Policy Code: GD001

Effective Date: Tuesday, June 27, 2017

Revision Number: 1

Last Reviewed: Tuesday, June 27, 2017

Version Control: This is a new Guideline

Purpose

To establish a framework for classifying state data based on its level of sensitivity, value and criticality. Classification of data will aid in determining baseline security controls for the protection of data.

Data Classification

Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the state should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data.  All state data should be classified into one of three sensitivity levels, or classifications:

A. Level 3

Data should be classified as Level 3 when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the state or its citizens.  Examples of Level 3 data include data protected by state or federal privacy regulations and data protected by confidentiality agreements.  The highest level of security controls should be applied to Level 3 data.

B. Level 2

Data should be classified as Level 2 when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the state or its citizens.  By default, all State Data that is not explicitly classified as Level 3 or Level 1 data should be treated as Level 2 data.  A reasonable level of security controls should be applied to Level 2 data.

C. Level 1

Data should be classified as Level 1 when the unauthorized disclosure of that data would result in little or no risk to the state and its citizens.  Examples of Level 1 data include press releases, information about agency services and research publications.  While few or no controls are required to protect the confidentiality of Level 1 data, some level of control is required to prevent unauthorized modification or destruction of Level 1 data.

| Applicability | Level 1 | Level 2 | Level 3 |
|---|---|---|---|
| End user training | n/a | Optional | Required |
| User access | No authentication required | NDGOV accounts only | NDGOV accounts only, Consider MFA |
| Stored in ITD Datacenter | Shared storage | Shared storage with authentication | Dedicated storage with authentication, consider encryption |
| Stored in the Cloud (Request CIO Approval for Specific Solution Requirements) | n/a | Authentication required, consider encryption | Authentication required, must be encrypted |
| Stored on Portable Electronic Devices (PDAs, Smart Phones, Tablets, USB/SD portable storage devices) | n/a | Authentication required, must have remote wipe capabilities | Device must be encrypted, must use MDM solution, must have remote wipe capabilities if applicable |
| Stored on Laptop Computers | n/a | Authentication required | Laptop must be encrypted |
| Sent in Email | n/a | Include a disclaimer | Must be encrypted, consider secure FTP |
| Internal Network Transmission | n/a | Consider encryption | Must be encrypted |
| External Network Transmission (Wired and Wireless) | n/a | Consider encryption | Must be encrypted |
| Access from external network | n/a | Must use VPN | Must use MFA VPN |
| Storage retirement/surplus | n/a | Must be securely wiped | Must be destroyed |
| Backup and Archival | n/a | Consider Encryption | Must be Encrypted |

Definitions

MFA – Multi Factor Authentication

VPN – Virtual Private Network

FTP – File Transfer Protocol

MDM – Mobile Device Management

Guidance

North Dakota Attorney General’s Office open records guide - https://attorneygeneral.nd.gov/open-records-meetings/manuals-and-guides

Drafted By

Data Architecture