Data Classification - Sensitivity Labels Explanation

Data Classification

0 - Public

Minimum Security

NA

Damage

NA

Risk

NA

Content Marking

None

Encryption

None

External User Access

Allowed

Description

This information can be shared with anyone in the world on publicly accessible channels; there is no limit on disclosure.

Examples

• University financial data or business records available to the public 

• Approved meeting minutes 

• Administrative process data 

• Data about decisions that affect the public 

• Other university public data 
• General access data, such as that on unauthenticated portions of the institution’s website 
• Marketing
• www.alfredstate.edu
• Handouts
• Commercials
• Public Statements

Data Classification

1 - General

Minimum Security

Low

Damage

No Damage

Risk

Low

Content Marking

Optional

Encryption

None

Description

This information may be shared within our community, including customers and partners, but not via publicly accessible channels.

Examples

• University financial data or business records available to the public 

• Approved meeting minutes 

• Administrative process data 

• Data about decisions that affect the public 

• Other university public data 
• General access data, such as that on unauthenticated portions of the institution’s website 

Data Classification

2 - Confidential - External

Minimum Security

Medium

Damage

Could cause harm to Alfred State College if compromised.

Risk

Medium

Content Marking

Yes Header

Encryption

• Yes
• Authenticated Users assigned Co-Owner.  Their access never expires.
• Limited to 30 days of offline access

External Access

Allowed with Authenticated Users, new and existing guests

Offline Access

30 Days

Description

Use when handling sensitive information intended for specific people inside or outside the organization.

Examples

• Procurement documents such as invoices, purchase orders, receipts, schedule of work, terms and conditions
• Consulting or professional services on business or security sensitive topics
• FERPA
• GLBA
• Social security number (SSN)  
• Driver license number 
• State-issued non-driver ID number 
• Bank/financial account number 
• Credit/debit card number (CCN) 
• Protected Health Information 
• Passport number 
• College IT authentication credentials 
• Documents protected by attorney-client privilege 
• FERPA-protected data 
• Gramm-Leach Bliley data 
• Final course grades, exam questions or answers 
• HR employment data 
• Law enforcement investigation data, judicial proceedings data includes student disciplinary or judicial action information 
• Public Safety information 
• IT infrastructure data 
• Collective bargaining negotiation data, contract negotiation data 
• Trade secret data 
• Protected data related to research 
• University intellectual property 
• University proprietary data 
• Data protected by external non-disclosure agreements 
• Inter- or intra-agency data which are not: statistical or factual tabulations; instructions to staff that affect the public; final agency policy or determination 
• External audit data 
• University person number 
• Licensed software 
• Certain nonpublic Intellectual Property 

Data Classification

3 – Confidential - Internal

Minimum Security

Medium to High

Damage

Serious Impact to Alfred State College is likely if compromised.

Risk

Medium to High

Content Marking

Yes; Header

Encryption

• Yes
• Alfred State College Users and groups assigned Co-Owner access never expires.
• Limited to 30 days of offline access

External Access

No; ASC Only

Description

Disclosure of this information is limited, and sharing is restricted to users within the organization only.

Examples

Same as Confidential – External but if external sharing is not needed or required.

Data Classification

4 – Confidential – Eyes Only

Minimum Security

High

Damage

Serious Impact to Alfred State College is likely if compromised.

Risk

High

Content Marking

Yes; Header

Encryption

• Yes
• Alfred State College authenticated users assigned Viewer.  Their access never expires.
• Limited to 30 days of offline access

Description

For the eyes and ears of individual recipients only, no further disclosure is allowed. Recipients cannot print, forward or copy the information.

Examples

• Controlled or sensitive internal communication that is not intended to be shared.