202: Information Systems – Classification Standards
Information Security Manual
Section 200: Information Systems Security
The purpose of this section is to provide guidance and standards regarding the classification of Institutional Information. Institutional Information is defined as all information created, collected, maintained, recorded, or managed by the University, its staff, and all agents working on its behalf. It is essential that Institutional Information be protected. There are, however, gradations that require different levels of security, and accurate classification provides the basis for applying an appropriate level of security to OSU’s Information Systems. It is the Records Custodian’s responsibility to review Institutional Information periodically, to classify each item according to its use, sensitivity, and importance, and to implement appropriate security requirements.
Information Classifications: Protected, Sensitive, and Unrestricted
Protected Information is information for which there are legal requirements for preventing disclosure or financial penalties for disclosure. Personally identifiable information, financial records, and student records are examples of Institutional Information in this class. This information is protected by statutes, rules, regulations, University policies, and/or contractual language. The highest levels of restriction apply, both internally and externally, due to the potential risk or harm that may result from disclosure or inappropriate use.
Protected Information must be protected from unauthorized access, modification, transmission, storage, or other use. Protected Information should be disclosed to individuals on a need-to-know basis only. Disclosure to parties outside the University is generally not permitted and must be authorized by the appropriate supervisory personnel. Employees may be required to sign non-disclosure agreements before access to Protected Information is granted.
Sensitive Information is information that would not necessarily expose the University to loss if disclosed, but that the Records Custodian feels should be guarded against unauthorized access or modification due to proprietary, ethical, or privacy considerations. High or moderate levels of restriction apply, both internally and externally, due to the potential risk or harm that may result from disclosure or inappropriate use. This classification applies even though there may not be a statute, rule, regulation, University policy, or contractual language prohibiting its release.
Sensitive Information must be protected from unauthorized access, modification, transmission, storage, or other use. Sensitive Information is generally available to members of the University community who have a legitimate purpose for accessing such information. Disclosure to parties outside of the University should be authorized by the appropriate supervisory personnel.
Unrestricted Information, while subject to University disclosure rules, may be made available to members of the University community and to individuals and entities external to the University. In some cases, general public access to Unrestricted Information is required by law.
While the requirements for protection of Unrestricted Information are considerably less than for Protected or Sensitive Information, sufficient protection will be applied to prevent unauthorized modification of such information.
This section applies to all Institutional Information and all systems, processes, and data sets that may access this information, regardless of the environment where the data resides or is processed; for example, the University mainframe enterprise server, other enterprise servers, distributed departmental servers, or personal workstations and mobile devices. All information with a designated Records Custodian must meet the same classification level and utilize the same protective measures as prescribed by the Records Custodian for the central systems.
This policy applies regardless of the media on which data resides, for example, electronic, microfiche, paper, CD/DVD, or other media. It also applies regardless of the form the information may take, for example, text, graphics, video or audio, or their presentation. University units may have additional policies for information within their areas of operational or administrative control. In the event these local policies conflict with University Policy, University Policy applies.
This section applies to all University community members, whether students, faculty, staff, volunteers, contractors, affiliates, or agents, who have access to University Information Systems and to all University units and their agents including external third-party relationships.