Security :: Data Classification Standards

Classification Description Examples

Level 1: Need-to-know

Level 1 Confidential Information may only be used within HSU, and access is limited to those with a "business need-to-know." Statutes, regulations, and other mandates or legal obligations protect much of this information.

Disclosure of Level 1 data to anyone outside the University is governed by specific standards and controls designed to protect the information. Unauthorized use, access, disclosure, or acquisition of private or confidential information could mean financial loss or other damage to HSU, its students, employees, and customers. Legal action may result from the discovery of such unauthorized access.

Level 1 data is typically exempt from disclosure requirements under the California Public Records Act or other applicable state or federal laws.

Review the security standards for computers containing Level 1 data.

Review the security standards for disposal and transfer of devices containing Level 1 data.

Confidential Information includes but is not limited to:

  • Passwords or other login credentials
  • PINs (Personal Identification Numbers)
  • Birth date combined with last four digits of Social Security Number and name
  • Credit card numbers with cardholder name
  • Tax ID with name
  • Driver's license number, state identification card, and other forms of national or international identification (such as passports, visas, etc.) in combination with name
  • Social Security number and name
  • Health insurance information
  • Medical records related to an individual
  • Psychological counseling records related to an individual
  • Bank account or debit card information in combination with any required security code, access code, or password that would permit access to an individual's financial account
  • Biometric information
  • Electronic or digitized signatures
  • Private key (digital certificate)
  • Law enforcement personnel records
  • Criminal background check results

 


Level 2: Internal Use 

Level 2 Private Information is information that could raise ethical or other concerns if shared with individuals or entities that do not have the legal right to view it.

Although not specifically protected by statute, regulations, or other legal obligations or mandates, unauthorized use, access, disclosure or acquisition of Level 2 data could cause financial loss, damage to HSU’s reputation, or violate an individual’s privacy rights, and may make legal action necessary.  

Private Information includes but is not limited to:

  • Identity validation keys (with name): 
    • Birth date (full: mm-dd-yy)
    • Birth date (partial: mm-dd only)
  • Photo (taken for identification purposes)
  • Library circulation information
  • Trade secrets or intellectual property such as research activities
  • Location of critical or protected assets
  • Licensed software 
  • Vulnerability/security information related to a campus or system

Employee information (including student employees):

  • Employee net salary  
  • Home address  
  • Personal telephone numbers  
  • Personal email address  
  • Payment history  
  • Employee evaluations  
  • Pre-employment background investigations  
  • Mother’s maiden name  
  • Race and ethnicity  
  • Parents' and other family members' names  
  • Birthplace (city, state, country)  
  • Gender  
  • Marital status  
  • Physical description  

Student Information/Educational Records (not defined as "directory" information, typically):

  • Grades
  • Courses taken  
  • Schedule  
  • Test scores  
  • Advising records  
  • Educational services received  
  • Disciplinary actions 
  • Student photo

 

 


Level 3: General use

Level 3 data is generally regarded as publicly available. It may be explicitly defined as public information, intended to be available to individuals both on and off campus, or not specifically classified elsewhere in this standard. Knowledge of this information does not expose the University to financial loss or jeopardize the security of HSU’s information assets.

Level 3 data may be subject to appropriate campus review or disclosure procedures to mitigate potential risks of inappropriate disclosure on a case-by-case basis.  

General information includes but is not limited to:

Campus Identification Keys

  • Campus identification number  
  • User ID (do not list in public or large aggregate lists to reduce chances of spam)

Student Directory Information (unless a student requests in writing that their directory information not be released, resulting in a ‘confidentiality flag’ being set in their record)

  • Educational directory information (FERPA)

Employee Information (including student employees): 

  • Employee title
  • Status as student employee (such as TA, GA, ISA)
  • Employee campus email address
  • Employee work location and telephone number
  • Employing department

 
