• Search
• Home  |  SDSURF Directory

• Find Funding

  • Communications
  • FIPS
  • Focus on Funding
  • Proposal Submission
  • Related Links
  • SMARTS
  • SPIN
  • Sponsored Research Development
  • Workshops

• Manage Funds

  • Forms
  • PaymentNET
  • PCard Program
  • P I Profile
  • Project Administration Guide
  • Sponsored Research Administration

• Departments

  • Accounts Payable
  • Communications
  • Computing Services
  • Facilities Planning & Management
  • Finance & Accounting
  • Human Resources
  • Payroll
  • Purchasing
  • Risk Management
  • Sponsored Research Administration
  • Sponsored Research Contracting and Compliance
  • Sponsored Research Development
  • Technology Transfer Office
  • SDSURF Directory

• E-Systems

  • Email - Web Access
  • Employee Gateway
  • FileX
  • FIPS
  • InfoEd
  • My Service Desk
  • Online Recruitment System (ORS)
  • PaymentNET
  • P I Profile
  • SMARTS
  • SPIN

• About Us

  • About Us
  • Board of Directors
  • Electronic News & Notices
  • Graphic Identity System
  • Organization Charts
  • Property Locations
  • Requests for Information
  • SDSURF Directory

SDSURF › Human Resources › Annual Policy Notification Summary › Data Classification and Handling Policies

Data Classification and Handling Policies

Information Classification Standard

SDSU Research Foundation has adopted the draft CSU Data Classification and SDSU Information Classification Standards as a minimum information classification standard. These standards outline three levels of classification and standards (Protected Level 1, 2 and 3) to which information must be secured. Along with these standards, the following guidelines and policies have been established by SDSU Research Foundation to assist in reducing exposure to information and data loss.

Information security is essential whether information is conveyed electronically, over the phone or in written documents, whether it is acquired, transmitted, processed, transferred and/or maintained by SDSURF.

All SDSU Research Foundation staff, PIs, project directors and entities working on behalf of SDSURF are subject to these guidelines and policies, and to SDSU Information Security policies and procedures, including periodic Security Awareness Orientation training.

Protected Level 1 Data / Confidential

Protected Level 1 information is information primarily protected by statutes, regulation, other legal obligation or mandate. The CSU and SDSU have identified standards regarding the disclosure of this type of information to parties outside the Research Foundation and controls needed to protect the unauthorized access, modification, transmission, storage or other use. Level 1 Confidential information is intended for use by SDSURF and access is limited to those with a “business need-to-know.” Included in this level are:

• Passwords or credentials
• PINs (Personal Identification Numbers)
• Credit/debit/payment card numbers with any of the following:
  • cardholder name
  • expiration date
  • card verification code
• Social Security number or Tax ID with name
• Birthdate with name and last four digits of social security number
• Driver’s license number, state identification card, and other forms of international identification (such as passports, visas, etc.) with name or social security number
• Name with bank account information or bank account information with password, security code or any other access code information
• Private key (digital certificate)
• Health insurance information
• Medical records related to an individual (including disability information)
• Psychological counseling records related to an individual
• Electronic or digitized signatures
• Employee name with personally identifiable employee information:
  • Mother’s maiden name
  • Race and ethnicity
  • Gender
  • Birthplace (city, state, country)
  • Employee net salary
  • Marital status
  • Physical description/personal characteristics
  • Employment history (including recruiting information)
  • Biometric information
  • Electronic or digitized signatures
  • Parents and other family member names

Protected Level 2 Data / Internal Use

Protected level 2 information must be guarded due to proprietary, ethical or privacy considerations. The final authorities for approving departmental procedures for the use, storage and dissemination of protected level 2 information are listed in Table 3-2. University standards will indicate the controls needed to protect the unauthorized access, modification, transmission, storage or other use of:

• Student name with personally identifiable educational records
  • Birth date (full: mm-dd-yyyy or partial: mm-dd only)
  • Courses taken
  • Schedule
  • Test scores
  • Financial aid received
  • Advising records
  • Educational services received
  • Disciplinary actions
  • Photograph
  • Most recent educational agency or institution attended
  • Participation in officially recognized activities and sports
  • Weight and height of members of athletic team
  • Grades
  • SDSU identification number (RedID)
  • Race & Ethnicity
  • Gender
  • Transcripts
  • E-mail addresses
• Employee name with personally identifiable employee information
  • Birth date (full: mm-dd-yyyy or mm-dd)
  • Emergency contact home address
  • Emergency contact personal telephone number
  • Emergency personal contact information (name, cell phone, pager)
  • Personal telephone numbers
  • Personal vehicle information
  • Personal email address
  • Parents and other family member names
  • Payment history
  • Employee evaluations
  • Background investigations
  • Photograph (voluntary for public display)
• Other
  • Legal investigations conducted by the Research Foundation
  • Sealed bids
  • Trade secrets or intellectual property such as research activities
  • Location of highly sensitive or critical assets (e.g. safes, check stocks, etc.)
  • Library circulation information
  • Vulnerability or incident information
  • Licensed software
  • Attorney/client communications
  • Third party proprietary information per contractual

Protected Level 3 Data / Generally Regarded as Publicly Available

Protected level 3 is information that is regarded as publicly available. This information is either explicitly defined as public information (such as state employee salary ranges), intended to be available to individuals both on-campus and off-campus (such as employee work email addresses), or not specifically classified elsewhere in the protected information classification standard. Publicly available information may still be subject to Research Foundation review or disclosure procedures to mitigate potential risks of inappropriate disclosure.

• Student information designated as Educational Directory Information (excluding grades):
  • Student name
  • Major field of study
  • Dates of attendance
  • Degrees, honors and awards received
• Employee Information (including student employment)
  • Employee title
  • Employee name (first, middle, last; except when associated with protected information)
  • Enrollment status
  • Department employed
  • Work location and telephone number
  • Work e-mail address
  • Employee classification
  • Status as student (such as TA, GA, ISA)
  • Employee gross salary
  • Signature (non-electronic)
  • SDSU identification number (RedID)

Where several categories apply, use the highest level of security, that is, use Level 1 versus Level 2 and so on. Questions about the proper classification of a specific piece of information should be addressed to your manager.

Non-Foundation (personal) information (both electronic and non-electronic), such as personal credit reports, personal bank statements, or even contact information from a synchronized cell phone or PDA should not be stored on SDSURF systems as SDSURF does not assume responsibility for securing this information and many systems may not be secured for this information by default. Personal information does not just pertain to first party personal information (yours), but also to any third party personal information (someone else’s).

The full information on the Information Classification Standard is available in the San Diego State University Information Security Plan, Section 3.0.

Information Labeling Guidelines

Marking is at the discretion of the owner or custodian of the information. If marking is desired, the words "Protected Level 1 (PL1)” , “Confidential”, “Protected Level 2 (PL)” or “Internal Use” may be written or designated in a conspicuous place on or in the information in question. Other labels identifying the data classification may be used at the discretion of individual business units or departments.

If no marking is present, SDSURF information is presumed to be "SDSURF Confidential" unless expressly determined to be SDSURF Public information by a SDSURF employee with authority to do so.

Information Handling Guidelines

The following guidelines are presented to assist PI’s, project directors, employees and vendors working with SDSURF secure information. The final authorities for approved procedures are documented in Table 3-2 Approvers for Protected Information Procedures in the San Diego State University Information Security Plan.

Procedures for Handling Protected Level Information

• Transmitted via FAX
• Transmitted Outside of SDSU Network (includes remote access)
• Transmitted in Internal SDSU Network
• Included in email content
• Permanently Stored on Desktop Computer (should be accessed via secure file server)
• Stored on Personally Owned Equipment or at Personal Home
• Stored on Mobile Devices
• Stored on Server
• Left Unattended in Work Area
• Paper Disposal
• Electronic Media Disposal
• Document, Container and Media Labeling
• Left on Voice Message
• Sent Through Campus Mail
• Sent Through Postal / Common Carrier Mail

Adopted November 2009

SDSU Research Foundation
5250 Campanile Drive
San Diego, California 92182

©2007