Classification levels: Prohibited Information¹ | Restricted/Regulated Information | Institutional Confidential/Proprietary Information | Public/Unrestricted Information

Description

Prohibited Information¹: Information legally classified as breach notifiable, for which Lehigh University is required to self-report to the government and/or provide notice to the individual if the information is inappropriately accessed. Data of this type includes, but is not limited to, all data identified by Pennsylvania Statute 2301 as well as other applicable state statutes, cardholder data covered by the Payment Card Industry Data Security Standard (PCI DSS), and specific combinations of individual financial records (GLBA) and health care records (HIPAA).

Restricted/Regulated Information: Information regulated or restricted by federal and/or state regulatory or legal requirements, contractual requirements, or University policy. Data of this type includes, but is not limited to, student records (FERPA), financial records (GLBA), health care records (HIPAA), International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR), Red Flags Rule, Children's Online Privacy Protection Act (COPPA), employment records, legal records, and certain business records.

Institutional Confidential/Proprietary Information: Information at this level must be protected due to privacy, ethical, or proprietary constraints. Data of this type includes, but is not limited to, intellectual property and any data or documents that are not intended for public access or distribution.

Public/Unrestricted Information: Data at this level is protected at the discretion of the department or the data owner. Data of this type includes, but is not limited to, all documents slated for public distribution, directory information as defined by FERPA, and any departmental data not deemed to be at a higher level of sensitivity (i.e., not meant for public consumption, but not necessarily important enough to warrant encryption).
Specific Classification Level of Lehigh University Data Attributes

Prohibited Information¹:
  • Social Security Numbers
  • Credit Card Numbers
  • Driver license number or state identification card number issued in lieu of a driver license
  • Account number or credit card number or debit card number in combination with any required security code², access
  • Passport and visa numbers
  • Health Care Information, including Protected Health Information (PHI)
  • A user name or email address, in combination with a password, biometric identifier, or security question and answer that would permit access to an online account

Restricted/Regulated Information:
  • Lehigh Identification Number (LIN) in combination with Personal Identification Number (PIN)
  • Student grades, attendance, and performance records
  • Human Subjects Information
  • Information gathered from children under the age of 13
  • Employment applications
  • Employee information, including personnel files, benefits information, salary, conflict of interest filings, birth date, and personal contact information
  • Privileged attorney-client communications
  • Internal policy records
  • Export controlled information under U.S. laws
  • Emergency and disaster recovery/incident response plans

Institutional Confidential/Proprietary Information:
  • Lehigh Identification Numbers (LIN)
  • Departmental data
  • Lehigh internal memos
  • Internal reports
  • Class rosters
  • Marketing and forecasting reports
  • Email distribution lists
  • Source code
  • Building diagrams and blueprints
  • Donor information
  • Vendor non-disclosure agreements
  • Personal information that can be used to verify identity, such as birth dates, mother's maiden name, and photographs

Public/Unrestricted Information:
  • Lehigh published articles and newsletters
  • Student achievements and accolades
Access

Prohibited Information: Access is limited to those permitted under law, regulation, and Lehigh University policies, and with a job-specific need and required training. External release of this type of information is only through executive management or through subpoena or warrant. Unauthorized release of this type of data could result in termination from University employment.

Restricted/Regulated Information: Access is limited to those permitted under law, regulation, and Lehigh University policies, and with a specific need to know. External release of this type of information is only through executive management or through subpoena or warrant. Unauthorized release of this type of data could result in termination from University employment.

Institutional Confidential/Proprietary Information: Access is limited to those individuals who have been approved for access by the data steward or custodian based on need to know. Public or external requests to release this type of information are handled only through management or through subpoena or warrant. Unauthorized release of this type of data could result in disciplinary action.

Public/Unrestricted Information: Access to all data not meant for public consumption is at the discretion of the department or data owner.
Transmission

Prohibited Information: NIST-approved encryption is required when transmitting information through a network. Prohibited data shall not be sent by email unless it is sent using an institution-approved method.

Restricted/Regulated Information: NIST-approved encryption is required when transmitting information through a network. Restricted data shall not be sent by email unless it is sent using an institution-approved method.

Institutional Confidential/Proprietary Information: NIST-approved encryption is strongly recommended when transmitting information through a network. Institutional Confidential/Proprietary information sent by email should follow the institution's guidelines.

Public/Unrestricted Information: No encryption is required for public/unrestricted information.
Storage

Prohibited Information: Prohibited information shall not be stored on any of the following media or devices:

  • non-Lehigh-owned or personal devices
  • external media, including flash drives, cell phones, or any other external forms of storage (excluding University Data Center disaster recovery backups)

Prohibited data shall be encrypted if used or stored on any endpoint device or local system, and that data should be used strictly for short-term processing, not for long-term storage.

Prohibited data should be stored only on University-owned hosts that use NIST-approved encryption, or on other qualified University-owned hosts, and in accordance with the Lehigh University Records Management and Retention Policy.


Restricted/Regulated Information: Restricted/Regulated information shall be stored in accordance with the following:

  • Any computer containing this type of data must be encrypted using whole-disk encryption, as must any system with web access to this type of data, since cache files may be present.
  • Any storage of this type of information in a cloud environment must be in a Lehigh University-approved cloud storage solution.
  • Any of this type of data stored on flash drives, cell phones, or any other external form of storage (including backups) must be in an encrypted form.

Long-term or archival storage of restricted/regulated data should be on University-owned hosts that use NIST-approved encryption, or on other qualified University-owned hosts, and in accordance with the Lehigh University Records Management and Retention Policy.


Institutional Confidential/Proprietary Information: Institutional Confidential/Proprietary information shall be stored in accordance with the following:

  • It is strongly recommended that any computer containing this type of data be encrypted using whole-disk encryption, as should any system with web access to this type of data, since cache files may be present.
  • Any storage of this type of information in a cloud environment must be in a Lehigh University-approved cloud storage solution.
  • It is strongly recommended that any of this type of data stored on flash drives, cell phones, or any other external form of storage (including backups) be in an encrypted form.

Long-term or archival storage of institutional confidential/proprietary data should be on qualified University-owned or cloud service hosts, and in accordance with the Lehigh University Records Management and Retention Policy.


Public/Unrestricted Information: Long-term or archival storage of Lehigh University public/unrestricted data should be on qualified University-owned or cloud service hosts, and in accordance with the Lehigh University Records Management and Retention Policy.

¹ Based on Pennsylvania Statute 2301 as well as other applicable state statutes.

² Per PCI DSS, the card security code (CVV) must never be stored after authorization, even in encrypted form.