Text Size Default Text SizeDefault Text Size Large Text SizeLarge Text Size Largest Text SizeLargest Text Size Print Print this Page

Policy 6134

Data Classification

I. Purpose 

The purpose of this policy is to identify how the sensitivity of the university's data will be classified.

II. Definition  

Sensitivity: Sensitivity is the degree of adverse effect a compromise of confidentiality, integrity or availability would have on Commonwealth of Virginia interests, the conduct of university programs or the privacy to which individuals are entitled.

III. Policy 

University data owners, as defined in the Security Roles and Responsibilities policy, will be responsible for identifying all types of data handled by the university and classifying the sensitivity of the data. In determining the sensitivity of the data the requirements of federal, state and local laws must be considered.

  1. Classification of Data:
    1. Data will be classified based on the following:
      1. Public data is the least sensitive information and is acceptable for public consumption.
      2. Internal data is moderately sensitive information. All University data is considered Internal unless classified otherwise.
      3. Restricted data is highly sensitive information for which an unauthorized disclosure may result in identity theft or University liability for costs or damages under laws, government regulations or contract.
    2. Data owners are required to follow the instructions and format approved by the Information Security Office for conducting and completing their data classification. This includes an initial classification and the re-classification of data at least annually.
    3. Data Classifications will be publically available.
    4. Users will be responsible for the data they handle and adhering to the Data Handling Standards prescribed to consistently protect the data throughout its life cycle and in any form.

IV. Enforcement 

The University regards any violation of this policy as a serious offense. Violators of this policy are subject to disciplinary action, in addition to possible cancellation of IT resources and systems access privileges. Users of IT resources and systems at Longwood are subject to all applicable local, state and federal statutes. This policy does not preclude prosecution of criminal and civil cases under relevant local, state, federal and international laws and regulations.

Approved by the Board of Visitors, December 5, 2008.
Revised and approved by the Board of Visitors, September 11, 2009.
Revised and approved by the Board of Visitors, March 25, 2011.