
...

Class I: Critical Information

...

Information legally classified as breach notifiable and where Lehigh University is required to self-report to the government and/or provide notice to the individual if the information is inappropriately accessed.

Data of this type includes, but is not limited to, all data identified by law, specifically Pennsylvania Statute 73 Pa. Stat. § 2301 et seq. as well as other applicable state statutes¹, Payment Card Industry Data Security Standard (PCI DSS) data, and specific combinations of individual financial records (Gramm-Leach-Bliley Act) and health care records (Health Insurance Portability and Accountability Act of 1996 (HIPAA)).

...

Information regulated or restricted by federal and/or state regulatory or legal requirements, contractual requirements, or University policy. Data of this type includes, but is not limited to, student records (Family Educational Rights and Privacy Act (FERPA)), financial records (Gramm-Leach-Bliley Act), health care records (Health Insurance Portability and Accountability Act of 1996 (HIPAA)), International Traffic in Arms Regulations (ITAR)³ data, Export Administration Regulations (EAR)³ data, Red Flags Rule data, Children's Online Privacy Protection Act (COPPA) data, employment records, legal records, and certain business records.

...

Examples of Data Elements within Specific Classification Levels

...

  • Social Security Numbers
  • Credit Card Numbers
  • Driver license number or state identification card number issued in lieu of a driver license
  • Account number or credit card number or debit card number in combination with any required security verification code², access code or password that would permit access to an individual's financial account.
  • Passport ID numbers and other forms of official government-issued identification
  • Health Care Information, including Protected Health Information (PHI)
  • A username or email address, in combination with an unencrypted password, biometric identifier, or security question and answer that would allow unauthorized access to an online account.

  • Lehigh Identification Number (LIN) in combination with Personal Identification Number (PIN).

...

NIST-approved encryption methods are required when transmitting information through a network. Prohibited data shall not be sent by email unless it is sent using an institution-approved method.


...

Prohibited information shall not be stored on any of the following media or devices:

  • non-Lehigh owned or personal devices
  • external media, including flash drives, cell phones, or any other external forms of storage (excluding University Data Center disaster recovery backups)

Prohibited data shall be encrypted if used or stored on any endpoint device or local system, and such data should be used strictly for short-term processing, not for long-term storage.

Prohibited data should be stored only on NIST-encrypted or other qualified University-owned hosts, and in accordance with the Lehigh University Records Management and Retention Policy.


Restricted/Regulated information shall be stored in accordance with the following:

  • Any computers containing this type of data must be encrypted using whole-disk encryption, as should any system with web access to this type of data, since cache files may be present.
  • Any storage of this type of information in a cloud environment must be in a Lehigh University-approved cloud storage solution.

Any of this type of data stored on flash drives, cell phones, or any other external form of storage (including backups) must be in an encrypted form.

...

Institutional Confidential/Proprietary information shall be stored in accordance with the following:

  • It is strongly recommended that any computers containing this type of data be encrypted using whole-disk encryption, as should any system with web access to this type of data, since cache files may be present.
  • Any storage of this type of information in a cloud environment must be in a Lehigh University-approved cloud storage solution.

...

¹ NCSL Security Breach Notification Laws by State.

Pennsylvania Office of Administration Information Technology IT Security Incident Reporting Policy (PDF)

² Per PCI DSS, the card verification code or value (also known as CVV, CAV, CID or CVC) should never be stored.

³ Additional restrictions apply to this type of data. It must be stored within the United States and cannot be shared with those located in other countries. It is up to the data owner to determine whether any export-controlled data may be shared with a particular person or transported to a particular country. Guidance can be found on the US Department of Commerce's Commerce Control List site at: http://www.bis.doc.gov/index.php/regulations/commerce-control-list-ccl

See https://oirsa.lehigh.edu/classification-data