Data Classification and Security Operating Procedure 530.01

Johnson County Community College
Series: 500 Information Services
Section: Data Classification and Security

Cross-Reference: Data Classification and Security Policy 530.00

In accordance with the Data Classification and Security Policy, JCCC Information Services (IS) has established this Operating Procedure to define College Data classifications and establish roles and responsibilities for handling College Data.

  1. Data Classification Definitions: All College Data should be classified into one of the following three data classifications which are determined based on the level of sensitivity and impact to the College of unauthorized handling, use and disclosure.
    • Restricted Data – This data is highly sensitive organizational, employee and student data that is protected by statutes, regulations, contractual agreements or policies. If Restricted Data is disclosed without proper authorization or stored without proper access controls, the College may face significant financial or legal risk, such as violation of federal and state privacy laws resulting in administrative or civil action, or other consequences, such as loss of revenue, negative publicity and decreased morale or public confidence.
    • Sensitive Data – This data is relevant to internal operations and not readily available to the public. Access to Sensitive Data may be guarded due to privacy or ethical reasons. Upon appropriate request, it will be released in a controlled and lawful manner. In general, if College Data is not classified as Restricted or Public, it will default to this classification.
    • Public Data – This data may be freely disclosed and available to the public as its disclosure poses little to no risk to the College.
  2.  Roles and Responsibilities:
    • Data Owner – Data Owners are responsible for all College Data supporting the operations overseen by their position. Data Owners approve guidelines for the proper use of College Data and may delegate the interpretation and implementation of those guidelines to appropriate personnel.
    • Data Custodian – Data Custodians are responsible for overseeing the interpretation, implementation and compliance of policies, guidelines and access related to College Data. This role will typically be occupied by the same individual that serves as the Data Custodian for College record retention purposes.
    • Data User – Data Users are responsible for complying with policies and guidelines established by the Data Owner when handling College Data. For example, College Data is to be used, stored and secured by the Data User as set forth in the guidelines established by the Data Owner and overseen by the Data Custodian.
    • IT Security Officer – The IT Security Officer is responsible for evaluating and reviewing cloud-based services and other proposed storage options for alignment with Data Classification standards and appropriate use.  
  3. Storage and Security of College Data: IS provides access to a number of options for storage of College Data by employees and third party contractors. Guidelines regarding appropriate storage locations for each College Data classification will be administered by IS. IS will be responsible for evaluating and reviewing cloud-based services and other proposed storage options for alignment with Data Classification guidelines. To ensure the College has access to College Data and the ability to mitigate the risk of loss or damage, College Data must be stored in locations owned, controlled or licensed by the College, and not solely in personal storage or third party storage locations, except in limited approved circumstances.
  4. Exceptions: Exceptions to this Operating Procedure may be approved by the Vice President over Information Services.

 Signature on File in Policy Office

President


Date of Adoption: 10/13/2016
Revised: