Data Classification

Long Beach City College has adopted the following Data Classification Standard as defined by the California Community Colleges Security Center.

Introduction

Community colleges collect, compile, store, and manipulate data from a variety of sources. In order to apply the appropriate security protocols for safeguarding the data, the college must first classify the data into one of three levels: (1) confidential, (2) internal use, and (3) general. This document describes the three levels of data classification that California community college districts must adopt regarding the level of security placed on the particular types of information assets.

The three levels described below are meant to be illustrative, and the list of examples of the types of data contained below is not exhaustive. When it is unclear how a data set should be classified, the question should be referred to the district’s or college’s official data trustee for final determination.

Please note that this classification standard is not intended to be used to determine the eligibility of requests for information under the California Public Records Act or HEERA. These requests should be analyzed by the appropriate district legal counsel or administrator.

Classification Description: Level 1 – Confidential

Protected Data

Access, storage, and transmissions of Confidential information are subject to restrictions as described in the Asset Management Standard.

Information will be classified as confidential if it meets at least one of the criteria below:

  1. Exposure Poses a Severe Risk
    Confidential data includes information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in severe damage to the college, its students, employees, or business partners. Financial loss, damage to the college’s reputation, and legal action could occur if such information is not properly safeguarded.
  2. Legal Obligation
    Information for which disclosure to persons outside of the institution is strictly governed by State or Federal statutes with the intention to protect the privacy of an individual’s information. California civil codes 1798.29, 1798.82, and 1798.84 requires the district to notify affected parties in the event of a data breach of certain private information.
  3. Other Sensitive Information
    Information deemed by the district or college as highly sensitive, typically reserved solely for use within the college and limited to those employees with a specific need to know.

Examples of Confidential information include but are not limited to:

  • Passwords or credentials that grant access to Confidential and Internal Use data
  • PINs (Personal Identification Numbers)
  • Birth date combined with last four digits of SSN and name
  • Credit card numbers with cardholder name
  • Tax ID with name
  • Driver’s license number, state identification card, or other forms of national or international identification (such as passports, visas, etc.) in combination with name
  • Social Security number and name
  • Health insurance information
  • Medical records related to an individual
  • Psychological counseling records related to an individual
  • Bank account or debit card information in combination with any required security code, access code, or password that would permit access to an individual’s financial account
  • Biometric information
  • Electronic or digitized signatures
  • Private key (digital certificate)
  • Personnel records
  • Criminal background check results

Classification Description: Level 2 – Internal Use

Protected Data

Access, storage, and transmissions of Internal Use information is subject to restrictions as described in the Asset Management Standard. Information may be classified as Internal Use if it meets at least one of the criteria below:

  1. Sensitive Nature of Data
    Information that must be protected due to proprietary, ethical, contractual or privacy considerations.
  2. Exposure Poses a Moderate Risk
    Information that may not be specifically protected by statute, regulations, or other legal obligations or mandates but for which unauthorized use, access, disclosure, acquisition, modification, loss, or deletion of could cause financial loss, damage to the college’s reputation, violate an individual’s privacy rights, or subject the institution to legal action.

Examples of Confidential information include but are not limited to:

Identity Validation Keys (name with)

  • Birth date (full: mm-dd-yy)
  • Birth date (partial: mm-dd only)

Employee Information

  • Employee net salary
  • Home address
  • Personal telephone numbers
  • Personal email address
  • Payment history
  • Employee evaluations
  • Pre-employment background investigations
  • Mother’s maiden name
  • Race and ethnicity
  • Sexual orientation
  • Parents’ and other family members’ names
  • Birthplace (City, State, Country)
  • Gender
  • Marital status
  • Physical description
  • Other

Student Information — Educational Records not defined as “directory” information as defined in FERPA and AP 5040, typically:

  • Grades
  • Courses taken
  • Schedule
  • Test Scores
  • Advising records
  • Educational services received
  • Disciplinary actions
  • Student photo

Various Identifiers — Educational Records not defined as “directory” information as defined in FERPA and AP 5040, typically:

  • Photo (taken for identification purposes)
  • Library circulation information
  • Trade secrets or intellectual property such as research activities
  • Location of critical or protected assets
  • Licensed software
  • Vulnerability/security information related to a COLLEGE/DISTRICT or system
  • District or college attorney-client communications

Classification Description: Level 3 – General

Information that may be designated by Long Beach Community College District or by State or Federal statute as generally available and/or intended to be provided to the general public.

Disclosure of this information does not expose the college to financial loss or jeopardize the security of the college’s information assets.

Information at this level requires no specific protective measures but may be subject to appropriate review or disclosure procedures at the discretion of the Long Beach Community College District in order to mitigate potential risks.

Post

Protect your password

Administration Regulation 6006 specifically prohibits the sharing of login credentials. Never provide your password to anyone: not your coworker, not your boss, not ITS.

Post

Don’t be a victim of phishing!

Forward all suspicious emails to Report a Phish. No one, not even ITS, should ask for your password or send emails or texts soliciting you to log in with your account. If someone does, they are phishing. If you do give your password to someone, immediately change it in the Viking Portal.