    Data Governance & Classification Policy

    Purpose

    The purpose of this policy is to identify the different types of data and to establish a framework for classifying institutional data based on its level of sensitivity, value and criticality to the College. 

    Scope

    This policy applies to all faculty, staff and third-party agents of the College as well as any other affiliate who is authorized to access Institutional Data. 

    Data Governance

    Data governance focuses on improving data quality, protecting access to data, establishing business definitions, maintaining metadata and documenting data policies. The College's institutional information is a valuable asset and must be maintained and protected as such. It is vital to have accurate, trusted data in order to make sound decisions at all levels of an organization. Data governance helps to provide data transparency and results in confidence among College faculty, staff and management to trust and rely on data for information and decision support. 

    Governing Institutional Data

    The following principles are set forth as minimum standards to govern the appropriate use and management of institutional data:

    • Institutional data is the property of Monroe College and shall be managed as a key asset
    • Unnecessary duplication of institutional data is discouraged
    • Institutional data shall be protected
    • Institutional data shall be accessible according to defined needs and roles
    • Institutional representatives will be held accountable to their roles and responsibilities
    • Necessary maintenance of institutional data shall be defined
    • Resolution of issues related to institutional data shall follow consistent processes
    • Data stewards are responsible for the subset of data in their charge

    Roles Required to Govern Data

    No one person, department, school or group "owns" data, even though specific units bear some responsibility for certain data. Several roles and responsibilities govern the management of, access to and accountability for institutional data.

    • Technology committee: This committee, co-chaired by the Chief Financial Officer and the Chief Information Officer, is composed of a cross-section of College personnel responsible for functional areas or major datasets. While the scope of the committee encompasses all technology components of the College, overall data governance falls under its charter.
    • Data stewards: Data stewards are College business officials (excluding the IT department) who have direct operational-level responsibility for the management of one or more types of institutional data and have the authority to make decisions.
    • Data trustees: Data trustees are defined as institutional officers (e.g., vice presidents and deans) who have authority over policies and procedures regarding business definitions of data and the access and usage of that data within their delegations of authority. Each data trustee appoints data stewards for specific subject area domains.
    • Data custodians: Data custodians are system administrators responsible for the operation and management of systems and servers that collect, manage and provide access to institutional data.
    • Data users: Data users are departments or individual College members who have been granted access to institutional data in order to perform assigned duties or in fulfillment of assigned roles or functions within the College; this access is granted solely for the conduct of College business.

    Supporting policies related to Data Governance and the roles outlined above include Data Classification Policy and Data Classification Guidelines.

    Data Classification

    Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the College should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of three sensitivity levels, or classifications:

    A. Restricted Data

    Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the College or its affiliates. The highest level of security controls should be applied to Restricted data. Restricted data is any data that contains personally identifiable information (PII) concerning any individual, as well as any data that contains PII that is regulated by local, state, or Federal privacy regulations. These regulations may include, but are not limited to:

    • Family Educational Rights and Privacy Act (FERPA)
    • Gramm-Leach-Bliley Act (GLBA)
    • Health Insurance Portability and Accountability Act (HIPAA)
    • Payment Card Industry Data Security Standards (PCI DSS)

    Examples of some of the types of data that are regulated are listed in Appendix A - Restricted Data.

    B. Private Data

    Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the College or its affiliates. By default, all Institutional Data that is not explicitly classified as Restricted or Public data should be treated as Private data. A reasonable level of security controls should be applied to Private data. Examples of some of the types of data included are: budgets, contract negotiations, and compensation.

    C. Public Data

    Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the College and its affiliates. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data. Examples of Public data include press releases, course information and any other data Monroe College makes available to the general public.

    Default classification of data

    Any data that contains PII concerning any individual or that is covered by local, state, or Federal regulations is classified as restricted data by default. All other data is classified as Private data by default.

    Appendix A - Restricted Data

    Listed below are examples of types of personally identifiable information protected by local, state, or Federal privacy regulations. These examples do not constitute an exhaustive list of all types of information that are protected by local, state, or Federal privacy regulations. 

    Examples:

    • Name
    • Address
    • Telephone number
    • College e-mail address
    • Social security number
    • Credit card and debit card numbers
    • Bank account numbers and routing information
    • Driver’s license numbers and state identification card numbers
    • Student education records
    • Student account files
    • Academic advising records
    • Admission files
    • Transcripts (College, High School)
    • Financial Aid applications, student federal work study information, loan information
    • Intercollegiate Athletics reports
    • Residential Life information
    • Personal health information

    Privacy Regulations Referenced

    FERPA

    FERPA is a Federal law that protects the privacy of student education records. This law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA provides students with the right to inspect and review certain education records maintained by the school and to request corrections if the records are inaccurate or misleading. It requires that schools obtain written permission before releasing information from a student’s education record. It also allows schools to publish certain “directory” information about students, unless the student has requested that the school not do so. The penalty for failing to comply with FERPA is loss of all federal funding, including grants and financial aid.

    Additional information is available at http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

    GLBA

    GLBA protects consumers’ personal financial information held by financial institutions. It requires that financial institutions provide customers with a privacy notice explaining what information is collected, how it is used, and how it is protected. The penalty for failing to comply with GLBA is a fine of up to $100,000 for the institution and of up to $10,000 for the officers and directors of the institution.

    Additional information can be found at http://www.ftc.gov/privacy/privacyinitiatives/glbact.html

    HIPAA

    HIPAA protects the privacy of Protected Health Information (PHI). It establishes regulations for the use and disclosure of PHI, including a patient’s health status, provision of health care, medical records or payment history. Penalties for wrongfully disclosing PHI range from a $50,000 to $250,000 fine and a one-year to ten-year prison term, depending on the circumstances. These fines are for the individual, not the institution.

    Additional information can be found at http://www.hhs.gov/ocr/hipaa/

    Payment Card Industry Data Security Standards (PCI DSS)

    PCI DSS is an industry standard that protects credit card customer account data. The PCI DSS standard requires organizations that accept credit cards for payment to utilize a secure network and to adhere to specific procedures and standards to protect credit card data. Failing to comply with PCI DSS can result in significant fines. Credit card providers can fine merchants up to $500,000 per compromise if it is established that the merchant was not compliant at the time at which data was compromised. Merchants may also be banned from accepting certain types of credit cards.

    Additional information is available at https://www.pcisecuritystandards.org/tech/index.htm