Information Classification
Information classification is required to determine the relative sensitivity and criticality of information assets, which provide the basis for protection efforts and access control. Michigan Tech has established a framework for classifying and handling data based on its level of sensitivity, value, and criticality. All data needs to be classified into one of three sensitivity levels, or classifications which are referred to as Confidential, Internal, and Public.
-
Level 1: Confidential
- Confidential information is information whose unauthorized disclosure, compromise or destruction would result in severe damage to Michigan Tech, its students, or employees (e.g., social security numbers, dates of birth, medical records, credit card or bank account information). Level 1 data is intended solely for use within Michigan Tech and limited to those with a “business need-to-know”.
-
Level 2: Internal or Private
- Internal use information must be guarded due to proprietary, ethical, or privacy considerations. Although not specifically protected by statute, regulations, or other legal obligations or mandates, unauthorized use, access, disclosure, acquisition, modification, loss or deletion of information at this level could cause financial loss or damage to Michigan Tech’s reputation, or could violate an individual’s privacy rights (e.g., educational student records, employment history, university donor home mailing). Internal use information is information intended for use by Michigan Tech employees, contractors, and vendors covered by a non-disclosure agreement.
-
Level 3: Public
- This is information that is regarded as publicly available. These data values are either explicitly defined as public information (e.g., state employee salary ranges), intended to be readily available to individuals both on and off campus (e.g., an employee’s work email addresses), or not specifically classified elsewhere in the protected data classification standard. Knowledge of this information does not expose Michigan Tech to financial loss, or jeopardize the security of Michigan Tech’s assets. Publicly available data may be subject to appropriate campus review or disclosure procedures to mitigate potential risks of inappropriate disclosure data in order to organize it according to its risk of loss or harm from disclosure.
All University data will be reviewed on a periodic basis and classified according to its use, sensitivity and importance to the University and in compliance with federal and/or state laws. The level of security required depends in part on the effect that unauthorized access or disclosure of those data values would have on university operations, functions, image or reputation, assets, or the privacy of individual members of the University community.