WVSOM has a very low tolerance for risks that arise from inappropriate or unauthorized use and/or release of sensitive data (i.e. PII, FERPA, HIPAA, COPPA). Data elements may be maintained and archived in the pursuit of regular financial business operations, academic research, student communications, or other intellectual property developed for WVSOM. The WVSOM IT Department, as part of the Information Security Plan, requires our end-user community to report any suspected data breach through our incident reporting process within our service request system (Team Dynamix). As stated in institutional policy GA-31 Acceptable Use of IT Resources, WVSOM affiliated individuals are expected to comply with data protection governed by Federal and State laws concerning the collection, use, and disclosure of certain information. The WVSOM GLBA working group will identify annually any changes to the data that they are collecting and maintaining, while also reaffirming the proper retention and disposal requirements under institutional policy GA-11 Record Retention. The annual identification of the data will define its risk categorization as public (low sensitivity), private (moderate sensitivity), or restricted (high sensitivity), combined with the location of the data, the data type (faculty, staff, student, other), and the information type (Administrative, PII, FERPA, HIPAA, COPPA).
WVSOM has categorized its data and information systems into risk levels of sensitivity for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access.
Accurate categorization provides the basis to apply an appropriate level of security to institutional data. These categorizations take into account the legal protections (by statute, regulation, or by the data subject’s choice), contractual agreements, ethical considerations, or strategic or proprietary worth.
Public Data, low level of sensitivity
Data in the public categorization is not considered confidential; it may be released to a requestor and made accessible to the public, and it represents the lowest risk. Any loss of availability, integrity, or confidentiality would not be detrimental to the finances, safety, reputation, or mission of WVSOM. However, the integrity of public data must still be protected and maintained, and the owner of the data must give the appropriate authorization before it is replicated.
Internal Data, moderate level of sensitivity
The private data categorization covers data that is WVSOM proprietary in nature and may carry other privacy and ethical considerations, but not necessarily a direct compliance requirement (statutory, regulatory, or legal) mandating protection; it presents moderate risk. The loss of availability, integrity, or confidentiality could have a mild impact on the finances, safety, reputation, or mission of WVSOM. Access to private data should be reserved for WVSOM personnel whose job function gives them a business purpose for accessing it.
Confidential, highest level of sensitivity
The restricted data categorization is applied to the most confidential data elements, those protected by statutes, policies, and regulations (FERPA, HIPAA, PCI DSS), and presents the highest risk. It may also include data that is not under legal statute but that WVSOM data administrators and owners have deemed to require restricted access. The loss of availability, integrity, or confidentiality could have a substantial negative impact on WVSOM and its finances, safety, reputation, or mission.
Use the examples below to determine which data categorization standard is appropriate for a particular type of data. When a data set falls into multiple categories or contains elements with different levels of sensitivity, apply the categorization with the highest sensitivity level to the whole set.
An application is defined as software running on a server that is network accessible or installed on a local machine.
A server is defined as a host that provides a network accessible service.
WVSOM Information Technology Department has put together a list of approved services and associated categories (login required).