APPROVED: January 28, 2021
EFFECTIVE: January 28, 2021
REFERENCE(S): Board Policy (BP) 6-10, Cyber Security Policy
/ Joe Garcia /
Joseph A. Garcia
This procedure documents the requirements by which the Colorado Community College System and its Colleges (“CCCS”) classify information, including the handling and protection of that information, regardless of media type.
This procedure applies to employees, personnel affiliated via third party contracts, and volunteers who have access to Information Assets owned or leased by CCCS.
Personally Identifiable Information (PII)
For the purpose of meeting security breach notification requirements, PII is defined as a person’s first name or first initial and last name in combination with one or more of the following data elements:
The System Chancellor delegates to the System Vice Chancellor for Information Technology (“IT”) responsibility for oversight of compliance with and implementation of this procedure. Further, the System Chancellor delegates to the College Presidents the responsibility to implement and comply with this procedure at their respective institution.
Data shall be consistently protected along its lifecycle (creation to disposal) according to its level of sensitivity, criticality, and business “need to know.” Data owned, received, used, created, or maintained by CCCS shall be classified into the following three categories:
Examples of data that falls into each of the above classifications are included in Appendix A to this procedure.
CCCS data, regardless of media, shall be handled in accordance with applicable laws and regulations. In addition, CCCS will provide safe and secure methods of handling data to prevent the inadvertent or malicious disclosure of Sensitive or Restricted information.
Sensitive or Restricted information may not be stored on removable media. Removable media includes flash memory devices such as thumb drives, cameras, MP3 players and PDAs; removable hard drives (including hard drive-based MP3 players); and optical disks such as CD and DVD disks.
CCCS shall deploy encryption solutions on Information Systems that store or transmit Sensitive or Restricted information.
CCCS reserves the right to change any provision or requirement of this procedure at any time and the change shall become effective immediately.
Student ID numbers
|Non-public policies||Marketing materials for public consumption|
|Student||Driver’s license, passport, credit card or banking information, Individual grades, academic transcript, class schedule, advising notes||Student name, Major, Degree
Student Directory Information under the Family Educational Rights and Privacy Act (FERPA) and SP 4-80a,
Address, Phone numbers, date of birth
|Human Resources||I-9 Form data; Payroll direct deposit account number||Employee home address,
Employee offer letters,
other personnel information, employee compensation
|Employee name, General employee benefit plans
|Health||Protected Health Information under the Health Insurance Portability and Accountability Act (HIPAA)|
|Facilities||Detailed floor plans showing gas, water, sprinkler shut-offs, hazardous materials||Campus map showing buildings, names, addresses, parking, lighted pathways, emergency phones, etc.|