15.41 – Data Classification

PART 1:  PURPOSE

This rule is adopted consistent with direction from the NMSU Board of Regents, applicable laws and regulations and other university policies and operational guidelines under the authority of the university’s Data Governance Board:

1. To provide uniform guidance for the NMSU system relating to data classification, upon which the baseline security controls for each type of Institutional Data (Data) is predicated;
2. To authorize the issuance and publication of data classification standards and operational guidelines and protocols by which Data Custodians and Data Users will access, secure, use, modify, maintain and disclose Institutional Data;
3. To act in accordance with state and federal laws and regulations, grant and contract terms and conditions, privacy considerations and other legal obligations (e.g. protection of proprietary data);
4. To regulate the sharing of Data within and outside the university, subject to the necessary safeguards;
5. To provide guidance for potential and actual data breaches, in accordance with the requirements for each category of data governed by distinct requirements and procedures for reporting in the event of inappropriate disclosure (e.g. data breach thresholds).

PART 2:  DEFINITIONS

Defined terms are capitalized to denote that they are defined for purposes of this rule.

1. Controlled Data: Data specifically categorized by federal statute, executive order, or regulation as important to the nation’s interest or government operations, or Data categorized as proprietary through grant, contract or non-disclosure agreements. (See Part 3D. below)
2. Data: See Institutional Data, below.
3. Data Categories: Four types of Institutional Data, subject to different standards of security and procedures for access, security, use, modification, maintenance, disclosure and data breach response. (See Part 3 below)
4. Data Custodian: An employee who has operational responsibility for the management of any of the systems that serve as sources of Institutional Data.
5. Data Steward: An employee, typically a supervisor, designated by the relevant Data Trustee to oversee access and management of a particular subset of Institutional Data.
6. Data Trustee: A senior administrator with significant responsibility for a major operational area, who utilizes systems and applications serving as authoritative sources of Data. (See Appendix ARP 15.40 – A for list of major operational areas).
7. Data User: NMSU employees or agents whose job duties require access to Institutional Data.
8. Institutional Data: Institutional Data (or “Data”) refers to the university’s information resources and administrative records in any form, including but not limited to print, electronic, or audio-visual. Examples include:
   1. Data created, acquired and/or maintained by university employees through official job duties;
   2. Data created or updated using a university computer system;
   3. Data relevant to research, planning, managing, operating, or auditing;
   4. Data included in official university administrative reports and records;
   5. Data within the university’s control, including records that the university may not possess, but are governed by laws and regulations to which the university is held accountable.
   6. Data that pertains to, or supports, the administration and mission of the university.
9. Internal Data: Data not protected by state or federal law or regulatory standards, but which if disclosed, poses a reputational risk or may result in a civil action against the institution. (See Part 3. B. below)
10. Public Data: Data that does not fall into the Internal Data, Regulated Data or Controlled Data types. (See Part 3. A. below)
11. Regulated Data: Data  regulated by law or contract that is not Controlled Data, and if exposed to unauthorized parties, poses a risk of harm to third parties or risk of harm to NMSU interests (e.g. reputational) or exposes the university to potential liability. (See Part 3. C. below)

PART 3: DATA CLASSIFICATION RULES

Institutional Data falls into one of four distinct categories: 1) Public Data; 2) Internal Data; 3) Regulated Data; and 4) Controlled Data. These four Data Categories represent the best foundational structure to manage and protect all Institutional Data.

1. Category 1- Public Data: Public Data is considered to be any data that does not fall into the Internal Data, Regulated Data or Controlled Data types. The disclosure of Public Data does not pose a risk to the institution. Public Data may be publicly accessible but does not require public access.  Data integrity is the basic safeguard for which the University is responsible to ensure data is not modified. There are no restrictions on the storage or distribution of Public Data. Standards and operational protocols relating to the safeguards, handling, sharing and disposal requirements for Public Data are posted at Data Governance for the NMSU System. Examples of Public Data include:
   1. 1. 1. Public Web Sites
         2. Marketing Materials
         3. Business Addresses
         4. Salary Information
2. Category 2: Internal Data: Internal Data is Data not protected by state or federal law or regulatory standards, but which if disclosed may pose a reputational risk or result in a civil action against the institution. Access to Internal Data should be limited to Trustees, Data Stewards and NMSU employee(s) with a business need.  The exposure threshold for this classification of data is set at 750 records.  Standards and operational protocols relating to the safeguards, handling, sharing and disposal requirements for Internal Data are posted at Data Governance for the NMSU System. Examples of Internal Data include:
   1. 1. Account Credentials
      2. Budget Information
      3. Unclassified Research and Manuscripts
      4. Payroll and Employment Documentation
      5. Systems & Network Diagrams
      6. Strategic Information Unique to NMSU
3. Category 3: Regulated Data: Regulated Data is Data that is not Controlled Data and is regulated by law or contract or, if exposed to unauthorized parties, poses a risk of harm to third parties or risk of harm to NMSU interests (e.g. reputational) or exposes the university to potential liability. The threshold for exposure of this category of data is set at one record and the exposure of 500 records of Health Information requires notification to the media. Associated protected personally identifying data elements (e.g. name, date of birth, email address, telephone number, mother’s maiden name, employment history) that reasonably could identify an individual when used in combination with Internal Data elements, may be treated as Regulated Data. When assessing data, each data set must be analyzed to determine if any given combination poses a risk.  Additional standards and operational protocols relating to the safeguards, handling, sharing and disposal requirements for Regulated Data are posted at Data Governance for the NMSU System.  Examples of Regulated Data include:
   1. 1. 1. Social Security Number
         2. Driver’s License ID Number
         3. Passport ID Number
         4. Tax ID Number
         5. Health Information
         6. Class Schedules
         7. Course History
         8. Academic Actions
         9. Grades, GPA and Transcripts
         10. Payment Card Data
         11. Bank Account numbers
4. Category 4: Controlled Data: Controlled Data is specifically categorized by federal statute, executive order, or regulation as important to the nation’s interest or government operations, or Data categorized as proprietary through grant, contract or non-disclosure agreements. Data access and handling requirements are restricted to those with a need-to-know, with appropriate adherence to applicable law and interpreting regulations, grant or contract provisions and university policies, standards and operational guidelines. Unauthorized disclosure of this information could have a serious adverse impact on the country, university, individuals or affiliates.  Consultation and approval from Research Administration and IT security teams is required prior to holding or processing this type of Data. Additional approvals from other university authorities may also be required.  Regulations, laws and standards that affect data in Category 4 include, but are not limited to, the Arms Export Control Act (Title 22, U.S.C., Sec 2751, et seq.), the Export Administration Regulations (15 CFR 730 et seq.) and the Federal Information Security Management Act (FISMA). Controlled Unclassified Information (Executive Order 13556).  Safeguards, handling, sharing and disposal requirements for Controlled data are codified in the Controlled data processing standards.  Standards and operational protocols relating to the safeguards, handling, sharing and disposal requirements for Controlled Data are posted at Data Governance for the NMSU System. Examples of Controlled Data include:

1. 1. Export Controlled Data: Information or technology deemed to be sensitive to national security or economic interests and subject to federal export control regulations as promulgated by the U.S. Departments of State and Commerce.  Export Controlled Data may be subject to restrictions that exceed the requirements for Category 4 data.
   2. National Security Interest (NSI): NSI data has been classified by a third party as having the potential to impact national security. Individuals managing or accessing NSI data must comply with all Level 4 requirements, National Security Decision Directives, any other applicable Federal Government directives and all information security procedures specified by the source agency.
   3. Controlled Unclassified Information (CUI): Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified for national security purposes under Executive Order 13526.  Data that is identified as CUI in a contract or agreement is subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”  Personnel receiving or generating CUI should work with the appropriate NMSU official such as Research IT, Chief Privacy Officer, Chief Information Security Officer, or Export Control Manager to ensure compliance with grant or contract information security requirements.
   4. Classified Information: Classified Information is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies for national security purposes. The NMSU Facility Security Officer (FSO) is the official authorized to receive classified information on behalf of NMSU to ensure its proper safeguarding.

PART 4: ROLES AND RESPONSIBILITIES

1. Issuance of Standards and Operational Protocols: Consistent with guidance from the Data Governance Board, the Chief Information Security Officer and Chief Privacy and  IT Compliance Officer, in collaboration with the Data Trustees and Data Stewards, and in coordination with the university’s Chief Information Officer (CIO) are charged with issuance and publication of the university’s classification standards and operational protocols.  In the development of these standards and operational protocols for each Data Category, they will refer to the National Institute of Standards and Technology (NIST) publications on securing technology as guidance.
   1. Each Data Category will have a corresponding set of standards and operational protocols establishing the appropriate data security and compliance requirements and procedures, and prescribing specific controls and safeguards that reflect the data protection requirements of the institution.
   2. Each Data Category standard must provide a defined methodology by which the Data Trustees and others as appropriate will assess the level of risk presented by the Data to determine the probability and extent of harm that would occur should the Data be lost, stolen, or accessed by unauthorized parties. At a minimum, it should take into account the data sensitivity, value, criticality and provisions of applicable governing regulation(s).
   3. Each Data Category standard must, at a minimum, designate departmental responsibilities for implementing appropriate training and managerial, operational, physical, and technical controls for access to, use of, transmission of, and disposal of Data in compliance with this, related policies, and applicable governing regulation(s).
   4. Each Data Category must contain defined clear thresholds that constitute a data breach as well as breach and incident response requirements if any, based on the circumstances of the data exposure. Data exposure below defined breach thresholds, while a security incident and a concern, may not constitute a violation of this rule.
2. Application of the Standards and Operational Protocols: Once Data is created or acquired by the university, each Data Steward is responsible for assigning Data into the appropriate Data Category.  The Data Steward may change the assigned Data Category based on regulatory and institutional requirements.
3. Shared Data Stewardship: Data with shared stewardship responsibility requires joint classification by the responsible Data Stewards. Data classification impasses will be resolved by the responsible Data Trustees and ultimately the president with input from the relevant Data officials, Chief Information Security Officer and Chief Privacy and IT Compliance Officer.
4. Protection of Data Pending Classification: Data not yet classified into a Data Category must be secured in accordance with the stricter standard until determined by the relevant Data Steward(s).

PART 5: PERIODIC MONITORING AND REVIEW

To promote adherence to this rule by all NMSU entities, NMSU may take reasonable and necessary action to assess Data security and to monitor compliance efforts.  The Offices of the President, IT Privacy and Compliance or the Chief Information Officer may authorize NMSU staff or consultants to utilize IT auditing technologies to scan IT systems, including the NMSU network, servers, databases, applications, cloud storage, and other computing devices.  This provision does not limit nor affect the authority of the university’s Office of Audit Services to conduct independent internal audits.

1. The IT auditing technologies to be used may include programs and utilities that allow for programmatic inspection of Data access, security, use, modification, maintenance and disclosure permissions.
2. The results from automated scans may be centrally correlated for analysis in a secure environment. These technologies are not to be used to read the full context of the Data, but rather to match established Data use patterns.
3. Information gathered through periodic auditing will maintained confidentially, to the extent permitted by law.