Policy 7 - Information Sensitivity Policy

1.0 Purpose

The Information Sensitivity Policy is intended to help employees determine the appropriate technical security measures available for electronic information deemed sensitive. The information covered by this policy includes electronic information stored on computers, e-mails, information displayed on computer screens, and information shared orally or visually (such as by cellular telephone and video conferencing). While this policy gives a general overview of the handling of sensitive information, users must be aware of additional Information Technology Policies that may enforce more specific requirements. Questions about the proper classification of a specific piece of information should be addressed to your manager. Any questions or comments about this policy should be directed to Information Systems.

2.0 Scope

Offices across campus deal with a wide range of electronic information covering a wide range of topics. It is the responsibility of each employee and department which handles electronic information to be familiar with the types of information being handled, any legal requirements which surround the information, the level of sensitivity which should be attached to the information, and the available technologies for protecting that information.

3.0 Policy

The Sensitivity Guidelines below provide details on how to protect information at each sensitivity level. The sensitivity level of a piece of electronic information may be assigned by any area that handles that information.

3.1 Minimal Sensitivity

Electronic distribution: Approved electronic mail and electronic file transmission methods to only approved recipients.

Encryption: Not required

Storage: Keep from view of unauthorized individuals; machines should be administered with security in mind. Electronic information should have individual access controls where possible and appropriate.

Disposal/Destruction: If destruction is allowed by the Record Retention Policy, electronic data should be disposed of according to the Data Sanitation Policy.

3.2 More Sensitive

Electronic distribution: Approved electronic mail and electronic file transmission methods to only approved recipients. Should be encrypted, consistent with the Acceptable Encryption Policy, or sent via a private link to approved recipients.

Encryption: Recommended, consistent with the Acceptable Encryption Policy.

Storage: Individual access controls are highly recommended for electronic information.

Disposal/Destruction: If destruction is allowed by the Record Retention Policy, electronic data should be disposed of according to the Data Sanitation Policy.

3.3 Most Sensitive

Electronic distribution: Approved electronic file transmission methods. Must be strongly encrypted, consistent with the Acceptable Encryption Policy.

Encryption: Required, consistent with the Acceptable Encryption Policy.

Storage: Individual access controls are required for electronic information. Physical security is generally used, and information should be stored on a physically secured computer.

Disposal/Destruction: If destruction is allowed by the Record Retention Policy, electronic data should be disposed of according to the Data Sanitation Policy.

4.0 Enforcement

Anyone found to have violated this policy may be subject to disciplinary action, up to and including suspension of access to technology resources or termination of employment. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with Murray State University.

5.0 Definitions

Approved Electronic File Transmission Methods

Includes supported SFTP clients, SSH sessions, VPN tunnels, and HTTPS.

Approved Electronic Mail

Includes all mail systems supported by the MSU Information Systems Department. If you have a business need to use other mailers, contact the MSU Information Systems Department.

Individual Access Controls

Individual Access Controls are methods of electronically protecting files from being accessed by individuals other than those specifically authorized. On most operating systems this is referred to as file permissions.

Encryption

Encryption is a procedure used to convert data from its original form to a format that is unreadable and/or unusable to anyone without the tools/information needed to reverse the encryption process.