Information and Technology

Data Classification Guidelines

Bowdoin is committed to protecting its information resources from accidental or intentional intrusion or damage and is equally committed to preserving and nurturing the open, information-sharing requirements of its academic culture.

Supporting an open, information-sharing environment is driven by the academic mission which requires the ability to share information and ideas and to collaborate on the creation of knowledge.  Protecting information assets is driven by a variety of considerations including legal, academic, financial and other business requirements.

For further information see Bowdoin College's Data Classification Policy.

Legal

There are laws, both federal (HIPPA, FERPA, etc) and state (privacy), that affect the level of protection Bowdoin is required to provide.  Bowdoin also has contractual relationships around the protection of data which is licensed from other sources.

Academic

Bowdoin produces and owns intellectual capital which needs to be protected against premature disclosure or unauthorized tampering.

Other Business Requirements

As part of its fundamental mission, Bowdoin wants to make sure that information systems are widely available, however it also wants to keep private things private.  More importantly, in addition to direct costs and related damage control, Bowdoin's reputation is something that, if damaged, can have both direct and indirect negative effects.

Classification of Assets

Information resources are considered to be assets of the college.  They are classified according to the risks associated with the data being stored or processed.  Data with the highest risk needs the greatest amount of protection to prevent compromise.  Data at lower risk can be give proportionately less protection. 

Three levels of data classification have been defined; restricted is the highest level (requiring the most protection), public is the lowest level defined (requiring the least protection).  The  Data Classification Table can help determine the appropriate category of any particular data collection.

Data is often kept in collection called databases.  In the design of most systems, more sensitive data elements of a collection are not usually segregated from less sensitive elements.  Therefore, in determining the classification category, it is the most sensitive data element in the collection that determines the classification category for the entire collection.

The Restricted Data Matrix specifies data elements belonging to the restricted data class.  Additionally, it indicates which privacy law applies to the data.