Test Classification

Title: Data Classification

Effective Date:

Next Review Date:

Responsible Dept: IT & Systems

This policy will remain in effect until the next version is reviewed and approved.

Reviewed by:

Date:

Executive/Science Administration Group:

Executive Committee:

Board of Trustees:

Verified by:

Purpose
1. This policy is intended to establish a standardized approach to classifying data based on its sensitivity level, facilitating the consistent implementation of appropriate protection measures. Categorizing data into distinct levels according to their potential impact helps to mitigate risks associated with unauthorized access, disclosure, alteration, or loss.
Scope
1. This policy applies to all employees, contractors, vendors, and third-party entities accessing, processing, or managing PNRI data assets. It encompasses data stored in electronic, physical, or any other format, whether it is residing on PNRI grounds or externally hosted.
Referenced Documents
1. None
Definitions
1. Principal of Least Privilege: Also known as a minimum access policy. A security practice that permits individuals to access the least amount of data required to perform their work.
2. Individuals: Any employee, contractor, vendor, collaborator, or third-party entity.
3. Incidents: Known or suspected loss of data security or control.
Policy Statement
1. This policy establishes secure practices for individuals using and managing sensitive data. Access should be assigned using the principle of least privilege, using devices and communication channels appropriate for the sensitivity of the data. The data classification procedure categorizes information into four levels: Public Information, Internal Use Only, Confidential, and Highly Sensitive, each with varying protection requirements. Employees must promptly report any incidents to IT for investigation and documentation. Enhanced requirements may come from agreements with the data’s owner, originator, or compliance laws.
2. Data Handling and Transmission
  1. Guidelines for Secure Data Handling
    1. All individuals must ensure that data is handled with appropriate security to mitigate the risk of unauthorized access or disclosure
    2. Data should only be accessed according to business needs and should not be shared with unauthorized individuals
    3. Individuals should use devices and communication channels with appropriate security for the data classification
  2. Secure Data Transmission Protocols
    1. All data transmissions must be conducted using appropriate protocols and access controls. This may include HTTPS or SFTP protocols over public networks.
    2. Encryption may be required to be used to protect data during transmission, especially when transmitted over public networks
    3. Individuals should avoid sending sensitive data via unsecured channels such as email or instant messaging
3. Data Classification Procedure
  1. Data classification shall be conducted based on the following guidelines:
    1. Level 1: Public Information - Information intended for public consumption and does not pose any risk to the organization if disclosed. Examples: Marketing materials, press releases, and public event schedules. No encryption or access control requirements.
    2. Level 2: Internal Use Only - Information restricted to internal personnel and authorized stakeholders for operational purposes. Examples: Employee directories, non-sensitive correspondence, and internal memos. Encryption is not required, but access control is recommended.
    3. Level 3: Confidential - Sensitive information requiring protection against unauthorized access, disclosure, or alteration. Examples: Lab data (excluding publicly available information), financial records, and intellectual property. Encryption and access control are required.
    4. Level 4: Highly Sensitive - Critical information with severe repercussions if compromised, necessitating the highest level of protection. Examples: Trade secrets, proprietary algorithms, and strategic plans. Encryption required. Access control requirements must be based on individual identity, not group membership.
    5. Enhanced Requirements: Information or data with additional requirements for use and storage beyond the levels described above. These requirements may be driven by regulatory requirements or other agreements with the data owner. A custom data management plan must be developed with IT to fulfill the requirements.
4. Incident Response and Reporting
  1. Reporting Incidents
    1. All individuals must promptly report any suspected or confirmed incidents to IT personnel.
    2. Incidents requiring reporting include but are not limited to unauthorized access, data breaches, malware infections, and suspicious activities involving data assets.
  2. Incident Response Procedures
    1. Upon receiving an incident report, IT personnel will promptly investigate the incident, contain the impact, and mitigate further damage.
    2. Incident response planning should include escalation procedures and communication protocols consistent with data sensitivity and include stakeholders.
  3. Incident Documentation
    1. All security incidents and the corresponding response actions should be documented for analysis, reporting, and improvement of incident response procedures
    2. Documentation should include details such as the nature of the incident, affected data assets, response actions taken, and recommendations for preventing future incidents
Attachments
1. None
Document Maintenance
1. As a document prescribing the accessibility of digital information at PNRI as overseen by IT personnel, this document is subject to the following steps:
  1. Review: This document is to be reviewed by the departmental director. At this stage, changes may be made to the document as needed to create a policy that best reflects the needs and values of the Institute.
  2. Approval: This document must be submitted to the executive committee for approval before its implementation. They may not change the document but may request changes and provide feedback up until the point of approval.
  3. Maintenance: This document should be reviewed and updated as necessary no less than annually. If any changes must be made in the intervening time, the document must be checked out as outlined in ADM-POL-1202 Section 5.4.1.1.2. Following two successful annual reviews, the specified period between reviews may be extended as deemed appropriate by the reviewing parties
Revision History

Version Number

Date

Description of Change

Contributor

1.0

01/27/2025

Initial Creation

Justin Dukes