Marist College Standard for Information Classification
This Policy applies to all College information resources, including those used by the College under license or contract. "Information resources" include information in any form and recorded on any media, and all computer and communications equipment and software.
All information covered by this Policy is assigned one of three classifications depending on the level of security required. In decreasing order of sensitivity, these classifications are Confidential, Internal-use-only, and Unrestricted. Information that is either Confidential or Internal-use-only is also considered to be Restricted.
- Confidential information. This classification covers sensitive information
about individuals, including information identified in the Human Resources
Manual, and sensitive information about the College. Information receiving
this classification requires a high level of protection against
unauthorized disclosure, modification, destruction, and use. Specific
categories of confidential information include information about:
- Current and former students
(whose education records are protected under the Family Educational
Rights and Privacy Act (FERPA) of 1974), including student academic,
disciplinary, and financial records; and prospective students, including
information submitted by student applicants to the College.
- Library patrons, and donors
and potential donors.
- Current, former, and
prospective employees, including employment, pay, benefits data, and
other personnel information.
- Research, including
information related to a forthcoming or pending patent application, and
information related to human subjects. Patent applications must be filed
within one year of a public disclosure (i.e., an enabling publication or
presentation, sale, or dissemination of product reduced to practice,
etc.) to preserve United States patent rights. To preserve foreign patent
rights, patent applications must be filed prior to public disclosure.
Therefore, it is strongly recommended that prior to any public
disclosure, an Invention Disclosure Form be submitted to the Office of
Technology Transfer for evaluation of the technology and determination of
whether to file a patent application, thereby preserving U.S. and foreign
patent rights.
- Certain College business
operations, finances, legal matters, or other operations of a
particularly sensitive nature.
- Information security data,
including passwords.
- Information about
security-related incidents.
- Internal-use-only. This
classification covers information that requires protection against
unauthorized disclosure, modification, destruction, and use, but the
sensitivity of the information is less than that for Confidential
information. Examples of Internal-use-only information are internal memos,
correspondence, and other documents whose distribution is limited as
intended by the steward.
- Unrestricted information. This classification covers information that can be
disclosed to any person inside or outside the College. Although security mechanisms
are not needed to control disclosure and dissemination, they are still
required to protect against unauthorized modification and destruction of
information.
- Default classification. Information
that is not classified explicitly is classified by default as follows:
Information falling into one of the Confidentiality categories listed
above is treated as Confidential. Other information is treated as
Internal-use-only unless it is published (publicly displayed in any
medium) by the Steward, in which case it is classified Unrestricted.