly approved for public display
4.6 Information Handling Requirements
4.6.1 With the input, oversight, and approval of the institutional data stewards, Cybersecurity & Networking shall be responsible for the development, publication, and maintenance of Standards defining the required security controls for each of the defined tiers.
4.6.2 Administrative, academic, and business units shall be responsible for the development and maintenance of clear and consistent information handling procedures, aligned with those Standards, in support of operations and business processes that involve the collection, access, use, processing, storage, or transmission of institutional information.
4.7 Clarification on Classification
4.7.1 While designated Data Stewards at each institution are responsible for determining the appropriate classification for the information under their stewardship, Cybersecurity & Networking is the central point of contact for questions about or clarification on the appropriate classification of a specific type of information or data element and for the required security controls for each classification.
5. Enforcement
Failure to comply with this policy puts the University System, its component institutions, and its information and information technology resources at risk and may result in disciplinary action. Disciplinary procedures will be appropriate for the individual responsible for non-compliance (e.g., students, faculty, staff, vendors) as outlined in the relevant institutional regulations for that individual (e.g., student conduct and/or applicable personnel policies).
Non-compliant technology and/or activities may be mitigated as deemed necessary by the Chief Information Officer and/or Chief Information Security Officer.
Employees who are members of institutionally recognized bargaining units are covered by the disciplinary provisions set forth in the agreement for their bargaining units.
6. Exceptions
Requests for exceptions to this policy shall be submitted and approved according to the requirements provided in the USNH Cybersecurity Exception Standard.
7. Roles and Responsibilities
7.1 Administrative, Academic, and Business Units
7.1.1 Develop and maintain clear and consistent information handling procedures, aligned with the published Information Handling Standards, in support of operations and business processes that involve the collection, access, use, processing, storage, or transmission of institutional information.
7.2 Cybersecurity & Networking
7.2.1 Develop standards defining required security controls for each Classification Tier defined in this Policy.
7.2.2 Provide guidance to USNH community members on the Information Classification Model.
7.3 Data/Information Stewards
7.3.1 Determine the appropriate classification for each type of information under their purview.
7.4 USNH Community Members
7.4.1 Understand the classification of all institutional information with which they interact.
8. Definitions
See the ET&S Policy & Standard Glossary for full definitions of each term.
CONTACT INFORMATION
For USNH community members: Questions about this Policy, requests for additional information or training, or reports of violations can be directed to Cybersecurity Governance, Risk, and Compliance (GRC) via this Support Form.
All other requests can be submitted here: Submit an IT Question.