Data Classification and Protection
Data assets are some of the most valuable assets owned by Greenville Technical College (GTC). GTC produces, collects, and uses many different types of data in fulfilling its mission. Federal and State laws and institutional policy mandate privacy and protection of certain types of data, and the college needs to manage the risk and protection of this information. Classifying data is the first step in determining the data's need for protection.
- Data Classification
Data is classified in terms of several factors such as the need for protection of sensitive data and the need for availability. GTC classifications are used to manage data protection and availability. All data can be classified into one of four categories which best describes its level of protection. The four categories are Public, Internal, Confidential, and Restricted data.
- Public Data - Data can be disclosed without restriction. Examples - directories, maps, course syllabi, course catalog, mission statement, and other general information related to the college.
- Internal Data - Confidentiality of data is preferred, but information contained in data may be subject to open records disclosure. Examples - budget plans, email correspondence, internal committee meeting minutes, etc.
- Confidential Data - Sensitive confidential information in use by GTC. If confidential information is inappropriately altered, or is subject to unauthorized access, use or disclosure, considerable loss could occur. Examples - Information security plans and Personally Identifiable Information (PII) such as SSN, bank account information, and driver's license number.
- Restricted Data - Protection of information is mandated by law (FERPA, HIPAA, PCI/DSS).
- Confidential and Restricted Data Access Protocols
- All access to or use of Confidential or Restricted data should be granted on a least-privilege basis, and the data should only be used internally within job responsibilities and duties.
- Any need to move or send confidential or restricted data outside of GTC should be reviewed and approved in writing by OIT.
- If data needs to be transported in any way outside of the GTC environment for approved reasons, this data will need to be encrypted to maintain its level of protection.
- Confidential or Restricted data should not be moved to external sources such as OneDrive or other external cloud storage systems for individual or group use.
- All new systems, interfaces or services should be reviewed to address the encryption needs of the data.
- All new requests for credit card processing must be reviewed by the PCI/DSS committee to ensure all the standards and requirements for any ecommerce transactions are in place before any transactions can occur. Requests for new service can be made using the OIT Help ticket process. Any request will be sent to the PCI/DSS committee for review and, if approved, implementation.