1.0 Purpose

All Elon University data needs to be protected on some level. There are gradations that require different levels of security. All data should be reviewed on a periodic basis and classified according to its use, sensitivity, and importance. All Elon University data should be categorized as high risk, confidential, or public according to the following guidelines:

High Risk data includes information assets for which there are legal requirements for preventing disclosure or financial penalties for disclosure. Data covered by federal and state legislation, such as the Family Educational Rights and Privacy Act, the Health Insurance Portability and Accountability Act, or the Gramm-Leach-Bliley Act, are in this class. Payroll, personnel, student, and financial information are also in this class because of privacy requirements.

This policy recognizes that other data may need to be treated as high risk because it would cause severe damage to Elon University or an individual if disclosed or modified. The system administrator or departmental system owner should make this determination in partnership with Christopher Waters. It is the data owner’s responsibility to implement the necessary security requirements and controls.

Confidential data includes information that would not expose the University to loss if disclosed, but that the data owner feels should be protected to prevent unauthorized disclosure. It is the data owner’s responsibility to implement the necessary security requirements and controls.

Public data includes all information that may be freely disseminated.

2.0 Scope

This policy applies to all persons who have access to Elon University systems, services, or equipment accessing University data.

3.0 Policy

All information resources should be categorized and protected according to the categories listed above. The data classification and its corresponding level of protection should be consistent when the data is replicated and as it flows through the University. Data owners must determine the data classification and must ensure that the person given access to the data is protecting the data in a manner appropriate to its classification. Data custodians are responsible for creating data repositories and data transfer procedures which protect data in the manner appropriate to its classification. High risk and confidential data must be encrypted during transmission over insecure channels. All appropriate data should be backed up weekly, and the backups tested quarterly, as part of a regular process. Data backups must be handled with the same security precautions as the data itself.