Data Classification - Administrative Examples
Classification Levels
L1 - Information intended and released for public use.
L1 Examples
- Published research
- Course catalogs
- Published faculty and staff information
- Student directory information*
- Basic emergency response plans (life safety)
- University-wide policies
- Harvard publications
- Press releases
- Published marketing materials
- Regulatory and legal filings
- Published annual reports
- Code contributed to Open Source
- Released patents
- Plans of public spaces
* Directory information about students who have requested FERPA blocks must be classified and handled as L3,
at minimum.
L2 - Low Risk Confidential Information that may be shared only within the Harvard community.
L2 Examples
- Department policies and procedures
- Employee web/intranet portals
- Harvard training materials
- Pre-release articles
- Drafts of research papers
- Work papers
- Patent applications
- Grant applications
- Non-public building plans or layouts (excluding L3 or L4 items)
- Information about physical plant (excluding L3 or L4 items)
- Non-sensitive administrative survey data
L3 - Medium Risk Confidential Information intended only for those with a “business need to know.”
Disclosure of this information beyond intended recipients might cause material harm to individuals or the University.
L3 Examples
- Non-directory student information
- Non-published faculty and staff information
- Information protected under FERPA, in general
- HUID tied to an individual
- Personnel records**
- Donor information (excluding L4 data points or special handling)
- Non-public legal work and litigation information
- Budget /financial transactions information
- Non-public financial statements
- Information specified as confidential by vendor contracts and NDAs
- Information specified as confidential by Data Use Agreements
- Security findings or reports (e.g. SSAE16, vulnerability assessment and penetration test results)
- Most Harvard source code
- Non-security technical specifications/architecture schema
- Library/museum object valuations
- IRB records
- Sensitive administrative survey data, such as performance reviews or course feedback, especially if free text response is permitted
**Employees have the right to discuss terms and conditions of their own employment, including salary and benefits, with each other or with third parties.
L4 - High Risk Confidential Information that requires strict controls.
L4 Examples
- Passwords and PINs
- System credentials
- Private encryption keys
- Government issued identifiers (e.g. Social Security Number, Passport number, driver’s license)
- Individually identifiable financial account information (e.g. bank account, credit or debit card numbers)
- Individually identifiable health or medical information***
- Security system procedures and architectures
- Trade secrets
- Systems managing critical Operational Technology
*** Harvard units or programs that qualify as "covered entities" under the Health Insurance Portability and Accountability Act (HIPAA) must comply with HIPAA’s data security rules.
L5 - Reserved for Research Data only, as determined by IRB or Data Use Agreement.
L5 Examples
- Research data classified as Level 5 by the IRB
- Information or research under a contract stipulating specific security controls beyond L4
Using the Classification
Know the policy
The full policy and additional resources are at the Security Policy website.
Seek assistance
If you have questions or concerns about the policy, or if you know of items that are out of compliance, please contact your manager or your School Security Officer.
Use good judgment
The lists above are only examples, not definitive classifications.
Print the current handout for reference
General safeguards for all non-public levels
- Share only with those authorized to have access
- Use caution when discussing in public places
- Secure paper-based information in locked desk/office/cabinet when not in use
- Report possible or actual loss immediately to your supervisor or Security Officer
- Never share passwords/PINS with anyone or carry them with the device they unlock!
L2 - L4 Handling
Printing
-
L2
-
Do not leave unattended on copiers/printers
-
-
L3
-
Do not leave unattended on copiers/printers
-
-
L4
- Use badge retrieval for print jobs on an approved Level 4 printer.
Mailing paper-based info
-
L2
- Put in a closed mailing envelope/box and send via Interoffice or US mail.
-
L3
- Put in a sealed envelope/box and send via Interoffice or US mail.
-
L4
- Put in a sealed envelope/box and send via FedEx/UPS/USPS mail with tracking/delivery confirmation where feasible.
Storing electronic files on work or personal computer
This includes portable and non-portable devices
-
L2
-
Computer must meet Harvard security requirements, including device password, anti-virus, current patches, encryption, and remote wiping.
-
-
L3
-
Computer must meet Harvard security requirements, including device password, anti-virus, current patches, encryption, and remote wiping.
-
-
L4
-
Never copy/store L4 data onto your work or personal computer. Data should remain within the secure managed system or encrypted external storage media.
-
Storing files on external portable storage media
-
L2
- No specific requirements
-
L3
- USB stick, CD/DVD, back-up tape, etc. must be encrypted and password protected.
-
L4
- USB stick, CD/DVD, back-up tape, etc. must be encrypted and password protected.
Sharing data/files with authorized individuals
-
L2
- Use approved collaboration tools and share with specific individuals, not anonymous or guest links.
-
L3
-
Use approved collaboration tools and share with specific individuals, not anonymous or guest links.
-
-
L4
-
Use approved collaboration tools or network locations to share files with named individuals.
-
Sending data/files to authorized individuals
-
L2
- Use email and send only to those authorized to view it.
-
L3
- Encrypt when transmitting data both internally and externally: Use a School-supported Secure File Transfer method (e.g. OneDrive, Accellion). On website forms, use HTTPS.
-
L4
- Encrypt when transmitting data both internally and externally: Use a School-supported Secure File Transfer method (e.g. L4 SharePoint, Accellion). On website forms, use HTTPS.
Engaging vendors to store/process data
-
L2
- Written contracts are strongly recommended for vendors/other third parties who collect, process, host, or store non-sensitive, non-public university data.
L3
- Ensure vendor/hosting agreement includes appropriate security requirements.
-
L4
- Engage Information Security for a vendor risk assessment and include Harvard’s Personal Data Protection rider in the vendor/hosting agreement.
Secure disposal
How to delete electronic files
- L1-L3: Use standard Delete/“X” commands and empty trash bin
- L4: Use a secure overwrite or removal tool (e.g. Spirion/Identity Finder)
How to dispose/recycle paper
- L1 Only: Use single-stream/commingled recycling program
- L2-L4: Paper must be put through a cross-cut shredder prior to recycling
How to dispose of devices and/or prepare them for recycling or upgrade
- Contact local IT Support for pick-up or drop-off: they will remove data and recycle
- Shred CD/DVD at provided shredders or contact local IT Support
- Enter incorrect passwords until device reformats itself or select Reset in Settings