Description

Public data is the lowest data classification level, and includes data openly available to the public. This may include low-sensitivity data which is openly distributed and presents no risk to the university, such as official university communications and public announcements. Most data hosted on publicly-accessible websites falls into this classification level. Few restrictions are placed on this type of data.

Guidance

Corresponding Texas A&M System Classification: Public

Applicability

Examples of Public data include, but are not limited to:

  • PERSONAL DATA

    • Public directory information for employees or departments
    • Directory information for students who have not requested a FERPA block
    • Intercollegiate sports information (team rosters, schedules, etc.)

  • RESEARCH DATA

    • Research publications not under embargo

  • ADMINISTRATIVE DATA

    • Data intended for distribution on a publicly accessible website
    • Official university communications and public announcements

Implementation

  • 1 ACCESS

    • 1.1 Access to Public data shall be limited to those with a documented business need, as determined by the Data Steward or a Data Manager.

    • 1.2 In accordance with security control AC-22, individuals authorized to post information onto a publicly accessible information resource must be designated by the Data Steward or a Data Manager, and trained to ensure the posted data does not contain nonpublic data.

    • 1.3 In accordance with security control AC-22, data posted to a publicly accessible information resource must be reviewed periodically to ensure that nonpublic data is not included, and to remove any nonpublic data if found.

  • 2 STORAGE

    • 2.1 For all information resources that store or process Public information, the impact level of the resources should be carefully considered. In accordance with SAP 29.01.03.M0.13, moderate and high impact information resources must reside in a Texas A&M enterprise data center.

    • 2.2 There are no requirements for the encryption of Public data at rest.

  • 3 TRANSMISSION

    • 3.1 There are no requirements for the encryption of Public data in transit.

  • 4 MONITORING

    • 4.1 In accordance with security controls SI-4, AU-2, AU-3, AU-4, AU-5, and AU-6, information systems containing Public data should enable effective logging and monitoring of system and security events.

  • 5 INCIDENT REPORTING

    • 5.1 In accordance with security controls IR-6 and IR-8, any known or suspected instance of unauthorized access or use of Public data must be reported to the CISO.

  • 6 DISPOSAL

    • 6.1 In accordance with security control MP-6, information resources containing Public data must be sanitized prior to disposal or surplus.