Data Classification Policy

Policy Category	Policy Owner	Version Effective Date	Review Cycle	Policy 91ֱ��
X. Info. Gov., Security & Technology	SVP & General Counsel	May 24, 2023	Every 4 years	Data Privacy Officer

Purpose
The 91ֱ�� of Maryland Global Campus ("91ֱ��") maintains a vast amount of Information to support its administrative and educational activities. Data Classification plays a critical role in the 91ֱ��'s comprehensive approach to maintaining the Confidentiality, Integrity, Availability and/or Privacy of its Data. This Policy describes the roles, responsibilities, and procedures for classifying Data and for implementing and complying with the prescribed Data security measures.
Scope
This Policy applies to all 91ֱ�� business operations across all 91ֱ�� divisions and departments. This Policy applies to all 91ֱ�� Employees, as well as contractors, consultants, temporary employees, and other third parties performing duties on behalf of the 91ֱ��. This Policy applies to all Information and Data processed by the 91ֱ�� and all Information Resources.
Definitions
Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.
Data Management
1. All Data Processed by the 91ֱ��'s Information Resources is the property of the 91ֱ��, to the extent permitted by law or contract.
2. The 91ֱ�� shall designate Data Stewards. The Information Governance Team, established by UMGC Policy X-1.01 Information Governance, shall maintain a record of Data Steward designations.
3. When an Information Resource(s) is purchased or renewed, the Information System Steward is responsible for ensuring that the relevant Data Steward(s) is(are) notified in order for the Data Steward to carry out their responsibilities as provided herein.
4. Data should only be Processed by the 91ֱ�� to satisfy a legitimate business purpose and in a legal manner.
5. Adequate controls must be in place to protect the Confidentiality, Integrity, and Availability of Data commensurate to its Data Classification.
6. UMGC's Information Governance Team is responsible for overseeing compliance with 91ֱ�� System of Maryland (USM) IT Security Standards, and applicable federal, state, and local laws regarding Data Classification.
Data Classification
1. Data Stewards are responsible for ensuring Data Classifications are assigned appropriately to each type of Data they oversee and that a record of those classifications is maintained.
2. Data Stewards are responsible for ensuring that the assigned Data Classifications are provided to applicable Information System Steward(s) and Technical System Lead(s) upon initial designation.
3. After initial Data Classifications are assigned, Data Stewards may change the Data Classification for particular Data as needed. Data Stewards are responsible for ensuring that the updated classifications are provided to the applicable Information System Steward(s) and Technical System Lead(s) in a timely manner.
4. The Information System Steward and Technical System Lead shall oversee the implementation of appropriate controls commensurate with the Data Classifications within the particular Information Resource.
5. Data Stewards shall assign Data Classifications to Data based on the risk associated with improper disclosure for the particular type of Data as follows:
  1. High Risk Data
    1. 91ֱ�� Data that (i) could be exploited for criminal or nefarious purposes; (ii) the 91ֱ�� is obligated by state or federal statute or regulation to keep confidential; (iii) the 91ֱ�� is contractually obligated to keep confidential, or (iv) are critical to the 91ֱ��'s operational performance and cannot be easily replaced. The loss of Confidentiality, Integrity, or Availability of such Data would cause severe harm to individuals or the 91ֱ�� operations, safety, finances and/or reputation if disclosed.
    2. Trade secrets, inventions, mask works, ideas, processes, research, formulas, source and object codes, Data, programs, other works of authorship, know-how, improvements, discoveries, developments, designs, techniques, and any other proprietary technology that is owned by the 91ֱ�� by law, policy or contract;
    3. Business and financial information or trade secrets received from a third party, which is subject to a duty on the 91ֱ��'s part to maintain the confidentiality of such information; and
    4. Records pertaining to the 91ֱ��'s competitive position with respect to educational services, including but not limited to records addressing fees, tuition, charges, and supporting information held by the 91ֱ�� (other than fees published in catalogs and ordinarily charged to students), proposals for the provision of educational services other than those generated, received or negotiated with its students, and research, analysis, or plans relating to the 91ֱ��'s operations or proposed operations.
    5. Examples of such Data include, but are not limited to:
      1. PII
      2. Biometric Data
      3. Education records
      4. Medical records
      5. Financial information
      6. Controlled Unclassified Information (CUI)
      7. Confidential information about 91ֱ�� donors
      8. Databases used for tax, health care, payroll
      9. 91ֱ��-associated Account username(s) in combination with password(s)
  2. Moderate Risk Data
    1. 91ֱ�� Data that are not available to the public. The loss of the Confidentiality, Integrity, or Availability would cause limited harm to individuals or the 91ֱ��'s operations, safety, finances, and/or reputation. Data that were created or received primarily for use by the 91ֱ�� or its Employees, Contractors, vendors, consultants, volunteers, students, alumni, donors, agents, or representatives for the 91ֱ��'s legitimate business purposes and can reasonably be expected to be secured from public view.
    2. By default, all 91ֱ�� Data that are not explicitly classified as High Risk Data or Low Risk Data shall be classified as Moderate Risk Data.
    3. Examples of such Data include, but are not limited to:
      1. 91ֱ�� research not considered High Risk
      2. Non-public reports, budgets, operation plans
  3. Low Risk Data
    1. 91ֱ�� Data that contain any Information that is already available to the general public or is required by law, policies, procedures, contract or otherwise to be made available to the general public with no legal restrictions on its access or use. The loss of the confidentiality, integrity, or availability would cause little to no harm to individuals or the 91ֱ��'s operations, safety, finances, or reputation.
    2. Examples of such Data include, but are not limited to:
      1. Information found on the 91ֱ��'s publicly facing website
      2. 91ֱ�� published marketing collateral
6. Combination of Data
  1. If a set of Data contains multiple types of Data with different Data Classifications, Data Stewards are responsible for ensuring that at least the highest Data Classification that was applied to a particular Data element within that Data set is assigned to the entire Data set.
  2. If a set of Data contains multiple types of Data with the same Data Classifications, Data Stewards are responsible for ensuring that a determination is made whether the Data set requires a higher level of Data Classification and if so, shall ensure that the higher classification is assigned accordingly.
Yearly Review
1. Data Stewards shall validate all applicable Data Classifications with the relevant Information System Steward(s) and Technical System Lead(s), in conjunction with the Data Protection Officer, as needed, or at least yearly, and update as necessary.
Enforcement
1. Any Employee, Contractor, or third-party performing duties on behalf of the 91ֱ�� with knowledge of an alleged violation of this Policy shall notify the Office of Human Resources as soon as practical.
2. Data Stewards, in consultation with the Office of Human Resources, may instruct Information System Stewards and Technical System Leads to take down and remove content that violates this Policy as well as confiscate or temporarily suspend or terminate the use of Information Resource.
3. Employees or Contractors who violate this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract.
Effective Date: This policy is effective as of the Version Effective Date set forth above.

91ֱ��

UMGC Policy X-1.02 Data Classification

EXPLORE MORE OF UMGC

EXPLORE MORE OF UMGC