Classifying Memorial's Data
Data stored in electronic or digital systems must be carefully managed and secured to prevent loss or unauthorized release of such data. Information Technology Services (ITS) has specific responsibility for the security of much of Memorial’s confidential and private data and, in order to meet this responsibility, ITS develops defenses with:
- Technology to minimize the possibility of loss
- Training to allow all users to recognize and respond to risks as they arise
- Classification of data so that proper safeguards are applied
ITS' Data Classification Policy is a unit-specific policy applicable to administrative data for which ITS is entrusted with custody. It provides a framework for classifying administrative data according to their level of sensitivity and defining the roles, responsibilities and in some cases the technologies for safeguarding the privacy, security, availability, and integrity of the data.
The Classification Levels
In each case where data is entrusted to ITS, the unit-specific policy requires that the data steward (i.e., the business unit responsible for the definition and collection of the data) work with ITS as custodian to classify the data as:
- Highly Sensitive
For guidelines on classifying data and examples, click here.
ITS will then build the appropriate protections and safeguards necessary for the data. The unit-specific policy also defines the various roles associated with Data Classification, which are:
- Data Owner
- Data Steward
- Data Custodian
As part of ITS' systems and operations processes (SDLC & OPM), a Chart of Authorities (COA) is developed to ensure that all roles and responsibilities are assigned and clear. For a more detailed definition of the various roles, please click here.
The full, unit-specific policy can be found here (.pdf).