University Data Classification Policy

 

1. Purpose

The purpose of this policy is to establish a standardized framework for classifying institutional data according to its sensitivity, value, and risk to the institution. Classification creates a shared vocabulary and helps ensure that all University data is handled, stored, transmitted, and disposed of in a manner that protects confidentiality, integrity, and availability.

2. Scope

This policy applies to all faculty, staff, students, contractors, and third parties who access, manage, store, or transmit University data in any form, including electronic, paper, and verbal.

3. Roles and Responsibilities

  • Data Stewards: Individuals entrusted with implementing controls and managing data on behalf of the University.
  • Data Users: Anyone who accesses or interacts with University data.
  • IT Security Office: Provides guidance, implements safeguards, and monitors compliance.

4. Data Classification Levels

The University establishes four distinct data classification levels, as defined below, to ensure the appropriate protection and management of institutional information assets.

In the event of ambiguity or dispute regarding the classification of a specific data element, personnel shall consult both the designated Data Steward for the respective functional area and the Information Technology (IT) Security Office to determine the correct classification level.

Level 1 – Public

Information intended for public disclosure with minimal risk to the University. Few restrictions; generally releasable to a member of the public upon request. 

  • Examples:
    • University website content
    • Public event announcements
    • Published research
    • Marketing materials
    • Campus maps and general brochures
    • Public course catalog information

Level 2 – Internal

Information not intended for public release but posing limited risk if disclosed. Internal information may be accessed by eligible employees and designated appointees of the University conducting University business. This information should be protected by the University Single Sign-On or similar authentication.

  • Examples:
    • Internal emails and memos
    • Departmental meeting minutes
    • Operational documents without regulated data
    • Routine financial reports
    • FERPA-designated directory information (e.g., name, major, enrollment status), unless a student has opted out
    • Internal procedural guidelines not containing sensitive security details (usernames and passwords, API keys, encryption keys, MFA passcodes, etc.)

Level 3 – Confidential

Information that could cause harm to individuals or the University if improperly accessed or disclosed. Because of legal, ethical, or other constraints, this data may not be accessed without specific authorization, or only selective access may be granted. 

  • Examples:
    • Student or Employee ID numbers
    • Student academic records (FERPA non-directory information)
    • Employee HR files
    • Non-public research data
    • Internal budgeting and strategic planning documents
    • Student conduct and disciplinary records
    • Donor information not including financial account data
    • Dates of Birth
    • Contracts, Subpoenas, and Legal Requests

Level 4 – Restricted

Information requiring the highest level of protection due to elevated risk. This is Institutional Data that, if exposed, can lead to exceptionally grave damage to UIndy’s mission, safety, finances, or reputation. Inappropriate handling of this data could result in criminal or civil penalties, identity theft, personal financial loss, or invasion of privacy. Access to this type of data shall require authorization and a legitimate need-to-know by University employees. This information shall be protected by SSO, Multifactor Authentication, and other strict technical controls.

  • Examples:
    • Social Security Numbers
    • Protected Health Information (HIPAA)
    • Credit card numbers (PCI-DSS)
    • Authentication credentials: usernames and passwords, API keys, cryptographic keys
    • Financial Aid Applications
    • Financial account numbers
    • Export-controlled research data (ITAR/EAR)

5. Related Policies and Links