Information Technology Services

Data Classification and Storage Requirements

The following information is intended to help university employees manage information effectively. How information should be protected and handled depends on its type, importance, and usage. Classification is necessary to understand which security practices should be used to protect different types of information. The more protected the information needs to be, the more practices are required.

APPLIES TO:

University employees (faculty, staff, student employees) and other covered individuals (e.g., affiliates, vendors, independent contractors, etc.) in their handling of university data, information, and records in any form (paper, digital text, image, audio, video, microfilm, etc.) during the course of conducting university business (administrative, financial, education, research or service). “Handling” information includes, but is not limited to, the following: creating, collecting, accessing, viewing, using, storing, transferring, mailing, managing, preserving, disposing, or destroying.

This is not an all-encompassing list. For information or attributes not listed, or when in doubt, please contact [email protected] or set up a consultation with the IT Security Office.

When mixed data falls into multiple categories, use the highest classification. That is the high watermark to which the controls must be applied.

Highly Sensitive Data

Storage Location

Additional Information

Protected – Highly Sensitive Data

Justification

The following student information/records:

  • Non-directory data
  • Student records (including directory data) flagged as confidential/private.

Attributes defined as ‘Directory Information’ in Mason: FERPA

For Student Financial Aid that constitutes Federal Tax Information (FTI)**, refer to the separate listing below.

FERPA for Staff and Faculty

Passwords/PINs and cryptographic private keys associated with User ID and/or system or technology services

  • Cybersecurity and fraud risk considerations
The following attributes when used in this combination should only be released to non-school officials for verification purposes.
  • Student ID (G Number)
  • Date of Birth

Datasets containing Date of Birth

Personally Identifiable Information (PII)*

*Any personal information that can lead to identity theft if exposed.

IMPORTANT: credit card data MUST NEVER be stored on Mason systems.

Social Security Numbers (SSN)

Financial account numbers

Driver’s license, state ID, military ID, passport, visa numbers

Protected Health Information

Medical/mental history, treatment, or diagnoses information; health insurance policy numbers, protected health information in hard copy or electronic formats.

Allegation and investigation records (all roles including students)

Data that must be withheld from release under the Virginia Freedom of Information Act (FOIA).

Engineering, design, or operational information associated with Mason’s infrastructure. Such information should also be evaluated for FOIA exemption.

This would include network diagrams that contain detailed configuration information or network devices associated with systems in the ‘High’ category.

Draft financial statements and similar reports that have not been approved for publication or distribution.

  • Drafts that are a ‘work in progress’ may not be complete or accurate and can have a material negative impact (e.g., reputational) if disclosed before being finalized.
  • Patriot Drive
  • Archer Integrated Risk Management (IRM)

Information shared by vendors or other parties under confidentiality or non-disclosure agreements.

  • Contractual obligations
  • Systems approved to store FTI such as Banner
  • NIST 800-53 and NIST 800-171 compliant systems only

**Federal Tax Information (FTI) for Federal Student Aid Programs

* Contact the Office of Research Integrity and Assurance for applicable requirements and control restrictions

Research Support Services: Export control, Controlled Unclassified Information (CUI)

Research Support Services: Controlled Unclassified Information (CUI)

Restricted Data

Storage Location

Protected – Restricted

Justification

  • George Mason’s subscribed M365 including OneDrive
Student information attributes that may not be released under the directory information exception of FERPA. These are:
  • Student Email
  • Address
  • Phone Number

See Code of Virginia § 23.1-405(C) for conditions.

Office of the University Registrar: FERPA

Va. Code § 23.1-405 (C)

Unpublished research data that are not classified as Highly Sensitive Data (by the Principal Investigator or the Data Owner)

  • Patent, competitive and commercial potential, intellectual property, work product
G numbers, Cardinal ID (by themselves, without any context or other attributes)
  • Privacy and potential fraud considerations

Employment applications, employee performance evaluations, and personnel files without PII, as well as non-directory contact information

  • Privacy

Personnel and financial information not covered by the definition of Highly Sensitive Data, but not intended to be made public.

Internal communications and email, non-public reports or contracts, intellectual property, and all other information releasable in accordance with the Virginia Freedom of Information Act.

  • Least privilege, need-to-know
Donor contact information and non-public gift information
  • Donor Privacy

Research project datasets that:

  • Do NOT contain Personally Identifiable Information
  • Are de-identified
  • Secure custom-configured George Mason-managed encrypted laptop or desktop

Research project datasets with agreements that DO NOT contain restrictions from the Data Owner/Sponsor/Prime/Sub around not storing that data on laptops or desktops, AND:

  • Do NOT contain Personally Identifiable Information
  • Are de-identified

Public Use Data

Storage Location

Public Use Data

Justification
  • George Mason’s subscribed M365 including OneDrive
Published directory information (faculty, staff, students, etc.)
Research data that is unrestricted or based on publicly available information: Public Use
George Mason’s Public Websites: Public Use
Procedure manuals designated by the owner as intended for public use: Public Use
Employment advertisements: Public Use
Information in the public domain (e.g., campus maps, parking information, published news releases and announcements, events calendars): Public Use
