SUMMARY
The State University of New York at Fredonia ("Fredonia") is committed to the confidentiality, integrity, and availability of information important to the University’s mission. All University data must be classified into one of three categories described in this policy and protected using the appropriate security measures consistent with the minimum standards for the classification category as described in related information/data security policies.
POLICY
Fredonia has classified its physical and electronic data into three risk-based categories for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it. This policy facilitates applying the appropriate security controls to university data, and assists data owners in determining the level of security required to protect data on the systems for which they are responsible.
Please note that the following Data Risk Classification Categories and Risk from Disclosure levels use the Federal Information Processing Standards (FIPS) 199. The Minimum Security Standards use the NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations.
DATA IS CLASSIFIED INTO THREE CATEGORIES
| Data Risk Classification Category | Minimum Security Standard | Risk from Disclosure | Definition | Examples |
|---|---|---|---|---|
| Category 3 - Restricted | 800-53 High | High | | |
| Category 2 - Private | 800-53 Moderate | Moderate | | |
| Category 1 - Public | 800-53 Low | Low | | |
All university data stored on university resources or other resources where university business occurs must be classified into one of the three categories. Based on the data classification, data owners, trustees, custodians, and users are required to implement the appropriate minimum security standards set forth by the Information Security Committee for protecting the data. The standard for protecting the data becomes more stringent as the risk from disclosure increases.
Compliance with the Data Risk Classification Policy and the corresponding minimum security standards should be incorporated into business processes to ensure data is properly secured. Data that is personal to the operator of a system and stored on a university information technology (IT) resource as a result of incidental personal use is not considered university data. University data stored on non-university IT resources must still be verifiably protected according to respective minimum security standards.
SCOPE
This policy applies to all members of the university community, as well as to third parties who handle university data.
CONTACT INFORMATION
Office of Information Technology Services and Finance and Administration, Maytum Hall, Fredonia, NY, 14063.
AUTHORITY
The authority for the policy comes from the Associate Vice President of Information Technology & Chief Information Officer and Vice President of Finance and Administration.
APPROVAL
This policy was approved by the President’s Cabinet on 9/20/2017.