The following definitions shall be used to classify data for security purposes:
Normal: The least restrictive class of data. Although it must be protected from unauthorized disclosure and/or modification, it is often public information or subject to disclosure as a public record. Examples of this class of data are: class schedules, course catalogs, general ledger data, and employee demographic statistics.
Sensitive: This class includes data for which specific protections are required by law or for which agencies are obligated to prevent identity theft or similar crimes or abuses. Examples of this class of data are: peoples' names in combination with any of the following: driver's license numbers, birth date, EWU ID number (EWUID), address, e-mail addresses, and telephone numbers. Also included are: agency source code or object code, agency security data, education records including papers, grades, and test results, or information identifiable to an individual that relates to any of these types of information.
Confidential: This class includes those data elements that are either passwords in the traditional sense or function in the role of an access control such as a credit card number, expiration date, PIN, and card security code. All data classified as Confidential shall be encrypted in storage and in transit. Access to these elements are tightly controlled and audited. Examples of these data are: Social Security Numbers (SSN), credit card numbers, expiration dates, PINs, and card security codes, financial profiles, bank account numbers, medical data, law enforcement records.