Purpose
FIU’s Data stored in electronical form are vital assets and should be protected as such. FIU has established a Data Classification guideline to assist departments and IT administrators in providing the necessary security controls required for data security. This guideline exists in addition to all other university policies and federal and state regulations governing the protection of the university’s data. Three data classifications were established and a set of security standards are delineated to protect the confidentiality, integrity and availability of information.
Scope and Authority
This standard applies to all FIU faculty, staff, students and any other external individuals (e.g. contractors, vendors and consultants) who contracted into a business agreement with FIU. Florida International University’s IT Security Office is responsible for the oversite and, where applicable, the enforcement of any regulations that may apply to a data classification.
Roles and Responsibilities
Departments storing data classified as “Level 3 – Confidential Data” must designate a “Data Owner” for their department and this must be documented in the “List of Data Owners”. This list shall be maintained by the IT Security Office. The Data Owner may be a division head, director, manager or equivalent. The Data Owner is responsible for the department’s use of the data and must enforce DoIT security controls listed in this policy. Information previously categorized as “Highly Sensitive Data”, will now be classified as level 3, Confidential Data, unless an exception is made by the IT Security Officer. Further information on the “Highly Sensitive Data” can be found in FIU’s Data Stewardship policy.
Compliance and Enforcement
Any individual or department found in non-compliance with this policy will be given an immediate mandate to take corrective action. Failure to remediate inappropriate handling of FIU data, in a time frame set forth by the FIU Chief Information Security Officer, will result in disciplinary action as per FIU’s Acceptable Use Policy.
Classification and Security Requirements
Data classification establishes a criteria for data identity. These classifications drive the security controls that will be applied to the data. By creating actionable data security and controls around FIUs data, the Division of Information Technology will be able to assist departments take the steps necessary for protecting the university's intellectual assets, as well as data entrusted to FIU for business use. FIU's data classification places data in one of 3 levels. Level 3 being the highest level of sensitivity, thus requiring the highest level of security controls. Level 1 being the lowest level of sensitivity, requiring less stringent controls.
Data classification needs to be considered when sharing information with Artificial Intelligence models and storing on any media including removable media. No level 2 or 3 data should be submitted to publicly available AI models as stated in the AI guidelines.
Level 3 – Confidential Data
Confidential Data is applied to highly sensitive data and is intended for use only by authorized individuals. Data in this classification is regulated by legal standards and inappropriate use or disclosure could result in monetary fines to FIU.
The highest level of security controls must be applied to his classification.
Regulations that fall under this category include FERPA, GLBA, PCI, HIPAA, CUI and GDPR.
Level 3, Confidential Data Examples:
- Health Information, including protected health information (PHI)
- Social Security numbers
- Credit Card Numbers
- Data of birth
- Personal vehicle information
- User account passwords
- Fingerprints
- Export Control Information
- Passport and visa numbers
- Financial account numbers
- Driver's license numbers
- Donor contact information and non-public gift information
- Health Insurance policy ID numbers
- Controlled Unclassified Information
- Student records, Exam records, and Financial data
Level 2 – Internal/Private Data
Internal/Private data is assigned to data with a moderate sensitivity, and unauthorized disclosure of the data could result in a negative impact on the university. Data that is not categorized as Confidential or Public will be treated as Internal/Private data and normal security controls should be applied.
Level 2, Internal/Private Data Examples
- Admissions applications
- Panther ID's
- Network designs and operational information regarding FIU's Infrastructure.
- Unpublished research data (with data owner's approval)
- Employee names
- Employee salary information
- Employee performance information
- Internal memos and email
Level 1 – Public Data
Data should be classified as Public when the unauthorized disclosure, alteration, or destruction of that data would result in little or no risk to the University and its affiliates. While minimal controls are explicitly required to protect the confidentiality of Public data, security controls are equally important to ensure the availability and integrity of the data. The impact on the institution should Level I - Public data not be available is typically low (inconvenient but not a threat to business continuity). This data is publicly available and does not have a requirement for confidentiality, integrity or availability.
Level 1, Public Data Examples:
- Job postings
- University directory Information
- Information in the public domain
- Publicly available campus maps
- Published research publications and data
- Information on FIUs websites without authentication requirements
Based on the Data Classification Level the following Data Security Controls will vary. The following table of security controls must be implemented unless a control is waived and documented by the IT Security Office.