UMES Data Classification Policy
A red classification is given to any files that contain personally identifiable information (PII) or protected health information (PHI). This includes any files that contain SSN, DOB, driver’s license number, credit card or financial information, and any other data that can be considered confidential under the current PII standards as outlined by NIST 800-122 and industry standards such as HIPAA and PCI-DSS. Files with this classification may not be shared unless permission has been granted by the IT Security Officer and the related departmental data steward. All transmittal must be done using an encrypted channel.
A yellow classification is appropriate for files that contain business sensitive information but do not contain any personally identifiable information (PII). Examples may include University internal memos, University sponsored research findings, or internal statistics and reports. Files with a yellow classification can be shared internally within the campus, but will require approval from the Department head to share with any non-UMES entity.
Level 1.
A green classification is appropriate for files that contain information that is publicly disclosed or is allowed to be disclosed to the public and any other party. Examples such as Campus announcements, public statements, and recruitment materials may fall into the green category. Files with a green classification do not require special handling and can be freely disseminated to any party.
IT security officer
Date: August 16, 2018
Cabinet approval pending. 12/13/18