BDS Solutions: Data Classification Policy

Data Classification

Data is information generated by or for, owned by, or otherwise in the possession of Microsoft’s or BDS Connected Solutions, LLC that is related to BDS Solutions' activities. BDS Connected Solutions, LLC Data may exist in any format (i.e. electronic, paper) and includes, but is not limited to, social media, all academic, administrative, and research data, as well as the computing infrastructure and program code that supports the business of Microsoft or BDS Solutions.

In order to effectively secure BDS Solutions Data, we must have a vocabulary that we can use to describe the data and quantify the amount of protection required. This policy defines four categories into which all BDSD Solutions Data can be divided:

Public
Business
Confidential
Restricted Use

BDS Solutions Data that is classified as Public may be disclosed to any person regardless of their affiliation with BDS Solutions. All other BDS Solutions Data is considered Sensitive Information and must be protected appropriately. This document provides definitions for and examples of each of the four categories. Other policies within the Data Protection Standards specify the security controls that are required for each category of data.

The various units and departments at BDS Solutions have a multitude of types of documents and data. To the extent particular documents or data types are not explicitly addressed within this policy, each business unit or department should classify its data by considering the potential for harm to individuals or BDS Solutions in the event of unintended disclosure, modification, or loss. The Departmental Security Administrator may assist with the classification process and coordinate with the Information Security Team to achieve consistency across BDS Solutions. When classifying data, each department should weigh the risk created by an unintended disclosure, modification, or loss against the need to encourage open discussion, improve efficiency and further the BDS Solutions' goals of the creation and dissemination of knowledge. Departments should be particularly mindful to protect sensitive personal information, such as Social Security Numbers, drivers’ license numbers and financial account numbers, disclosure of which may create the risk of identity theft.

Some information could be classified differently at different times. For example, information that was once considered to be confidential data may become Public data once it has been appropriately disclosed. Everyone with access to BDS Solutions Data should exercise good judgment in handling sensitive information and seek guidance from management as needed.

Scope

This classification scheme is to be applied to all BDS Solutions Data, both physical and electronic, throughout BDS Solutions. No data item is too small to be classified.

Classification Levels

Public

Public data is information that may be disclosed to any person regardless of their affiliation with the BDS Solutions. The Public classification applies to data that is either personal, not related to any business work, or made available to the general public. While it may be necessary to protect original (source) documents from unauthorized modification, Public data may be shared with a broad audience both within and outside the BDS Solutions community and no steps need be taken to prevent its distribution.

Examples of Public data include: press releases, directory information (not subject to a FERPA block), course catalogs, application and request forms, and other general information that is openly shared. The type of information a department would choose to post on its website is a good example of Public data.

Business

Business data is information that is potentially sensitive and is not intended to be shared with the public. Business data generally should not be disclosed outside of BDS Solutions without the permission of the person or group that created the data. The Business classification is for information that does NOT contain regulated information (e.g., social security number, bank account numbers, credit cards, etc.) and can be used by all users and shared externally with approved business partners. It is the responsibility of the data owner to designate information as Business where appropriate. If you have questions about whether information is Internal or how to treat internal data, you should talk to your manager or IT Department.

Examples of Internal data include: Some memos, correspondence, and meeting minutes; contact lists that contain information that is not publicly available; and procedural documentation that should remain private.

Confidential

Confidential data is information that, if made available to unauthorized parties, may adversely affect individuals or the business of Microsoft or BDS Solutions. This classification also includes data that BDS Solutions is required to keep confidential, either by law or under a confidentiality agreement with a third party, such as a vendor or client. This information should be protected against unauthorized disclosure or modification. Confidential data should be used only when necessary for business purposes and should be protected both when it is in use and when it is being stored or transported.

Any unauthorized disclosure or loss of Confidential data must be reported to the appropriate operations manager or department head. The operations manager or department head should determine whether to report the unauthorized disclosure or loss of Confidential data to the Incident Response Team at .

Examples of Confidential data include:

Personally-identifiable information entrusted to BDS Solutions care that is not Restricted Use data, such as information regarding clients, vendors, etc.
Individual employment information, including salary, benefits and performance appraisals for current, former, and prospective employees.
Microsoft or BDS Solutions ID Numbers (Including but not limited to EmployeeID, AssociateID, PersonID, etc.), when stored with other identifiable information such as name or e-mail address.
Information covered by regulatory laws such as CCPA, HIPAA, GDPR (where applicable), which requires protection of certain financial, health, and/or personal records.
Legally privileged information or information that is the subject of a confidentiality agreement.

Restricted Use

Restricted Use data includes any information that BDS Solutions has a contractual, legal, or regulatory obligation to safeguard in the most stringent manner. In some cases, unauthorized disclosure or loss of this data would require BDS Solutions to notify the affected individual, client, vendor and state or federal authorities. In some cases, modification of the data would require informing the affected individual.

BDS Solutions' obligations will depend on the particular data and the relevant contract or laws. The Minimum Security Standards sets a baseline for all Restricted Use data. Systems and processes protecting the following types of data need to meet that baseline:

Personally identifiable health information that is not subject to HIPAA but used in research, such as Human Subjects Data, where so designated by the Institutional Review Board (IRB).
Personally Identifiable Information (PII) covered under data privacy laws and regulations, including an individual’s name plus the individual’s Social Security Number, driver’s license number, or a financial account number.
Unencrypted data used to authenticate or authorize individuals to use electronic resources, such as passwords, keys, and other electronic tokens.
“Criminal Background Data” that might be collected as part of an application form or a background check.

More stringent requirements exist for some types of Restricted Use data. Individuals working with the following types of data must follow BDS Solutions policies governing those types of data and consult with Information Security to ensure they meet all of the requirements of their data type:

Protected Health Information (PHI) subject to the Health Insurance Portability and Accountability Act (HIPAA), which sets standards for protection of medical records and patient data. See the HIPAA Policy for details.
Financial account numbers covered by the Payment Card Industry Data Security Standard (PCI-DSS), which controls how credit card information is accepted, used, and stored.
Controlled Unclassified Information required to be compliant with NIST 800.171
Data controlled by U.S. Export Control Law such as the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR). ITAR and EAR have additional requirements. See the Export Controls site for details.
S. Government Classified Data

Restricted Use data should be used only when no alternative exists and must be carefully protected. Any unauthorized disclosure, unauthorized modification, or loss of Restricted Use data must be reported to the Microsoft or BDS Solutions Incident Response Team at <incident@bdssolutions.com>.