USNH Information Classification Policy - Proposed

OVERVIEW 

The proposed USNH Information Classification Policy replaces the existing USNH Data Classification Policy as well as existing policy provisions from institution level policies ensuring all USNH institutions and community members are using the same classification structure for institutional information. 

You can review the proposed USNH Information Classification Policy here.

This Policy is currently open for Public Comment.  You can submit feedback, questions, or comments here.


MAPPING TO CURRENT POLICIES

The following existing policies will be replaced in full by the new USNH Information Classification Policy. A complete mapping of each institution's existing policy to the new Policy is provided at the links below. 

A comprehensive map of all impacted institutional policies to the new Policy can be found here.
(This is the same mapping information as the institutional maps, just in aggregate.)


DETAILED EXPLANATION OF CHANGES

There are four fundamental changes to the existing USNH Policy being proposed:

Data to Information

We are proposing that the name of the policy be changed to USNH Information Classification Policy. Using the word “information”, which includes but is not limited to data, aligns the name of the policy more clearly with its intent and the way it should be implemented: classification, and the handling requirements associated with each classification tier, apply to all institutional information regardless of its form. Using the word “data” can imply that the policy applies only to information stored digitally.

This does not demonstrably change anything at any institution, as most non-digital information is already treated as in scope for classification.

Consistent Terminology and Classification

We are proposing that the tiered classification structure outlined in the new Policy be implemented and enforced at all institutions. Currently, the USNH Data Classification Model is implemented to varying degrees across the four institutions. Moving forward, all institutions need to adopt and implement the same Policy for information classification and the same Standards for information handling.

This represents a change for all institutions and is necessary to support the consolidation of information technology resources, services, and functions at the system-level.  

Expansion to Five Classifications

We are proposing that the existing classification structure, which includes three classifications, be expanded to five classification “tiers”. This represents a change for all institutions and is intended to make it easier to define and enforce specific information handling requirements aligned with regulations and industry standards. The use of Tiers is intended to provide a quick visual reference to the order of the classifications (e.g., Tier 5 Confidential is more stringent than Tier 3 Protected).

The proposal is to split the “RESTRICTED” classification, which currently includes any information that is protected by regulation (including FERPA, GLBA, HIPAA, and PCI-DSS), into the three distinct classification tiers outlined below:

  • TIER 5 - CONFIDENTIAL: Includes HIPAA, PCI-DSS, and some Research information based on contractual requirements
  • TIER 4 - RESTRICTED: Includes SSN, FMLA, GLBA, other protected personally identifiable information, information technology information, and some Research information based on contractual requirements
  • TIER 3 - PROTECTED: Includes FERPA and some Research information based on contractual requirements

This change is being proposed to make it easier to define and document clear information handling Standards for each Tier. By moving FERPA and HIPAA/PCI to new, separate tiers, we can more closely align the security controls required to safeguard each type of information, without imposing on the broader academic community the more onerous security controls required for compliance with other regulations.

This represents a demonstrable change for all institutions.

Documented Information Handling Standards

To better support the USNH community in understanding their information handling responsibilities, we will be documenting Information Handling requirements for each Tier as a Cybersecurity Standard. This accomplishes two goals: 1) further reinforcing consistency in data handling across all USNH institutions, and 2) providing documented standards that can be used to demonstrate compliant practices for audits and assessments.

In this instance, a “Standard” is a type of policy document that provides all the detailed information needed to comply with a policy or with part of a policy. For example, the Information Classification Policy requires that “All USNH and component institution information shall be protected appropriately based on the classification of that information.” The individual Information Handling Standards for each classification tier define the specific security controls that equate to “protected appropriately”. Each Information Handling Standard will define and document things like where information can be stored, how it can be shared, who it can be shared with, whether it can be emailed, etc.

These Standards are being documented with the help of the appropriate data stewards at each institution and will become effective at the same time as the new Policy.  Currently, we plan to develop the following Standards in support of this Policy:

  • Public and Sensitive Information Handling Standard
  • Protected Information Handling Standard
  • Restricted Information Handling Standard
  • Confidential Information Handling Standard

This represents a demonstrable change, to varying degrees, for all institutions, because some detailed information handling requirements were previously defined in institutional policies.


ADDITIONAL SECTIONS ADDED

While much of the content in the new USNH Information Classification Policy can be mapped to provisions in the USNH Data Classification Policy, the following new sections were added to this Policy.  


New Section – 4.7 Information Handling Requirements

The new Policy adds a section that makes Cybersecurity & Networking, with oversight by the institutional data stewards, responsible for defining, documenting, and publishing information handling requirements for each classification tier.

Standards related to this section:

  • Public and Sensitive Information Handling Standard
  • Protected Information Handling Standard
  • Restricted Information Handling Standard
  • Confidential Information Handling Standard

Note: All four Information Handling Standards will be available for review in late February/early March 2021.


New Section – 4.8 Clarification on Classification

The new Policy adds a section that makes Cybersecurity & Networking the USNH community's central point of contact for questions about classification.  The intention of this provision is to make it as simple as possible for those with questions to know who to contact to get answers.  


New Section – 5 Enforcement

The new Policy adds an Enforcement section that mirrors all the other Technology/Cybersecurity Policies. 


New Concept – 7 Exceptions

The new Policy introduces the concept of Policy exceptions and directs community members to the detailed requirements related to these exceptions provided in the Cybersecurity Exception Standard. This concept, section, and Standard reference will be consistent across all Technology/Cybersecurity Policies and the related Standards.

Standards related to this section:


New Concept – 8 Roles & Responsibilities

The new Policy adds a section to list Roles & Responsibilities defined in the Policy provisions.