Data Classification Policy
(University Policies and Procedures, #3504)
Purpose
The purpose of this compliance standard is to provide the university community with a clear understanding of the ethical and proper use of data contained within university systems. This policy outlines the proper use and classification of information assets on university systems.
Data Classification
Data classification is assigned to protect data. Any user or automated system interacting with a university-operated or university-sponsored computer resource must comply with the defined data classification levels. A data classification level is assigned to all information that is maintained, stored, or produced by university systems.
Data owners will perform an annual assessment of the information contained in their systems and will classify that information according to the classification levels defined in this policy.
Security administrators will take appropriate steps on the information system to safeguard the information according to its classification level.
The Information Classification levels are (from highest to lowest):
Trade Secret
Sensitive
Private
Confidential
Public
Trade Secret
A trade secret represents the highest level of Intellectual Property (IP) that the university maintains. If trade secret information is disclosed, it may harm the competitive edge of the university, or may otherwise significantly hamper the university's ability to function.
Sensitive
Sensitive information requires special precautions to ensure the integrity and confidentiality of the information in its storage, usage, and transmittal. This information must be protected from unauthorized modification or retrieval, and is not generally disclosed. Sensitive information may be used with third parties when safeguards and countermeasures are in place to protect that information. Unauthorized disclosure of sensitive information can adversely and/or seriously affect the university as a whole or in part.
Private
Private information is information specific to a person that is used by the university. Unauthorized disclosure of private information can adversely affect persons associated with the university, although it may not necessarily affect the university as an entity. Permission must be obtained from the person in order to disclose private information to a third party.
Confidential
Confidential information is for use only by select persons or systems within the university, and is distributed on a need-to-know basis between members of the university staff, its systems, and specific third parties where appropriate. Confidential information, by its very nature, is exempt from disclosure under the Freedom of Information Act. Unauthorized disclosure of confidential information can adversely affect the university as a whole or in part.
Public
Public information is, by its very nature, designed to be used by anonymous persons or systems which may have an interest in the university. Public information is routinely disclosed and made freely available.
Further, the university also depends on data exchange with certain outside third-party organizations, and the university must make sure that information is exchanged according to this policy based on the information classification level.
Violations of this policy should be reported to the OCCS Security Group.
Definitions
Data Owner is the individual responsible for decisions regarding data. Data Owner is also referred to as Data Steward, Business Owner, or Executive Sponsor.
An Information Asset represents individual data elements, data lists, addresses, documents, measurement samples, programs, program source code, recorded ideas, aggregations of data, and other intellectual property produced by members of the university.
Information Technology Resources are defined as computers, telecommunication equipment, networks, automated data processing, databases, the Internet, printing, management information systems, and related information, equipment, goods, and services.
Security Administrators are individuals who ensure that appropriate controls, mechanisms, and processes are in place to meet the security requirements necessary to protect an information resource.
User includes anyone who accesses and uses the Old Dominion University information technology resources.