Description

This classification level is used for data that is restricted because of legal, ethical, or contractual constraints, and should not be accessed without specific authorization. Improper release of data in this category would have a significant adverse impact on the university. Data in this category is often specifically protected by federal or state law, and may be subject to state or federal breach notification requirements. Data in this category is generally not subject to release under open records laws.

Guidance

Corresponding Texas A&M System Classification: Confidential

The university classification for Confidential data is aligned with Texas Administrative Code §202.74: “Information that must be protected from unauthorized disclosure or public release based on state or federal law or other legal agreement”.

Applicability

Examples of Confidential data include (but are not limited to):

  • PERSONAL DATA

    • Student information covered under the Family Educational Rights and Privacy Act (FERPA) in accordance with SAP 13.02.99.M0.01
    • Sensitive personal information as defined by Texas Government Code §521.002
    • Government-issued identification numbers (e.g. SSN, driver's license, passport numbers)

  • HEALTH DATA

    • Protected health information covered under the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
    • Personal health records not otherwise covered under HIPAA (e.g., HR records for individuals with disabilities)

  • FINANCIAL DATA

    • Individual financial information subject to Gramm-Leach-Bliley Act (GLBA)
    • Data that falls under the European Union General Data Protection Regulation (GDPR)
    • Financial records, including account numbers (e.g. bank account numbers, debit or credit card numbers) and tax records

  • RESEARCH DATA

    • Export controlled information covered under the International Traffic in Arms Regulation (ITAR) or Export Administration Regulations (EAR)
    • Human subject data and IRB-controlled research data
    • Most research data as defined by SAP 15.99.03.M1.03: “the recorded factual material commonly accepted in the scientific community as necessary to validate research findings.”

  • ADMINISTRATIVE DATA

    • Records pertaining to information security process and protocols
    • Authentication credentials or verifiers (e.g. passwords, passphrases, biometric information, private encryption keys, etc.)
    • Research Compliance & Administration records (contracts, grants, IRB documentation)
    • Recordings or data from surveillance cameras (AVST installations)

Implementation

  • 1 ACCESS

    • 1.1 Access to Confidential data shall be limited to those with a documented business need, as determined by the Data Steward or a Data Manager.

    • 1.2 In accordance with security control SA-4, access to Confidential data must be granted only by explicit authorization. Documentation of that authorization shall be maintained by the Data Steward or a Data Manager.

    • 1.3 In accordance with security control AC-3, access to Confidential data must be managed, monitored, and logged.

    • 1.4 In accordance with security controls AU-6 and AU-11, access logs should be available for auditing and review, and retained for a time sufficient to support investigations of information security events.

    • 1.5 In accordance with security control AC-19, any mobile computing device containing Confidential data must be protected from unauthorized access by passwords or other means.

    • 1.6 In accordance with security control IA-2, multifactor authentication is required to access Confidential data across the network.

    • 1.7 In accordance with security control MA-2, any Confidential data must be removed from associated media before equipment is removed from university facilities for off-site maintenance or repair.

  • 2 STORAGE

    • 2.1 All information resources that store or process confidential information are defined as moderate impact resources at minimum. In accordance with SAP 29.01.03.M0.05, those information resources must reside in a Texas A&M enterprise data center.

    • 2.2 In accordance with security controls RA-2, AC-19, and SC-13, Confidential data must be encrypted in storage.

    • 2.3 In accordance with security controls AC-19 and MP-7, any removable computer media containing Confidential data must be encrypted.

    • 2.4 In accordance with security control MP-6, computer media containing Confidential data must be protected prior to release to a third party.

    • 2.5 In accordance with security control AC-19, unattended devices containing Confidential data must be kept physically secured.

    • 2.6 In accordance with security control AC-19, any information resource containing Confidential data must be encrypted, updated, and protected with anti-virus software and a personal firewall, even if it is personally-owned equipment.

    • 2.7 In accordance with security control CM-3, information resources containing Confidential data must implement a documented change control process.

  • 3 TRANSMISSION

    • 3.1 In accordance with security controls SC-8 and SC-13, Confidential data must be encrypted in transit.

    • 3.2 In accordance with security control SC-8, Confidential data transmitted in an email message must be encrypted.

  • 4 MONITORING

    • 4.1 In accordance with security controls SI-4, AU-2, AU-3, AU-4, AU-5, and AU-6, information systems containing Confidential data must enable effective logging and monitoring of system and security events.

    • 4.2 In accordance with security control AU-9, security logs must be protected from tampering and unauthorized access.

    • 4.3 In accordance with security control AU-11, security logs must be retained for a time sufficient to support investigations of information security events.

    • 4.4 In accordance with security control RA-2, information resources containing Confidential data must use data loss prevention software that is provided and managed by Technology Services.

  • 5 INCIDENT REPORTING

    • 5.1 In accordance with security control IR-6, any known or suspected unauthorized disclosure of Confidential data must be reported to the CISO.

    • 5.2 In accordance with security control IR-8, any known or suspected instance of unauthorized access or use of Confidential data must be reported to the CISO.

  • 6 DISPOSAL

    • 6.1 In accordance with security controls MP-6 and MA-2, information resources containing Confidential data must be sanitized prior to disposal or surplus.