Purpose

Anne Arundel Community College (“College”) exchanges data between employees, students, prospective students, and third parties as a requirement of the educational institution. The College recognizes the importance of understanding what data is being shared, who has access to it and how that data should be protected, in storage and in transit. This Data Classification and Encryption Information Technology Requirement (ITR) establishes a framework for categorizing data based on its sensitivity, value, and criticality, so that confidential data can be secured appropriately.

Scope

This ITR applies to all data held by the College in any form, including paper documents and digital data stored on any type of media. It applies to all the College’s employees, as well as to third parties authorized to access the data. This ITR applies whether data is stored on the College premises or elsewhere.

This ITR applies to Anne Arundel Community College’s data, and Data Users who access it. The College uses or has access to data that is considered Confidential, data governed by the Family Educational Rights and Privacy Act (FERPA), “Financial” data of a person or the College, Instructional data, and General data.

Definitions

  1. Confidential Information - Consists of non-public information about a person or an entity that, if disclosed, could reasonably be expected to place either the person or the entity at risk of criminal or civil liability, or damage the person or entity's financial standing, employability, privacy, or reputation.
  2. Personally Identifiable Information (PII) - Any name or number that may be used, alone or in conjunction with any other information to identify a specific individual.
  3. Financial – General - Use this sensitivity label if the document or email contains financial data, either for a person or for the college. The document or email will be encrypted. All Data Users can use this sensitivity label.
  4. Instructional - This sensitivity label designates documents that are used for instructional purposes. The document is not encrypted. All Data Users can use this sensitivity label.

Data Categorization and Encryption Requirements

  1. Users will comply with all laws (federal, state, local and other applicable laws, licenses), college policies and procedures.
  2. IIT will develop processes and guidelines for data categorization.
  3. IIT will develop processes and guidelines for data encryption.
  4. IIT will utilize automated processes or guidelines for Data Categorization for files and emails, as practicable. Manual application of Data Categorization will not be mandatory.
  5. AACC-issued laptops and other mobile devices will be full disk encrypted, as available on the device and operating system.
  6. Confidential Information will be encrypted at rest and in transit (including USB drives and removable media that contain Confidential data).

Compliance and Enforcement

  1. The College will verify compliance with this ITR through annual audit reports made to the VP of Information and Instructional Technology Division, or designee.
  2. Any discovery of non-compliance with this ITR must be brought to the attention of the VP of Information and Instructional Technology Division, or designee.
  3. Any Employee, Contractor, or other third-party performing duties on behalf of the College who violates this ITR may be denied access to Information Technology Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.

Exemptions

Exceptions should be submitted to the Vice President for Information and Instructional Technology Division for review and approval. If an exception is requested, a compensating control or safeguard should be documented and approved.

Contingencies

None

Review Process

Information Technology Requirements will be reviewed every 12 months, or sooner if required. Guidelines and Processes will be reviewed every 24 months, or sooner if required.

Guideline Title: Data Classification and Encryption Information Technology Requirement

Guideline Owner: Vice President for Information and Instructional Technology

Guideline Administrator: Director, Information Security

Contact Information: John Williams, [email protected]

Approval Date: January 8, 2024

Effective Date: January 8, 2024

History: Adopted July 15, 2023

Applies to: Faculty, Staff, and Students

Related Policies: N/A

Related Procedures: N/A

Related Guidelines: Data Classification and Encryption

Forms: N/A

Relevant Laws:

  • Fair Credit Reporting Act (FCRA)
  • Fair and Accurate Credit Transactions Act (FACTA)
  • U.S. Code of Federal Regulations, Title 16, Chapter I, Subchapter F, Part 681 – Identity Theft Rules (a.k.a., “Red Flags” Rules)
  • Maryland State Government Code, Title 10 – Governmental Procedures, Subtitle 13A – Protection of Personally Identifiable Information by Public Institutions of Higher Education, Sections 01 through 04 (formerly Maryland House Bill 1122)
  • Gramm-Leach-Bliley Act (GLBA)
  • Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99)
  • Sarbanes-Oxley Act (SOX)
  • U.S. Patriot / Freedom Act
  • Social Security Number Privacy Act
  • Payment Card Industry Data Security Standard (PCI-DSS)