Guidelines on Information Classification
For the purposes of this guideline, University information is defined as all information content related to the business of Eastern Illinois University that exists in electronic, digital or hard copy format. University information includes but is not limited to text, spreadsheets, databases, audio, video, photographs and graphics. University information does not include scholarly works and other intellectual property for which the author owns the copyright; in these cases, the author is responsible for determining the level of security and privacy required for the work.
University Information
Different sets of University information require different levels of controls, and not all data require the same level of protection. Treating all information in the same manner can introduce risk (e.g., treating Confidential information in the same manner as Public information) or can waste University resources (e.g., treating Public information in the same manner as Confidential information). The controls in place around University information and information resources must be in line with the sensitivity level of the information itself, both to help ensure adequate protection from unwanted events and to maintain responsible use of University resources.
University information can be broken down into three classifications, based on the sensitivity of the information and the level of harm to the individual and the University should this information be exposed. The following guidelines are intended to help the University community identify and classify data into the proper categories in order to determine the levels of protection needed.
Public
Any information that is either generally available to the public through other sources, or information for which the disclosure to any party does not pose a threat to the University or an individual, is considered "Public" information. Public information requires the least amount of security controls, but still requires some restrictions to protect against unauthorized and/or unwanted modifications. Examples of Public information include press releases, the public areas of the EIU web site, brochures, flyers, handouts, and newsletters.
Public Information
Information designated by EIU for public distribution. Requires protection against unauthorized modifications. Examples of Public Information include: press releases, brochures, flyers, handouts, newsletters, and public areas of the EIU web site.
Internal
Any information that is generated during normal University business, that does not contain sensitive information about an individual, that is not covered by local, State or Federal laws, and that is not covered by any contractual obligation for security or privacy is considered "Internal" information. Internal information requires a moderate amount of security controls to ensure that the information remains internal to the University, remains available as needed and as State records requirements dictate, and is protected against unauthorized and/or unwanted modifications. Examples of Internal information include memos, e-mails and other correspondence discussing University business, reports, and meeting agendas. Internal information is the broadest category of information and covers the majority of the information produced by the University.
Internal Information
Information created during EIU operation that is not covered by laws or regulations. Requires protection against unauthorized access, deletions, and modifications. Examples of Internal Information include: memos, e-mails, faxes, reports, and meeting agendas. This is the default classification for University Information.
Confidential
Any information that would, if released to the public, cause serious harm to the University and/or an individual, that is covered by State or Federal laws, or that is covered by any contractual obligation for security or privacy is considered "Confidential" information. Confidential information requires a significant amount of security controls to ensure that the information remains tightly controlled as required by State and Federal laws, contractual obligations or industry best practice. In general, access to Confidential information is based upon documented need, such as explicit job duties. Confidential information includes: information covered by one or more State or Federal regulations such as FERPA, HIPAA, GLBA, and PIPA; information covered by security contractual obligations such as PCI DSS; Employee and Student records; and information regarding sensitive University business and legal matters. To help control confidential information contained in the Banner system, several Data Custodians have been identified. These Data Custodians determine how the information under their control is to be used and who may access this information from within Banner. To locate the appropriate Data Custodian, please visit the ITS Banner Page.
Confidential Information
Information relating to sensitive University business, confidential information on students, faculty or staff, and/or information covered by law or regulation. Requires significant protection to meet legal requirements and avoid unauthorized access, deletions and modifications. Examples of Confidential Information include: employee records, student records, credit card and payment information, and legal business.
Default Classification
By default, any information that does not fall into the Confidential category and has not been designated Public should be considered Internal.
Last Date Reviewed: 06/13/2024