Main content

Campus Technology Services

10
27
Our Hours Today:
8:00am-6:45pm

Information Sensitivity Policy

 

  • Purpose

The Information Sensitivity Policy is intended to help employees determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of Purchase College without proper authorization.

 

The information covered in these guidelines includes, but is not limited to, information that is either stored or shared via any means. This includes: electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing).   All employees should familiarize themselves with the information labeling and handling guidelines that follow this introduction. It should be noted that the sensitivity level definitions were created as guidelines and to emphasize common sense steps that you can take to protect confidential information. The impact of these guidelines on daily activity should be minimal. Questions about the proper classification of a specific piece of information should be addressed to your manager. Questions about these guidelines should be addressed to the College’s Information Security Officer (ISO).

       

  • Scope

All Purchase College information is categorized into two main classifications:

  • Public Information

  • Confidential Information

 

Public information is information that has been declared public knowledge by someone with the authority to do so, and can freely be given to anyone without any adverse consequences. As a public institution, the College publishes a wide range of information including enrollment statistics, strategic planning information, operational procedures, etc. As an educational institution, the College seeks open communication and participation from its community students, faculty and employees, and the public we serve.

 

Confidential information contains all other information, and is  a continuum, in that it is understood that some information is more sensitive than other information, and should be protected in a more secure manner. Confidential information should be protected closely, and includes various types of information:

  • All personally identifiable information on students, employees, or other individuals;

  • College information of a sensitive nature (vendor evaluations and selection processes; contingency plans; confidential meeting minutes, etc) and other information integral to the success of the College should be considered “confidential” within common sense guidelines. This information is intended for use by College employees only, and for official business only. Following the principle of academic freedom and open communication, this information may be shared within the college community, but it should not be publicly available.

  • Also included in confidential information is other information that is less critical, such as telephone directories, general information, personnel information, enrollment strategies, targets, and statistics etc., which does not require as stringent a degree of protection. Inquiries regarding this information from outside the College should be directed to supervisors.

  • Another subset of confidential information is ” Third Party Confidential” information. This is confidential information belonging or pertaining to another entity which has been entrusted to Purchase College by that company under non-disclosure agreements and other contracts. Examples of this type of information include everything from vendor lists, customer lists, and supplier information. Information in this category ranges from extremely sensitive relatively open, and again, common sense should apply, with referrals to supervisors if there is any doubt.

 

In all cases, Purchase College personnel are encouraged to use common sense judgment in securing confidential information to the proper extent. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact their supervisor.

      

  • Policy

The Sensitivity Guidelines below provides details on how to protect information at varying sensitivity levels. Use these guidelines as a reference only, as information in each category may necessitate more or less stringent protection depending upon the circumstances and the nature of the confidential information in question.

        

  • Minimal Sensitivity: General College information; some personnel and technical information

 

Marking guidelines for information in hardcopy or electronic form: Marking is at the discretion of the owner or custodian of the information. If marking is desired,  “Confidential” may be written or designated in a conspicuous place on or in the information in question. Even if no marking is present, College information is presumed to be “Confidential” unless expressly determined to be Public information by a Purchase College employee with authority to do so.

 

Access:  Purchase College employees, contractors, people with a business need to know.

Distribution within Purchase College:  Standard interoffice mail, College electronic mail and electronic file transmission methods.

Distribution outside of Purchase College internal mail:  U.S. mail and other public or private carriers, approved electronic mail and electronic file transmission methods.

Electronic distribution:  No restrictions except that it be sent to only approved recipients.

Storage:  Keep from view of unauthorized people; erase whiteboards, do not leave in view on tabletop. Machines should be administered with security in mind. Protect from loss; electronic information should have individual access controls where possible and appropriate.

Disposal/Destruction:  Deposit outdated paper information in specially marked disposal bins on Purchase College premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.

Penalty for deliberate or inadvertent disclosure:  Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.

 

  • More Sensitive: Business, financial, technical, and most personnel information

 

Marking guidelines for information in hardcopy or electronic form: As the sensitivity level of the information increases, you may, in addition or instead of marking the information “Confidential” or “Proprietary”, wish to label the information ” Purchase College Internal Use Only” or other similar labels at the discretion of your individual business unit or department to denote a more sensitive level of information. However, marking is discretionary at all times.

 

Access:  Purchase College employees and non-employees with signed non-disclosure agreements who have a business need to know.

Distribution within Purchase College:  Standard interoffice mail, College electronic mail and electronic file transmission methods.

Distribution outside of Purchase College internal mail:  Sent via U.S. mail or approved private carriers.

Electronic distribution:  No restrictions to approved recipients within Purchase College, but should be encrypted or sent via a private link to approved recipients outside of Purchase College premises.

Storage: Individual access controls are highly recommended for electronic information.

Disposal/Destruction:  In specially marked disposal bins on Purchase College premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.

Penalty for deliberate or inadvertent disclosure:  Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.

            

 

  • Most Sensitive: marketing, operational, personnel, financial, source code, & technical information integral to the success of the College

 

Marking guidelines for information in hardcopy or electronic form: To indicate that Purchase College Confidential information is very sensitive, you may should label the information “Purchase College Internal: Registered and Restricted”, ” Purchase College Eyes Only”, “Purchase College Confidential” or similar labels at the discretion of your individual business unit or department. Once again, this type of  confidential information need not be marked, but users should be aware that this information is very sensitive and be protected as such.

 

Access:  Only those individuals (Purchase College employees and non-employees) designated with approved access or non-disclosure agreements.

Distribution within Purchase College:  Delivered direct - signature required, envelopes stamped confidential, or approved electronic file transmission methods.

Distribution outside of Purchase College internal mail:  Delivered direct; signature required; approved private carriers.

Electronic distribution:  No restrictions to approved recipients within Purchase College, but it is highly recommended that all information be strongly encrypted.

Storage:  Individual access controls are very highly recommended for electronic information. Physical security is generally used, and information should be stored in a physically secured computer.

Disposal/Destruction:  Strongly Encouraged: In specially marked disposal bins on Purchase College premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.

Penalty for deliberate or inadvertent disclosure:  Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.

 

  • Enforcement

Any employee found to have violated this policy might be subject to disciplinary action, up to and including termination of employment.

 

  • Terms and Definitions

 

Appropriate measures

To minimize risk to the College from an outside connection or individual. Purchase College computer use by unauthorized personnel must be restricted so that, in the event of an attempt to access Purchase College corporate information, the amount of information at risk is minimized.

 

Configuration of Purchase College-to-other business connections

Connections shall be set up to allow other businesses to see only what they need to see. This involves setting up both applications and network configurations to allow access to only what is necessary.

           

Delivered Direct; Signature Required

Do not leave in interoffice mail slot, call the mail room for special pick-up of mail.

           

Approved Electronic File Transmission Methods

Includes supported FTP clients and Web browsers.

           

Envelopes Stamped Confidential

You are not required to use a special envelope. Put your document(s) into an interoffice envelope, seal it, address it, and mark it confidential.

           

Approved Electronic Mail

Includes the campus mail system supported by CIS only. If you have a business need to use other mail services contact the appropriate support organization.

           

Approved Encrypted email and files

Techniques include the use of DES and PGP. DES encryption is available via many different public domain packages on all platforms.

           

Purchase College Information System Resources

Purchase College Information System Resources include, but are not limited to, all computers, their data and programs, as well as all paper information and any information at the Internal Use Only level and above.

           

Expunge

To reliably erase or expunge data on a PC or Mac you must use a separate program to overwrite data, such as that supplied as a part of Norton Utilities. Otherwise, the PC or Mac’s normal erasure routine keeps the data intact until overwritten.

            

Individual Access Controls

Individual Access Controls are methods of electronically protecting files from being accessed by people other than those specifically designated by the owner.

 

Insecure Internet Links

Insecure Internet Links are all network links that originate from a locale or travel over lines that are not totally under the control of Purchase College.

           

Physical Security

Paper Information: Sensitive information should be secured in locking fireproof cabinets, locked cabinets, or locked and alarmed offices depending on the nature of the information. Visitors should be escorted when in areas containing confidential information. Confidential information should not be left unattended or in plain sight in publicly accessible areas. Confidential information that is outdated or no longer needed, and for which retention schedules have expired should be stored in appropriately marked containers until shredded.

 

Electronic information: Physical security means either having actual possession of a computer at all times, or locking the computer in an unusable state to an object that is immovable. Methods of accomplishing this include having a special key to unlock the computer so it can be used, thereby ensuring that the computer cannot be simply rebooted to get around the protection. If it is a laptop or other portable computer, never leave it alone in a conference room, hotel room or on an airplane seat, etc. Make arrangements to lock the device in a hotel safe, or take it with you. In the office, always use a lockdown cable. When leaving the office for the day, secure the laptop and any other sensitive material in a locked drawer or cabinet.

                       

Identity Verification:

Individuals or organizations requesting confidential information should be challenged to provide appropriate credentials and their identity verified before releasing confidential information to them.