Southern Adventist University takes seriously its commitment to respect and protect the privacy of its students, alumni, faculty and staff, as well as to protect the confidentiality of information important to Southern’s academic mission. For that reason, Southern has classified its information assets into the categories Unrestricted, Confidential and Restricted for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access.
Southern expects all partners, consultants and vendors to abide by Southern's information security policies. If non-public information is to be accessed or shared with these third parties, they should be bound by contract to abide by Southern's information security policies.
All new information systems that store or process Restricted Data should be assessed by the Information Technology Department.
These guidelines are intended to reflect the minimum level of care necessary for Southern's sensitive data. They do not relieve Southern or its employees, partners, consultants or vendors of further obligations that may be imposed by law, regulation or contract.
Definitions
Data Classifications
Use these criteria to determine which data classification is appropriate for a particular information or infrastructure system. A positive response to the highest category in any row is sufficient to place that system into that Classification.
| Restricted Information | Confidential Information | Unrestricted Information |
Information Classification Guideline | Information is classified as "Restricted" if protection of the information is required by law/regulation or Southern is required to self-report to the government and/or provide notice to the individual if information is inappropriately accessed. If a file which would otherwise be considered to be Confidential contains any element of Restricted Information, the entire file is considered to be Restricted Information. | Information is classified as "Confidential" if (i) it is not considered to be Restricted and is not generally available to the public, or (ii) it is listed as Confidential in the "Classification of Common Data Elements". | Information is classified as "Unrestricted" if it is not considered to be Restricted or Confidential. |
Classification of Common Data Elements | | | |
Access Protocol | Access limited to those permitted under law, regulation and SAU's policies, and with a need to know. | Access limited to those with a need to know, at the discretion of the data owner or custodian. | At the discretion of the data owner, anyone may be given access to Unrestricted information. However, care should always be taken to use all University information appropriately and to respect all applicable laws. Information that is subject to copyright must only be distributed with the permission of the copyright holder. |
Transmission | NIST-approved encryption is required when transmitting information through an insecure network. Third party email services are not appropriate for transmitting Restricted information. Restricted numbers may be Masked instead of encrypted. | NIST-approved encryption is strongly recommended when transmitting information through a network. Third party email services are discouraged for transmitting Confidential information. | No encryption is required for Unrestricted information. |
Storage | Restricted on Computing Equipment unless approved by SAU. If SAU approves, NIST-approved encryption is required on Computing Equipment. Restricted numbers may be Masked instead of encrypted. NIST-approved encryption is also required if the information is not stored on a Qualified Machine. Third party processing or storage services are not appropriate for receiving or storing Restricted information unless approved by SAU. | Encryption of Confidential information is strongly recommended. Level of required protection of Confidential information is either pursuant to SAU policy or at the discretion of the owner or custodian of the information. If the appropriate level of protection is not known, check with the data owner before storing Confidential information unencrypted. Third party processing or storage services may receive or store Confidential data if SAU has a valid contract with the vendor that includes the standard clauses specified in the Security Requirements. | No encryption is required for Unrestricted information. Care should still be taken to protect the integrity of Unrestricted information. |
Unpublished Research and Intellectual Property Data
Published research data is considered public, and Southern is committed to openness in its research. Unpublished research data may need to be kept private. In those circumstances, unpublished research data is considered Confidential.
For purposes of data classification, a faculty member directing research is the data owner of the results of that research. As such, determining the level of protection necessary for unpublished research data is the prerogative of the faculty, taking into account any agreements such as the information security requirements of external research sponsors.
Southern members can invite other members, both within and outside the university, to view Unrestricted data, co-edit documents, and use collaboration tools. It is the responsibility of each member to ensure appropriate sharing controls are used in order to protect intellectual property as well as prevent accidental or undesirable information sharing.
SAU Services
Please contact Information Technology for guidance before using a service to store, process, or transmit Restricted or Confidential data as defined above, noting that Southern approval is needed in advance of handling Restricted data on anything other than Qualified Machines. Some of the services require additional components in order to qualify for the specified permitted data classifications.