Information Sensitivity Policy
The Information Sensitivity Policy is intended to help employees determine what information is allowed to be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of George Fox University without proper authorization.
The information covered in these guidelines includes, but is not limited to, information that is either stored or shared via any means. This includes: electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing).
It should be noted that the sensitivity level definitions were created as guidelines and to emphasize common sense steps to protect George Fox University confidential information (e.g., George Fox University confidential information should not be left unattended in conference rooms).
All George Fox University information is categorized into two main classifications:
- Public or directory information
- Protected or regulated confidential information
George Fox University public information has been declared as information accessible to the public by someone with the authority to do so and may be freely distributed without any possible liability to George Fox University or its community.
George Fox University confidential information comprises all other information. It is a continuum, in that it is understood that some information is more sensitive than other information and should be protected in a more secure manner. Included is information that should be protected very closely, such as non-directory information protected by federal and state regulations (such as, but not limited to, FERPA, DMA, HIPAA, GLBA, TEACH Act). If an employee is uncertain of the sensitivity of a particular piece of information or whether it is appropriate to provide it to an individual or organization, he or she should consult his or her supervisor.
This policy applies to all university-provided devices. Institutional data should not be stored on a personal computer off campus (e.g. home, office). Institutional electronic assets should be accessed via VPN or FoxFiles.
The sensitivity guidelines below provide details on how to protect information at varying sensitivity levels. Use these guidelines as a reference only.
Minimal Sensitivity (Public): General institutional and directory information
- Access: George Fox University employees, students, third-party contractors with a business need to know.
- Distribution within George Fox University: Standard interoffice mail, approved electronic mail and electronic file transmission methods.
- Distribution outside of George Fox University internal mail: U.S. mail and other public or private carriers, approved electronic mail and electronic file transmission methods.
- Electronic distribution: No restrictions except that it be sent to only approved recipients.
- Storage: Keep out of view of unauthorized people: erase whiteboards, and do not leave items in view on tabletops, counters or windows. Machines should be administered with security in mind. Protect from loss; electronic information should have individual access controls where possible and appropriate.
- Disposal/Destruction: Deposit outdated paper information in specially marked shred bins on George Fox University premises. Electronic data should be expunged/cleared. Reliably erase or physically destroy media. Contact IT for assistance with your university-issued devices.
- Penalty for deliberate or inadvertent disclosure: Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.
- Printing: If using a network printer, retrieve the data, and do not print to public printers unless the authorized person is waiting at the printer to receive it.
Maximum Sensitivity (Confidential): Non-directory information, including student ID
- Access: George Fox University employees and non-employees with signed FERPA policy compliance agreement and with a legitimate educational interest.
- Distribution within George Fox University: Standard interoffice mail, approved electronic mail and secure electronic file transmission methods.
- Distribution outside of George Fox University internal mail: Sent via U.S. mail or approved private carriers.
- Electronic distribution: Should be encrypted or sent via a private link to approved recipients outside of George Fox University premises using FoxFiles. Email is not considered secure.
- Storage: Individual access controls are highly recommended for electronic information.
- Disposal/Destruction: In specially marked shred bins on George Fox University premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.
- Printing: If using a network printer, retrieve the data immediately or have the authorized person available to receive and confirm printing. Do not print documents to public network printers or unattended printers once completed.
Terms and Definitions
- Approved Electronic File Transmission Methods
- Includes supported internal FTP clients, external SFTP clients, and Web browsers.
- Approved E-Mail
- Includes all mail systems supported by the IT Department. E-mail is not encrypted and should not be considered secure.
- Approved Encrypted e-mail and files or attachments
- Includes the use of 'FoxFiles' as the primary method for sharing files or the use of PGP.
- To reliably erase or expunge data on a PC or Mac, you must use a separate program to overwrite the data. Contact the IT Service Desk for assistance with your university-issued devices.
- Individual Access Controls
- Individual access controls are methods of electronically protecting files from being accessed by people other than those specifically designated by the owner.
- Secure George Fox University sensitive information in accordance with the Acceptable Encryption Policy. International issues regarding encryption are complex. Follow corporate guidelines on export controls on cryptography, and consult your manager and/or corporate legal services for further guidance.
- One Time Password Authentication
- Physical Security
- Physical security means either having actual possession of a computer at all times, or locking the computer in an unusable state. If it is a laptop or other portable computer, never leave it unattended in a car, conference room, hotel room or on an airplane seat, etc. Make arrangements to lock the device in a hotel safe, or take it with you. In the office, always use a lockdown cable. When leaving the office for the day, secure the laptop and any other sensitive material in a locked drawer or cabinet.
- Mobile devices and portable mass storage devices (thumb drives, MP3, etc.)
- These devices are considered non-secure, and institutional data should not be stored on them. Because these small devices are easily lost or stolen, they should only be used for temporary data transfer, and files should be removed from the device immediately after use. See the IT Mobile Devices and Portable Mass Storage Policy.
Revised 08/16/2010.