Information Classification Standard

The purpose of this document is to define the baseline standard for data classification at CSU Monterey Bay.

Comments or feedback on this standard should be directed to The Office of the Chief Information Officer at (831) 582-4700.

Scope

This documents applies to all information/data owned or maintained by CSUMB, its auxiliaries, or employees.

Classification Description: Level 1 - Confidential 

Information classified as confidential includes but is not limited to:

Personal Information

  • Social Security number and name
  • Birth date combined with last four digits of SSN and name
  • Passwords or credentials
  • Notice-triggering Personal Information
  • Biometric Information
  • Electronic or digitized signatures
  • Psychological counsel records
  • Forms of national or international identification (such as passports, visas, etc.), in combination with name
  • Private key (digital certificate)
  • Driver’s license number, state identification card, and other forms of national or international identification (such as passports, visas, etc.) in combination with name

Cardholder Data

Financial Information

  • Bank account or debt card information in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

Protected Health Information

Medical Information

  • Psychological Counseling records related to an individual
  • Medical records related to an individual

Health Insurance Information

Technical Security Information

  • Vulnerability/security information related to campus systems or services

Law Enforcement Information

  • Law enforcement records related to an individual

Library Patron Information

  • Library database for faculty, staff, students and community borrowers which may contain:
  • Home address
  • Home phone
  • Social Security numbers

Legal Information

  • Legal investigations conducted by the University
  • Attorney/Client communications

Contract Information

  • Sealed bids
  • Third party proprietary information per contractual agreement

Classification description: Level 2 - Internal use

Internal Use information includes but not limited to:

Identity Validation Keys

  • Birth date (full: mm-dd-yy)
  • Birth date (partial: mm-dd only)

Student/Alumni Information

  • Educational records (excludes directory information)
  • Grades
  • Courses taken
  • Schedule
  • Test Scores
  • Advising records
  • Educational services received
  • Disciplinary actions

Employee Information

  • Net salary
  • Employment history
  • Home address
  • Personal telephone numbers
  • Personal email address
  • Parents and other family members names
  • Payment history
  • Performance evaluations
  • Background investigations
  • Mother’s maiden name
  • Birthplace (City, State, country)
  • Race and Ethnicity
  • Gender
  • Marital Status
  • Physical description
  • Photograph

Alumni Information

  • Same as Employee Information

Job Applicant Information

  • Same as Employee Information

University Donor Information

  • Same as Employee Information

University Research

  • Same as Employee Information

Library Patron Information

  • Information which links a library patron with a specific subject the patron has accessed or requested

Other

  • Location of critical or protected assets
  • Licensed software

Classification description: Level 3 - Public

Public Information includes but not limited to:

Campus Identification Keys

  • Campus identification number
  • User ID (do not list in a public or an aggregate list when it is not the same as the student email address)

Student Information

  • Educational directory information (FERPA)
  • Name
  • E-mail address
  • Major field of study
  • Degrees, honors and awards received
  • Participation in officially recognized activities and sports
  • Height and weight statistics of NCAA student athletes

Directory information may be released without prior written approval unless notified in writing by the student that all information is to be held in confidence by the university. Requests to hold directory information in confidence should be sent in writing to the Vice President of Student Affairs & Enrollment Services, Student Services Building. The student’s records shall be kept confidential until the student requests in writing that the confidentiality hold be removed.

Addresses and telephone numbers for currently enrolled students will be released to CSUMB personnel and units solely for the purpose of conducting legitimate University business. They may not be shared with individuals or organizations outside the University except in accordance with the provisions immediately below.

Addresses and telephone numbers may be released for non-commercial use by individuals or organizations outside the University provided the request for such information has been reviewed and approved by the appropriate University personnel. Requests from the academic offices of accredited educational institutions shall be reviewed by the Provost and Vice President for Academic Affairs or designee. All other requests shall be reviewed by the Vice President for Student Affairs or designee.

In addition to the above, the Director of Athletics may provide information concerning participation of students in athletic events including the height and weight of athletes.

Employee Information (including student employees)

  • Title
  • Status as a student employee (such as TA, GA, ISA)
  • Campus e-mail address
  • Work location and telephone number
  • Employing department
  • Position classification
  • Gross salary
  • Name (first, middle, last)(except when associated with confidential information)
  • Signature

Revision Control

These classifications will be subject to revision in response to changes in technology, regulatory compliance, and/or CSUMB operational initiatives.