Data Classification Policy
Last Updated: December 2, 2020
Introduction
As indicated by the Confidentiality Agreement and PCMR Privacy Policy, any person who stores, transmits, or manages PCMR or customer data has a responsibility to maintain and safeguard such Data.
The first step in establishing the safeguards that are required for a particular type of PCMR Data is to determine the level sensitivity applicable to such Data. Data classification is a method of assigning such levels and thereby determining the extent to which the PCMR Data need to be controlled and secured.
Policy History
The effective date of this Policy is December 2, 2020.
Policy Text
Data security measures must be implemented commensurate with the sensitivity of PCMR Data and the risk to PCMR if such Data is compromised. It is the responsibility of the applicable Data Owner to evaluate and classify PCMR Data for which he/she is responsible according to the classification system adopted by PCMR and described below. If PCMR Data of more than one level of sensitivity exists in the same System or Endpoint, such Data shall be classified at the highest level of sensitivity.
Data Classification
PCMR has adopted the following four classifications of PCMR Data:
1. Sensitive Data: any information protected by federal, state, or local laws and regulations or industry standards, such as HIPPA, FERPA, PCI-DSS, and other similar laws and regulations.
For purposes of this Policy and other Information Security Policies, Sensitive Data include, but are not limited to, Personally Identifiable Information as defined below:
Personally Identifiable Information or PII: any information about an individual that (1) can be used to distinguish or trace an individual's identity, such as name, data and place of birth, mother's maiden name or biometric records, (2) is linked or linkable to an individual, such as medical, educational, financial, and employment information, which if lost, compromised or disclosed without authorization, could result in harm to that individual and (3) is protected by federal, state or local laws and regulations or industry standards.
2. Confidential Data: any information that is contractually protected as confidential by law or by contract and any other information that is considered by PCMR appropriate for confidential treatment.
For purposes of this Policy and the other Information Security Policies, Confidential Data include, but are not limited to:
-
Human resources information, such as salary and employee benefits information
-
Non-public personal and financial data about donors
-
Information received under grants and contracts subject to confidentiality requirements
-
Law enforcement or court records and confidential investigation records
-
Citizen or immigrations status
-
Unpublished research data
-
Unpublished financial information, strategic plans and real estate or facility development plans
-
Information on facilities security systems
-
Nonpublic intellectual property, including invention disclosures and patent applications
-
Applicant financial information
3. Internal Data: any information that is proprietary or produced only for use by members of PCMR or the customer who have legitimate purpose to access such data.
For purposes of this Policy and the other Information Security Policies, Internal Data include, but are not limited to:
-
Internal operating procedures and operational manuals
-
Internal memoranda, emails, reports, and other documents
-
Technical documents such as system configurations and floor plans
4. Public Data: any information that may or must be made available to the general public, with no legal restrictions on its access or use.
For purposes of this Policy and other Information Security Policies, Public Data include, but are not limited to:
-
General access data on www.pcmrcomputers.com or client's website
-
Documents and reports filed with federal or state governments and generally available to the public
-
Copyrighted materials that are publicly available