蹤獲扦

 

 

Morrison Hall

Data Labeling Guide

What is Document Labeling? 

 
Document labeling is the process of attaching metadata or tags to documents or email to signify their sensitivity level, classification, or purpose. These labels provide important information about the document's content, allowing users and systems to understand its significance and handle it appropriately.  

Labels can indicate various attributes of a document, such as its confidentiality level, regulatory compliance requirements, data retention policies, or sharing permissions.  

 

 

Why should documents be labeled? 

Governance: 

By applying consistent labels, 蹤獲扦 can gain insight into what type of data we possess, how it is used and where it is stored. This will help stakeholders make decisions about data handling, access controls and data lifecycle management. 

Risk: 

Labeling helps identify and prioritize sensitive information for protection and access control. Limiting unauthorized access and assisting with data loss prevention. 

Compliance: 

Document labeling supports compliance efforts by ensuring that sensitive information is handled in accordance with applicable laws, regulations and standards such as FERPA, HIPPA, ITAR, PCI-DSS  among others. 

Technical Requirements 

  • 蹤獲扦 connected device or application (i.e. Outlook for mobile) 
  • Microsoft Office 2019 or later 

蹤獲扦 Data Policy

蹤獲扦Sensitivity Markings 

蹤獲扦 PUBLIC 

蹤獲扦 Public Data generally has a very low sensitivity, but it still warrants protection since the integrity and protection of the data can be important. 蹤獲扦 Public Data is explicitly or implicitly approved for distribution to the public without restriction. Examples of 蹤獲扦 Public Data include, but are not limited to, the following:

Examples:

  • Information provided on the University's public website;
  • Information approved for release by the Registrar's Office that has been deemed "Directory Information," as defined by the University in accordance with the ;
  • Course descriptions;
  • Semester course schedules; or
  • Press releases and openly accessible publications.

 

蹤獲扦 PRIVATE 

蹤獲扦 Private Data is information that has low to moderate sensitivity and that is intended for internal University business use only, with access restricted to a specific workgroup, department, group of individuals, or affiliates with a legitimate need to use or access the information. Unauthorized disclosure could adversely impact the University, Controlled Affiliate Organizations, third parties, or individuals. Examples of 蹤獲扦 Private Data include, but are not limited to, the following:

INTERNAL USE ONLY 

蹤獲扦 Private data that should only be sent internal to the organization to 蹤獲扦 personnel. (Cannot be shared externally) 

 

Examples: 

  • Financial accounting data that does not also contain 蹤獲扦 Restricted Data;
  • Departmental intranet;
  • Information technology transaction logs;
  • My蹤獲扦 ID;
  • Information security logs;
  • Directory information for students, faculty, and staff who have requested non-disclosure, such as students opting out under FERPA; or
  • Non-directory information or student records that are protected under FERPA, which includes information that is directly related to a student and maintained by an educational institution or by a party acting for the agency or institution.

 

蹤獲扦 RESTRICTED 

蹤獲扦 Restricted Data is highly sensitive information maintained, collected, or recorded by 蹤獲扦 that is intended for limited, specific use by a workgroup, department, group of individuals, or third party (typically pursuant to a contract or agreement) with a legitimate need to use or access the data. Explicit authorization by the designated Data Owner is required for access to 蹤獲扦 Restricted Data because of legal, contractual, privacy, or other constraints. Unauthorized disclosure could have a serious adverse impact on the business or research functions of the University, affiliates, or external parties and violate the personal privacy of individuals, federal or state laws and regulations, or contractual obligations of the University. Examples of 蹤獲扦 Restricted Data include, but are not limited to, the following:

Sensitive Personally Identifiable Information (SPII)

There are two classes of SPII. The first class includes SPII that is sensitive regardless of whether any other identifier is paired with it ("Stand-Alone"). The second class of SPII becomes sensitive when it is combined with other types of Personally Identifiable Information (PII). The following are examples of each type of SPII:

Stand-Alone SPII:
    1. Social Security, driver's license, state ID, alien registration, or passport numbers;
    2. Financial Account Number or credit/debit card numbers;
    3. Identifiable Genetic Information and Biometric Identifiers;
    4. Data of a known child (less than 13 years of age); or Federal Tax Information
SPII when paired with other PII (such as a name or identification number):
    1. Medical Records (personal health information not covered under HIPAA; identifiable FERPA treatment records);
    2. Citizenship or immigration status;
    3. Racial or ethnic origin;
    4. Religious or philosophical beliefs;
    5. Sexual orientation;
    6. Criminal records;
    7. Employment records;
    8. Date of birth;
    9. Precise geolocation or Internet Protocol addresses (IP addresses);
    10. Last four digits of Social Security Number;
    11. Mother's maiden name;
    12. Union Membership;
    13. Text Messages (unless the business holding them is the intended recipient of the text message); or
    14. Videos, audio, or pictures of a person taken when the person would have an expectation of privacy (i.e., treatment videos taken in a clinic, etc.).
  • Protected Health Information (PHI) (including Designated Record Sets) held by Covered Entities or researchers at 蹤獲扦;
  • Controlled Unclassified Information (CUI);
  • Information or data classified as "For Official Use Only" (FOUO);
  • Information or data subject to federal export control regulations; or
  • Facilities and Technology Control Plans

INTERNAL USE ONLY 

蹤獲扦 Restricted information that should only be sent internal to the organization to 蹤獲扦 personnel. (Cannot be shared externally) 

 

 Effect:

  • Emails with any 蹤獲扦 RESTRICTED label applied will be encrypted 

蹤獲扦 PROPRIETARY 

Proprietary Data is either (1) University Data provided to a third party or (2) third-party data created, received, and/or maintained by the University on behalf of a third party such as an individual, corporation, or government agency. Proprietary Data will vary depending on contractual agreements and/or relevant laws or regulations. 

INTERNAL USE ONLY 

蹤獲扦 Proprietary information that should only be sent internal to the organization to 蹤獲扦 personnel. (Cannot be shared externally) 

 

Examples: 

  • Research Data 

Effect

  • Emails with any 蹤獲扦 PROPRIETARY label applied will be encrypted 
Applying a Sensitivity Label to a Document

Document Labeling 

Options to apply a sensitivity label to a document: 

  1. Selecting the Sensitivity dropdown from the Ribbon and selecting a label 

 Dat1

 

2.Selecting the Select a Label option at the top of the document, and then choosing a label. This will also appear when a document is saved without a label applied. 

 

 data2

 

  • Selecting a label will automatically mark the document or e-mail with that labels header and footer.  

 data3

Email Labeling

Options to apply a sensitivity label to an email: 

  1. Selecting the Sensitivity dropdown from the Ribbon and selecting a label 

email

2.Using the Select a Label option next to the subject line 

email2

3. Clicking Send on an email that does not contain a label 

email 3

Email Encryption 

Sending an Encrypted Email Message  

Encrypting emails is a good step in ensuring that 蹤獲扦 data is not viewed or accessed by unintended parties. 

To encrypt an email message, select any 蹤獲扦 Restricted label or any label with a padlock symbol over the shield icon. 

encrypted1

Users who receive an encrypted email outside of the organization will be prompted to authenticate with their own email account or receive a one-time passcode in order to authenticate. This link will only be accessible for 30 days from the time the email was sent. 

encrypted2

Specialty Labels

Additional labels exist for those users and departments that have specific compliance needs.  

If you handle the type of information highlighted below, please send an email to AskInfoSec@Wichita.edu so that we may supply you with more descriptive labels. 

LAbels