Data Classification

Data Classifications

The level of protection required for Data processed, transmitted or stored on Lamont Systems depends upon the sensitivity of the Data in question.  The CU Data Classification Policy defines four classes as follows, from most to least sensitive.  The lists below are the most common examples, for the definitive up to date list, see the Policy at https://universitypolicies.columbia.edu/content/data-classification-policy.

You can review the data classification levels below, and download the LDEO Information Asset Inventory template, and fill out a separate copy for each project or combine it all each group or lab. We recommend to keep a copy of these inventories for yourselves, and/or file a copy with LDEO IT for safe keeping.

Sensitive Data

Sensitive Data is any information protected by federal, state, or local laws and regulations or industry standards.  Sensitive Data include, but are not limited to, Personally Identifiable Information (PII), Protected Health Information (PHI) and Research Health Information (RHI).  Some examples of PII are:

  • Social security number
  • Driver’s licence number, passport number, etc.
  • Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account

PHI include, but is not limited to, any health information, including demographic information about an individual, that includes identifiers such as the following:

  • Name
  • Geographic subdivision smaller than a state
  • Telephone number
  • Email address
  • Biometric identifier, including fingerprint and voice print
  • Any unique identifying number, characteristic, code or combination that allows identification of an individual

Confidential Data

Confidential Data is any information that is protected as confidential by law or by contract, also including any other information deemed confidential by Columbia University.  Confidential Data include, but are not limited to:

  • Unpublished research data
  • Unpublished University financial information, strategic plans and real estate or facility development plans
  • Human Resources information such as salary and employee benefits
  • Information on facilities security systems

Internal Data

Internal Data is any information that is proprietary or produced only for the use of members of the University who have a legitimate purpose to access it.  Internal Data include, but are not limited to:

  • Internal operating procedures and manuals
  • Internal memorandua, emails, etc.

Public Data

Public Data is any information that may or must be made available to the general public, with no legal restrictions on its access or use.  Public Data include, but are not limited to:

  • General access data on www.ldeo.columbia.edu
  • Copyrighted materials that are publicly available

Best Practices

Since systems must be classified based on the most sensitive data stored / accessed / processed by the device, segregating more sensitive data onto separate systems, where possible, is recommended.

For example, segregating data from unpublished research, which must be classified as Confidential Data, onto separate servers by project would allow for the entire server to be reclassified "Public" after publication of the project data.

References

See the CU Data Classification Policy for further details here: https://universitypolicies.columbia.edu/content/data-classification-policy