RCIT-03 Reeves County Data Classification Policy
|
Policy Title: |
RCIT Reeves County Data Classification Policy |
|||
|
Policy Number |
RCIT-03 |
Effective Date: |
09/01/2022 |
|
|
Purpose: |
Provide Guidelines About Cloud Usage |
|||
|
Regulation Reference |
|
Rev: 1.202204 |
||
RCIT Reeves County Data Classification Policy
Policy Statement:
Data classification in the realm of information security involves categorizing data based on its sensitivity and the potential impact on the institution, its clients, or third parties if unauthorized disclosure, alteration, or destruction occurs. This policy establishes a framework for classifying organizational data, guiding the application of baseline security controls to safeguard the data.
Guidelines:
A. Classifications:
1. Highly Restricted:
- Definition: Information not public, accessible only to those with a legitimate need, and so sensitive that loss of confidentiality could cause significant harm.
- Includes Personally Identifiable Information (PII), Protected Health Information (PHI), Sensitive Reeves County Information, and System account credentials.
2. Restricted:
- Definition: Data not public by law, available to those with a legitimate need, less sensitive than Highly Restricted data.
3. Public:
- Definition: Data available to the public by law, and the loss of confidentiality would not cause significant harm.
- Examples: Press releases, class schedules, newsletters, and public announcements on Reeves County websites.
B. Collection and Use of Protected Information (Highly Restricted and Restricted Data):
- Highly Restricted and Restricted Data should only be collected, maintained, used, or disclosed as minimally necessary for Reeves County as required by law.
C. Transmission of Protected Information (Highly Restricted and Restricted Data):
- Must be transmitted securely using encryption technology, secure web transfer, or Secure File Transfer Protocol.
- Recipients must be made aware of confidentiality and security obligations.
- Routine exchanges with service providers may require contractual security agreements and third-party assessments.
D. Storage of Protected Information (Highly Restricted and Restricted Data):
- Users should save or store Protected Information in approved Reeves County Systems or Reeves County IT Resources.
- Portable media usage is subject to Reeves County Technology Use Policy, including encryption standards.
E. Policy Administration and Enforcement:
- Administered by the GEO IT Department.
- Exception requests can be submitted through the RCIT Help Desk procedure.
- Violations may lead to disciplinary actions, access restrictions, termination, and potential civil and criminal liability.
Policy Compliance:
- The institution prioritizes the security of information and IT resources.
- Violations may result in disciplinary actions, access restrictions, termination, and potential legal consequences.
- Employment terms align with collective bargaining agreements between the institution and any union but do not replace, amend, or supplement them.