Cybersecurity

Categories of Information

Everyone at SUNY Oswego has a role to play in protecting our information.

Faculty, staff, student – everyone has sensitive personal information to protect.  If you are faculty or staff at SUNY Oswego, you have additional responsibilities for safeguarding the personal and confidential information of others in the college community.  Protecting the sensitive information of others is simply the right thing to do, but it’s important to remember that SUNY Oswego is legally obligated to do so, in many circumstances.   There are numerous regulations that dictate how certain types of very sensitive information must be treated, including credit card numbers, health history information, and SSNs.  SUNY Oswego must comply with these laws – if we do not, the college could face stiff fines, civil lawsuits, loss of reputation, or lose the ability to do certain kinds of critical functions (such as accepting credit cards).  Other kinds of information at SUNY Oswego deserve protection also, but for different reasons.  An important part of your job is understanding what kinds of information to which you may be exposed, and knowing what safeguards you must use to protect the information based on its category.  

Why does the “Categories of Information” document exist?

We cannot effectively protect our information without first understanding what level of protection our information requires.  The “Categories of Information” document is the definitive source for how SUNY Oswego classifies its information and data.  The Categories of Information document should be your first step in understanding the types of information you may encounter in your job, and how carefully you need to protect that information. In the document, you will find the types of individuals about whom information is collected, the list of laws, regulations, statutes, and standards with which SUNY Oswego must comply, and definitions of the four different categories of information (with examples of each).  

Now that you know about the categories, what next?

Each department will have policies and procedures for how information should be handled, that are in line with the Categories of Information document, and related to the functions of the department.  Certain entities (people or departments) are responsible for granting access to and ensuring appropriate uses of information, while others are accountable for the physical and electronic security of information.  Others may have more limited responsibilities, perhaps as just “end-users” of our information.   If you have any questions or concerns about how your job or department handles information, you should bring them to the attention of your supervisor, manager or department chair.  Information without an apparent category should be treated as Protected, and reported so that it may be classified properly.     

SUNY Oswego Categories of Information Document (PDF)