Standard for Information and System Classification

Introduction

Classification, in the context of information security, is the process of categorizing Institutional Information and IT Resources based on their sensitivity and criticality, and the potential impact to the university should their confidentiality, integrity, or availability be compromised. The process is typically driven by legal, regulatory, academic, financial, and operational requirements. An asset’s classification helps determine the baseline security controls that should be implemented to safeguard the asset.

Purpose

This standard establishes classification levels for Institutional Information and IT Resources based on their requirements for confidentiality and integrity (Protection Levels) and availability (Availability Levels). It also describes the steps that should be used by Application Owners and Data Owners to determine the appropriate classification levels for the Institutional Information and IT Resources they are responsible for.

Scope

This standard applies to all university Institutional Information and IT Resources, irrespective of whether they are maintained by The New School or a third party on the university’s behalf or whether they are accessed from on-campus or off-campus locations, and to any individual who accesses or in any way makes use of them, regardless of affiliation. This includes, but is not limited to, Workforce Members, students, and alumni.

Definitions

Special terms used in this document will be Capitalized and underlined, signifying that they have special meaning. A comprehensive glossary of terms, with examples, can be found at https://ispo.newschool.edu/glossary/.

Requirements

Every Institutional Information asset and IT Resource must be assigned an appropriate Protection Level and Availability Level. Retention periods for Institutional Information datasets must also be determined.

Protection Levels

New School Institutional Information and IT Resources are assigned one of four Protection Levels based on the level of concern related to confidentiality and integrity. Level PL-4 requires a comprehensive set of security controls and Level PL-1 requires a minimal set of controls.

PL-4 – High

Institutional Information and related IT Resources whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in significant fines, penalties, regulatory action, or civil or criminal violations. Statutory, regulatory, and contractual obligations that (a) require specific security controls to be implemented or (b) require specific data elements to be protected are major drivers for this risk level. Other drivers include, but are not limited to, the risk of significant harm or impairment to

  • New School students, research subjects, Workforce Members, guests/program participants;
  • The New School’s reputation related to a breach or compromise;
  • the overall operation of the university; or
  • essential services.

Examples (see the Protection Level Classification Guide for a more complete list):

PL-3 – Moderate

Institutional Information and related IT Resources whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in small to moderate fines, penalties, regulatory action, or civil violations. Statutory, regulatory, and contractual obligations that (a) require non-specific (e.g., “commercially reasonable” or “industry standard”) security controls to be implemented or (b) require general categories of information to be protected without identifying specific data elements are drivers for this risk level. Most Institutional Information whose unauthorized disclosure or modification could

  • result in moderate harm to The New School, its students, research subjects, employees, community and/or reputation;
  • have a moderate impact on the privacy of an individual or group;
  • result in moderate financial loss; or
  • require legal action

should be classified at this level. This classification level also includes lower risk items that, when combined, represent increased risk.

Examples (see the Protection Level Classification Guide for a more complete list):

PL-2 – Low

Institutional Information and related IT Resources that may not be specifically protected by statute, regulation, or other contractual obligation or mandate, but are nevertheless generally not intended for public use or access. In addition, Institutional Information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in minor harm or small financial loss, or have a minor impact on the privacy of an individual or group.

Examples (see the Protection Level Classification Guide for a more complete list):

  • Directory Information of students who have not filed a disclosure withholding request
  • Research using publicly available data
  • Routine business records and email that do not contain PL-3 or PL-4 information

PL-1 – Minimal

Public information or information intended to be readily obtainable by the public, but whose integrity is important and for which unauthorized modification is the primary protection concern. IT Resources for which the application of minimum security controls is sufficient.

Examples (see the Protection Level Classification Guide for a more complete list):

  • Campus brochures and maps
  • Curricula vitae
  • Published research
  • Student policies and handbooks
  • University press releases
  • University websites

Availability Levels

New School Institutional Information and IT Resources are also assigned one of four Availability Levels based on the business impact their loss of availability or service would have on the university. Level AL-4 requires a comprehensive set of security controls and Level AL-1 requires a minimal set of controls.

AL-4 – High

Loss of availability would result in major impairment to the overall operation of the university and/or essential services, and/or cause significant financial losses. IT Resources that are required by statutory, regulatory, and legal obligations are major drivers for this risk level, as are IT Resources that are required for the rest of the IT environment to function.

Examples (see the Availability Level Classification Guide for a more complete list):

  • Data center network routers / switches
  • Directory services (Active Directory, LDAP)
  • Internet connectivity
  • Single sign-on (CAS)
  • VMware infrastructure
  • Wireless network controllers

AL-3 – Moderate

Loss of availability would result in moderate financial losses and/or reduced customer service. IT Resources that support the main, day-to-day academic and operational activities of the university.

Examples (see the Availability Level Classification Guide for a more complete list):

  • Building / floor network routers/switches
  • File servers supporting business operations
  • Finance and human resources management system (Workday)
  • Identity and access management
  • IT Central ticketing (Cherwell)
  • Student information system (Banner)
  • VoIP
  • Wireless network access points

AL-2 – Low

Loss of availability may cause minor losses or inefficiencies.

Examples (see the Availability Level Classification Guide for a more complete list):

  • Campus cards
  • Student printing

AL-1 – Minimal

Loss of availability poses minimal impact or financial losses.

Examples (see the Availability Level Classification Guide for a more complete list):

  • Office computers

Classifying Institutional Information

Data Owners are responsible for working with the Information Security and Privacy Office to determine appropriate classifications (Protection Level and Availability Level) for the Institutional Information datasets over which they have primary authority.

Step 1. Evaluate the Institutional Information

Data Owners must consider the following factors during the evaluation:

  1. Regulatory framework. Data Owners must ensure that their use of and protection plans for Institutional Information comply with applicable laws, regulations, policies, and standards. The Classification Guides outline the Protection Level and Availability Level classifications for many types of Institutional Information. For Institutional Information types not included in the guides, Data Owners should consult the Information Security and Privacy Office for guidance.
  2. Business impact of a loss of confidentiality, integrity or availability. Business impact can include any of the following: negative financial impact, damage to reputation related to a breach or compromise, potential for regulatory or legal action, loss of critical campus operations, required corrective actions and/or violation of university mission, policy, or principles. The Protection Level must be commensurate with the level of need for confidentiality, integrity, and availability of the Institutional Information.

    Example

    Research data and results may be intended to be public-facing and could thus be classified at PL-1 or PL-2. However, if the research requires a high level of accuracy and integrity, it may need to be classified at PL-3 or PL-4 to protect against alteration.

    Ransomware could encrypt the data or wiper malware could erase the data, preventing its recovery. Research Institutional Information often requires a high Protection Level to ensure that years of work are adequately protected from damage or loss.

  3. Risk of harm to individuals. Data Owners must consider any potential harm or negative impact that the compromise of their data could have on the parties whose Personal Data is contained in the information asset. Anonymized and Pseudonymized data must also be reviewed to ensure legal, regulatory, and protocol requirements are met and to establish the risk of harm if the data is reidentified.

    Example

    The use case for many building automation and control systems involves physical health and safety. Data Owners must assign the Protection Level appropriately to protect the critical function(s) that these systems may perform.

  4. Required Availability Level. The use case for Institutional Information generally determines the Availability Level. Data Owners must consult the Availability Level Classification Guide or perform their own analysis to make this determination. Unlike with Protection Level, Data Owners may choose to select a lower Availability Level than what is specified in the guide.

    Example

    During a large-scale emergency, computer systems containing Institutional Information may not be available for some time. However, the information contained in those systems, such as emergency contact information for students and employees, may still be needed. Data Owners must assign the Availability Level appropriately to ensure this information remains accessible.

  5. Access needs. The decision to grant access to Institutional Information must be based on the use case as well as applicable university policies. Data Owners must consider legal and regulatory obligations and consult the Information Security and Privacy Office or the Office of the General Counsel if they have any questions.

    Institutional Information cannot be re-shared. The Data Owner must approve all requests for access.

    Example

    Ricky asks Ethel for a set of Institutional Information. After considering the business need, Ethel grants Ricky access to the Institutional Information. Later, Lucy asks Ricky for access to the same Institutional Information. Ricky cannot grant access to Lucy. She must request access from Ethel, the Data Owner.

    If Institutional Information with higher Protection and/or Availability Levels also contains some lower-level information, the Institutional Information must be secured to meet the requirements of the highest classification.

  6. Data and system architecture. The type of data and where and how it is stored, processed, and accessed can change the Protection Level of some parts of its associated system. Combinations of data, particularly those that can identify an individual or group, may require higher Protection Levels according to laws, regulations, or The New School’s privacy principles. The Classification Guides provide examples.

    Example

    Even after removing direct identifiers such as name, address, and Social Security Number from a database of personal information, the indirect identifiers (date of birth, zip code, gender, etc.) that remain may be used, in combination with information from other datasets (often publicly available online), to “re-identify” the individuals in the database.

    In one example, when a state agency released a database of de-identified records of state employees’ hospital visits, a researcher was skeptical of the governor’s assurances that the state had adequately protected patient privacy. By obtaining a copy of the voter registration database for the city where the governor lived, and using the fields the two databases had in common (zip code, date of birth, and gender), the researcher was able to link diagnoses, procedures, and medications to particular named individuals. To make her point, the researcher sent a copy of the governor’s health records to his office.

  7. Use case change. The Protection Level and Availability Level must be reviewed and reclassified (adjusted) if necessary when a new feature, use case or data element is introduced.

    Example

    A purchased campus safety application adds a geolocation feature. Users can now opt in to have their location tracked so they can be found quickly in the event of an emergency. The new feature adds data that introduces an important privacy concern and warrants a Protection Level of PL-3 or PL-4.

Step 2. Select classification levels

  1. Once Data Owners have considered the above factors, they must select the classification level using the Classification Guides and the results of any analysis (e.g., risk assessments, Data Protection Impact Assessments, etc.) performed. If their specific data is not included in the guide, Data Owners should consult with the Information Security and Privacy Office.
  2. Data Owners may use the published Protection Level in the guide or raise it based on the specific use case, but they cannot lower it without obtaining written approval, in advance, for the exception from the Information Security and Privacy Office. However, Data Owners may raise or lower the Availability Level based on use case.
  3. Data Owners must document the classification in an appropriate repository or system of record.

    Tip

    Secured instances of inventory/asset management systems, departmental file shares, software version control systems, ticketing or work tracking systems, and document management systems generally serve as reliable systems of record.

  4. The university organizational unit receiving the Institutional Information must also record its classification in an appropriate repository or system of record for the unit if the system of record is not shared with the Data Owner.

Step 3. Set review and retention schedules

  1. Data Owners must consult the university’s Record Retention Policy and record the retention schedule for the Institutional Information stored on the IT Resource.
  2. Data Owners must work with the Information Security and Privacy Office to identify compensating controls and any other special issues, develop an implementation plan, and document the disposition.
  3. Data Owners must reclassify Institutional Information if the data, system, or use case changes.

Classifying IT Resources

Application Owners are responsible for working with the Information Security and Privacy Office to determine an appropriate security classification (Protection Level and Availability Level) for the IT Resources over which they have primary authority.

Step 1. Evaluate the IT Resource

Application Owners must consider the following factors during the evaluation:

  1. Institutional Information stored and processed. Application Owners must classify IT Resources based on the Institutional Information they create, store, process, and transmit.
  2. Required Availability Level. The use case for the IT Resource generally determines the Availability Level.
  3. Access to other systems. If the system is used to access another system, the higher of the two classification levels must be applied.

Step 2. Select classification levels

  1. Once Application Owners have considered the above factors, they must select the classification level using the Classification Guides and the results of any analysis (e.g., risk assessments, etc.) performed. If their specific data is not included in the guide, Application Owners should consult with the Information Security and Privacy Office.
  2. Application Owners may use the published Availability Level in the guide or choose another level based on the specific use case. Unlike with Protection Level, Application Owners may select a lower Availability Level than the one specified in the guide.
  3. Application Owners must document the classification in an appropriate repository or system of record.

    Tip

    Secured instances of inventory/asset management systems, departmental file shares, software version control systems, ticketing or work tracking systems, and document management systems generally serve as reliable systems of record.

Step 3. Set review schedules

  1. Application Owners must reclassify IT Resources if the data, system, or use case changes.

Review

This standard is reviewed on a periodic basis and updated as necessary by the Information Security and Privacy Office to ensure it remains accurate, relevant, and fit for purpose.

Document history

Date: Jun 2020
Author: D. Curry
Description: Initial publication

Parts of this standard are adapted from the University of California’s classification framework, coordinated by Robert Smith, the contents of which are used with permission.