Data Classification and Handling Policies

Information Classification Standard

The SDSU College of Education (COE) has adopted the draft CSU Data Classification and SDSU Information Classification Standards as a minimum information classification standard. These standards outline three levels of classification and standards (Protected Level 1, 2 and 3) to which information must be secured. Along with these standards, the following guidelines and policies have been established by the COE to assist in reducing exposure to information and data loss.

Information security is essential whether information is conveyed electronically, over the phone or in written documents, whether it is acquired, transmitted, processed, transferred and/or maintained by the COE.

All COE faculty, staff, project directors and entities working on behalf of COE are subject to these guidelines and policies, and to SDSU Information Security policies and procedures, including periodic Security Awareness Orientation training.

Protected Level 1 information is information primarily protected by statutes, regulation, other legal obligation or mandate. The CSU and SDSU have identified standards regarding the disclosure of this type of information to parties outside the College of Education and controls needed to protect the unauthorized access, modification, transmission, storage or other use. Level 1 Confidential information is intended for use by the COE and access is limited to those with a “business need-to-know.” Included in this level are:

  • Passwords or credentials
  • PINs (Personal Identification Numbers)
  • Credit/debit/payment card numbers with any of the following:
    • cardholder name
    • expiration date
    • card verification code
  • Social Security number or Tax ID with name
  • Birthdate with name and last four digits of social security number
  • Driver’s license number, state identification card, and other forms of international identification (such as passports, visas, etc.) with name or social security number
  • Name with bank account information or bank account information with password, security code or any other access code information
  • Private key (digital certificate)
  • Health insurance information
  • Medical records related to an individual (including disability information)
  • Psychological counseling records related to an individual
  • Electronic or digitized signatures
  • Employee name with personally identifiable employee information:
    • Mother’s maiden name
    • Race and ethnicity
    • Gender
    • Birthplace (city, state, country)
    • Employee net salary
    • Marital status
    • Physical description/personal characteristics
    • Employment history (including recruiting information)
    • Biometric information
    • Electronic or digitized signatures
    • Parents and other family member names

Protected level 2 information must be guarded due to proprietary, ethical or privacy considerations. The final authorities for approving departmental procedures for the use, storage and dissemination of protected level 2 information are listed in Table 3-2. University standards will indicate the controls needed to protect the unauthorized access, modification, transmission, storage or other use of:

  • Student name with personally identifiable educational records
    • Birth date (full: mm-dd-yyyy or partial: mm-dd only)
    • Courses taken
    • Schedule
    • Test scores
    • Financial aid received
    • Advising records
    • Educational services received
    • Disciplinary actions
    • Photograph
    • Most recent educational agency or institution attended
    • Participation in officially recognized activities and sports
    • Weight and height of members of athletic team
    • Grades
    • SDSU identification number (RedID)
    • Race & Ethnicity
    • Gender
    • Transcripts
    • E-mail addresses
  • Employee name with personally identifiable employee information
    • Birth date (full: mm-dd-yyyy or mm-dd)
    • Emergency contact home address
    • Emergency contact personal telephone number
    • Emergency personal contact information (name, cell phone, pager)
    • Personal telephone numbers
    • Personal vehicle information
    • Personal email address
    • Parents and other family member names
    • Payment history
    • Employee evaluations
    • Background investigations
    • Photograph (voluntary for public display)
  • Other
    • Legal investigations conducted by the College of Education
    • Sealed bids
    • Trade secrets or intellectual property such as research activities
    • Location of highly sensitive or critical assets (e.g. safes, check stocks, etc.)
    • Library circulation information
    • Vulnerability or incident information
    • Licensed software
    • Attorney/client communications
    • Third party proprietary information per contractual

Protected level 3 is information that is regarded as publicly available. This information is either explicitly defined as public information (such as state employee salary ranges), intended to be available to individuals both on-campus and off-campus (such as employee work email addresses), or not specifically classified elsewhere in the protected information classification standard. Publicly available information may still be subject to College of Education review or disclosure procedures to mitigate potential risks of inappropriate disclosure.

  • Student information designated as Educational Directory Information (excluding grades):
    • Student name
    • Major field of study
    • Dates of attendance
    • Degrees, honors and awards received
  • Employee Information (including student employment)
    • Employee title
    • Employee name (first, middle, last; except when associated with protected information)
    • Enrollment status
    • Department employed
    • Work location and telephone number
    • Work e-mail address
    • Employee classification
    • Status as student (such as TA, GA, ISA)
    • Employee gross salary
    • Signature (non-electronic)
    • SDSU identification number (RedID)

Where several categories apply, use the highest level of security, that is, use Level 1 versus Level 2 and so on. Questions about the proper classification of a specific piece of information should be addressed to your manager.

Non-State (personal) information (both electronic and non-electronic), such as personal credit reports, personal bank statements, or even contact information from a synchronized cell phone or PDA should not be stored on the COE systems as the COE does not assume responsibility for securing this information and many systems may not be secured for this information by default. Personal information does not just pertain to first party personal information (yours), but also to any third party personal information (someone else’s).

The full information on the Information Classification Standard is available in the San Diego State University Information Security Plan, Section 3.0.

Information Labeling Guidelines

Marking is at the discretion of the owner or custodian of the information. If marking is desired, the words "Protected Level 1 (PL1)” , “Confidential”, “Protected Level 2 (PL)” or “Internal Use” may be written or designated in a conspicuous place on or in the information in question. Other labels identifying the data classification may be used at the discretion of individual business units or departments.

If no marking is present, the COE information is presumed to be "the COE Confidential" unless expressly determined to be the COE Public information by a the COE employee with authority to do so.

Information Handling Guidelines

The following guidelines are presented to assist PI’s, project directors, employees and vendors working with the COE secure information. The final authorities for approved procedures are documented in Table 3-2 Approvers for Protected Information Procedures in the San Diego State University Information Security Plan.

Procedures for Handling Protected Level Information

Protected Level 1:

  1. Must be attended, with someone physically present at both ends of the FAX machine.
  2. FAX machine should be located in secure area, with access limited to authorized personnel.
  3. EXCEPT for credit card information for payments which should not be faxed under any conditions. Procedures for faxing credit card payment information must be reviewed and approved by the appropriate campus and Foundation authorities. Contact the SDSURF Director of Finance & Accounting for additional information.

Protected Level 2:

  1. Should be attended, with someone physically present at both ends of the FAX machine.

Protected Level 3:

  1. Yes

Additional FAX procedures

  • Whenever possible, information should be sent only to FAX machines at known locations, where the physical security of the receiving machine can be assured. If you are not sure, verify with the recipient.
  • Sensitive documents – inbound or outbound- should not be left sitting on or around the FAX machine.

Protected Level 1:

  1. Must be encrypted
  2. With approved procedures

Protected Level 2:

  1. Should be encrypted
  2. With approved procedures

Protected Level 3:

  1. With approved procedures for aggregate data.

Level 1:

  • Must be encrypted
  • With approved procedures

Protected Level 2:

  1. With approved procedures

Protected Level 3:

  1. With approved procedures for aggregate data.

Protected Level 1:

  1. Must be encrypted
  2. With approved procedures

Protected Level 2:

  1. Should be encrypted
  2. With approved procedures

Protected Level 3:

  1. With approved procedures for aggregate data.

Additional email procedures

  • SDSU e-mail is not encrypted by default.
  • Never forward emails containing Protected Level 1 information to personal email accounts.

Protected Level 1:

  1. With approved procedures

Protected Level 2:

  1. With approved procedures

Protected Level 3:

  1. Yes

Protected Level 1:

  1. No
  2. Cell phones used for authorized university purposes may store, with approval, and must be encrypted.

Protected Level 2:

  1. No

Protected Level 3:

  1. Yes

Protected Level 1:

  1. Must be encrypted
  2. With approved procedures

Protected Level 2:

  1. Should be encrypted
  2. With approved procedures

Protected Level 3:

  1. With approved procedures

Protected Level 1:

  1. Should be encrypted
  2. With approved procedures

Protected Level 2:

  1. With approved procedures

Protected Level 3:

  1. Yes

Protected Level 1:

  1. With approved procedures
  2. Physically secured if accessible by unauthorized individuals

Protected Level 2:

  1. With approved procedures

Protected Level 3:

  1. Yes

Additional Procedures

  • When open for business, unattended areas should be kept secure and locked whenever possible. If a door to a restricted area can’t be locked, it should be closed. 
  • All protected information must be removed from desks and locked in a drawer or file cabinet when the workstation is unattended and at the end of the work day. 
  • Office doors should be locked when you leave. 
  • Be particularly careful that visitors can’t easily see computer screens. 
  • Physical access to sensitive office equipment should be controlled, including computers, printers, photocopiers, fax machines and file cabinets with paper records. 
  • File cabinets containing protected information must be locked when not in use or when not attended.

Protected Level 1:

  1. Shred immediately
  2. Physically secured until shredded
  3. With approved procedures

Protected Level 2:

  1. Shred
  2. With approved procedures

Protected Level 3:

  1. In trash or recycling

Protected Level 1:

  1. Electronically overwritten or destroyed
  2. Physically secured until disposed
  3. With approved procedures

Protected Level 2:

  1. Electronically overwritten or destroyed
  2. Secured until disposed With approved procedures

Protected Level 3:

  1. Electronically overwritten or destroyed
  2. Secured until disposed
  3. With approved procedures

Protected Level 1:

  1. Should be labeled as “Protected Level 1”
  2. Should be physically secured

Protected Level 2:

  1. Should be labeled as “Protected Level 2” or “Confidential”
  2. Should be physically secured

Protected Level 3:

  1. Yes

Protected Level 1:

  1. Must have password protected voice messaging
  2. With approved procedures

Protected Level 2:

  1. Must have password protected voice messaging
  2. With approved procedures

Protected Level 3:

  1. Yes

Additional voice mail procedures

  • Do not leave protected/personal information on voice mail systems.
  • Only names and callback numbers should be left on voicemail systems.
  • If you use a voice mail system, turn the volume down so that incoming messages cannot be overheard when left or played back.

Protected Level 1:

  1. When possible, hand deliver.
  2. In sealed container
  3. Not visible outside container
  4. Tagged “Confidential”

Protected Level 2:

  1. When possible, hand deliver.
  2. In sealed container
  3. Not visible outside container
  4. Tagged “Confidential”

Protected Level 3:

  1. Yes

Protected Level 1:

  1. In sealed container
  2. Not visible outside container
  3. Tagged “Confidential”

Protected Level 2:

  1. In sealed container
  2. Not visible outside container
  3. Tagged “Confidential”

Protected Level 3:

  1. Yes