Series: 500 Information Services
Section: Data Classification and Security
Cross-Reference: Data Classification and Security Policy 530.00
Applicability: This Operating Procedure applies to all Johnson County Community College (“JCCC” or the “College”) employees and third-party service providers creating, accessing, storing, transmitting, or maintaining College Data.
Purpose: The purpose of this Operating Procedure is to establish the data classification framework for College Data, and to establish roles and responsibilities for handling and securing College Data to manage risk appropriately across data types and systems and ensure that the College remains in compliance with legal, regulatory, contractual, accreditation, and institutional policy requirements.
Procedures:
The College is the owner of all College Data, which is classified pursuant to this Operating Procedure. College Data may only be used in compliance with the Use of Technology and Communications Systems Operating Procedure 510.01 and other College policies and procedures. Regardless of role, users may access only the minimum data necessary for legitimate College purposes. Roles assigned under this Operating Procedure do not confer data ownership but define responsibility for classification and management.
I. Data Classification Levels
All College Data is classified into the following data classifications, which are determined by the appropriate data steward or designee based on the level of sensitivity and impact to the College of unauthorized handling, use, or disclosure. If data sets or documents with College Data belong to more than one classification, the most restrictive classification will apply. Some College Data may be further classified or defined as required by applicable laws, regulations, or contractual obligations. If these impose stricter controls, such requirements take precedence.
A. Level 4 - Restricted Data
Restricted data is highly sensitive and includes all organizational, employee, and student data that is protected by statutes, regulations, contractual agreements, or policies. If restricted data is disclosed without proper authorization or stored without proper access controls, it will result in significant operational, financial, legal, or reputational harm, including violation of federal and state privacy laws resulting in administrative or civil action, or other consequences. Restricted data must be handled with special care at all times.
Examples of restricted data include but are not limited to:
- Data protected by laws such as the Family Educational Rights and Privacy Act (“FERPA”) (education records) and the Gramm-Leach-Bliley Act (“GLBA”) (consumer information)
- Authentication credentials including passwords, PINs, and tokens
- Data protected by attorney/client privilege
- Personnel records
- Any data that is restricted by law or contract
B. Level 3 - Sensitive Data
Sensitive data is not intended for public disclosure. Its unauthorized access may create operational, reputational, or compliance risk, and therefore, any release may only occur in a controlled and lawful manner following appropriate authorization pursuant to this Operating Procedure. In general, if College Data is not classified as restricted, internal, or public, it will default to this classification.
Examples of sensitive data include but are not limited to:
- Internal HR data
- Grants and contracts that are not restricted
- System security information and procedures that are not restricted
- Security incident information that is not restricted
C. Level 2 - Internal Data
Internal data is not intended for public release, but its unauthorized disclosure would be unlikely to create operational, reputational, or compliance risk.
Examples of internal data include but are not limited to:
- Meeting notes, routine business documents, and internal memoranda that are not restricted or sensitive
- Working drafts not containing restricted or sensitive data
- Unpublished research or early-stage planning records
D. Level 1 - Public Data
Public data is often already available in the public domain or its disclosure is either beneficial or poses minimal risk.
Examples of public data include but are not limited to:
- Public webpages and weblogs (blogs)
- Annual reports and other College publications
- Press releases and marketing materials
- Course catalogs
- Campus maps
II. Roles and Responsibilities
All JCCC employees and third-party service providers covered by this Operating Procedure are responsible for understanding the value of College Data and its classifications and managing College Data in a manner consistent with the criticality of and the requirements for confidentiality associated with the data in any form (electronic, documentary, audio, video, etc.) throughout the entire information life cycle (from creation through preservation or disposal). Certain individuals may have additional responsibilities as set forth below, which may be designated, as appropriate.
A. Executive Sponsors
Executive sponsors are generally members of Cabinet who oversee major institutional data domains.
Responsibilities include but are not limited to:
- Providing strategic oversight for data quality, security, and compliance
- Determining classification of level 3 and level 4 data
- Ensuring the availability and use of resources to support the secure management of designated data domains
- Supporting data stewards and data custodians in proper handling practices
B. Data Stewards
Data stewards are designated by the appropriate executive sponsor, and are responsible for classifying data within their area of oversight and establishing secure handling requirements.
Responsibilities include but are not limited to:
- Interpreting data elements, business rules, and classification levels
- Approving data access, sharing, and exception requests for level 2, level 3, and level 4 data
- Ensuring accuracy, quality, and compliance of data across systems
- Collaborating with custodians to ensure technical safeguards align with policy requirements
- Serving as the Records Custodian for College records retention purposes
C. Data Custodian (System Owners or Technical Leads)
Data custodians are technical administrators who are responsible for implementing and maintaining system controls that protect College Data.
Responsibilities include but are not limited to:
- Applying controls defined by the data steward for each classification level
- Ensuring encryption, secure configuration, backups, logging, and access controls (including SaaS or cloud environments) are appropriately performed
- Maintaining system integrity, availability, and protective monitoring
- Promptly reporting issues affecting data security to the IT security team
D. Data User (all other authorized users)
Data users are faculty, staff, students, affiliates, or third-party service providers who access College Data for legitimate College purposes in compliance with the Use of Technology and Communication Systems Operating Procedure 510.01 and other College policies and procedures.
Responsibilities include but are not limited to:
- Complying with all handling, sharing, storage, and transmission requirements
- Reporting suspected misuse or unauthorized access immediately to the IT security team
- Completing required training on information security and responsible data use
E. Information Technology (“IT”) Security Officer
The IT security officer and designated staff provide a centralized security framework, institutional standards, and protective oversight of digital College Data.
Responsibilities include but are not limited to:
- Maintaining College-wide information security standards for digital data handling controls
- Supporting data custodians with secure system implementation
- Advising executive sponsors, data stewards, and data custodians on compliance obligations and risk
- Performing protective monitoring and ensuring adherence to security policies
- Leading incident response and risk mitigation efforts for digital data breaches and coordinating with College stakeholders, as appropriate, such as those responsible for risk, compliance, or legal guidance, as well as those responsible for student- or employee-specific College populations who may be impacted
III. Retention and Disclosure of College Data
A. Sharing and Disclosure
College Data may be shared internally with persons who have a legitimate business need for the data, in accordance with this Operating Procedure and internal procedures adopted by relevant departments. External sharing of level 3 and level 4 data requires review for legal compliance and approval of the data steward and executive sponsor. College business agreements that include data sharing must require appropriate safeguards for the protection of College Data.
B. Retention and Disposal
College Data must be retained in accordance with College Records Retention Schedules and all applicable legal requirements. Data custodians will configure College information systems to automate retention and deletion in accordance with College Records Retention Schedules and all applicable legal requirements.
JCCC Information Services will provide options for storage of digital College Data by employees and third-party service providers. JCCC Information Services will administer guidelines regarding appropriate storage locations for each College Data classification, and will be responsible for evaluating and reviewing cloud-based services and other proposed storage options for alignment with data classification requirements. To ensure the College has access to College Data and the ability to mitigate the risk of loss or damage, College Data must be stored in locations owned, controlled or licensed by the College, and not in personal storage or third-party storage locations.
IV. Departmental Procedures
Departments that routinely share or exchange College Data are encouraged to maintain internal procedures consistent with this Operating Procedure to ensure appropriate authorization and handling of College Data.
V. Exceptions
Exceptions to this Operating Procedure must be approved by the appropriate data steward and the Vice President of Information Services or designee.
Signature on File in Policy Office
President
Revised: 04/18/2019, 03/12/2026