Skip to main content
Pepperdine | Community

Information Classification and Protection Policy Schedules

Overview

Use the following schedules to learn more about the types of data that fall under Public, Confidential, or Restricted classifications.

Table of Contents

Schedule A: Data Fields by Classification

Schedule B: Controls

Schedule C: Technologies

Schedule D: Examples

Schedule A: Specific Fields By Classification

This section details examples of specific data fields grouped by classification.

Specific Confidential Data Fields by Domain

FERPA-Covered Student Records

As defined by the U.S. Department of Education, “the Family Educational Rights and Privacy Act [FERPA] is a Federal law that protects the privacy of student education records." Complete information can be found at the U.S. Department of Education's Protecting Student Privacy website. The specified privacy is preserved by applying Confidential data classification controls to these records:

  • Grades/Transcripts
  • Class lists or enrollment information
  • Student Financial Services information
  • Athletics or department recruiting information
  • Payment history
  • Financial Aid/Grant information/Loans
  • Student Tuition Bills
  • Date of Birth
  • Place of Birth

Exception: The following FERPA data fields may ordinarily be revealed by the University without student consent and are classified as Public data, unless the student specifies they may not be revealed. Questions about the use of this data should be directed to the Office of the Registrar.

  • Name
  • Campus-wide ID/CWID (as long as it cannot be used to gain access to a password or PIN)
  • Directory address and phone number
  • Email (electronic mail) address
  • Permanent and/or mailing address
  • Campus office address
  • Residence assignment and room or apartment number
  • Specific quarters or semesters of registration
  • Degree(s) awarded and date(s)
  • Major(s), minor(s), and field(s)
  • University degree honors
  • ID card photographs for University classroom use

Employee Information

  • Performance reviews
  • Workers compensation or disability claims
  • Name in association with:
    • Salary or payroll information
    • Date of birth
    • Home address or personal contact information
    • Benefits information

Management Data

  • Detailed annual budget information
  • University investment information
  • Non-anonymous faculty course evaluations
  • Bank account numbers

General Information

  • Email used to carry out University duties or conduct University business
  • Information shared with legal counsel
  • Internal departmental memos and other correspondence for internal-use-only

Back to Top.

 

Specific RESTRICTED Data Fields by Domain

A small subset of data requires encryption or has a reasonable expectation that loss may cause large fines or disclosure costs. Typically, this type of data is classified RESTRICTED. Below is a comprehensive list of known RESTRICTED data fields:

Information Controlled by Law, Contract, or Policy

  • Credit Card Numbers (CCN)
  • Debit Card Numbers (DCN)
  • PIN Numbers
  • Social Security Numbers (SSN)
  • Drivers License Numbers (DLN)
  • Authentication Secrets:
    • Biometric data used for authentication
    • Account passwords or lists of passwords
    • Secret cryptographic keys

HIPAA-Protected Health Information

As defined by the U.S. Department of Health and Human Services (HHS), the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects individuals from the “wrongful disclosure of individually identifiable health information." In summary, HIPAA prohibits institutions from releasing patient information that can be traced to a specific individual. Complete information can be found at the official HHS HIPAA website. The following data, in relation to one’s status as a patient, is considered RESTRICTED information:

  • Patient names
  • Street address, city, county, zip code
  • Dates (except year) for dates related to an individual
  • Telephone/Facsimile numbers
  • Email (Electronic mail), URLs, and IP addresses
  • Account/Medical record numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Vehicle identification and serial numbers
  • Device identification and serial numbers
  • Biometric identifiers
  • Full face images
  • Any other unique identifying number, characteristic, or code
  • Payment Guarantor's information
  • Records of past, present, or future physical or mental health or condition
  • Records of the provision of health care to the individual
  • Records of the past, present, or future payment for the provision of health care to the individual 

Back to Top.

 

Specific Public Data Fields: Examples

Some data is published, as needed, publicly. These are examples only:

  • Campus maps
  • Business contact data (e.g., directory information)
  • Phone number
  • Email address
  • Event and class schedules
  • Campus-wide ID (CWID): Created by Registrar as a unique value equivalent to a name, e.g., class roster use is OK.

Back to Top.

Data Fields, Classifications, and Control Summary

Confidential data must have per person password protection for people who need access. In practice, assign permissions to groups of people who need access, then move people in and out of the group as required.

RESTRICTED data must be encrypted in transit and at rest. In practice, when a system stores, uploads/downloads, or prints RESTRICTED data, its storage must be encrypted.

Table of Data Fields and Data Classification with Notes
Data Field Classification Note
Athletics Information Confidential -
Authentication Secret, such as: RESTRICTED -
Bank Account Number Confidential Account and Routing Numbers.
Biometric Data RESTRICTED When used for authentication.
Budget Information Confidential -
Campus Map Public -
Campus-wide ID (CWID) Public Alternate for a person's name.
Course Enrollment Information Confidential -
Course Schedule Public -
Credit Card Number (CCN) RESTRICTED -
Debit Card Number (DCN) RESTRICTED -
Departmental Memo Confidential -
Directory Information Public -
Drivers License Number (DLN) RESTRICTED -
Email Address Public -
Email Message Data Confidential Email for University duties.
Employee Disability Claim Confidential -

Employee Name in association with:

  • Benefits Information
  • Date of Birth
  • Driver's License Number
  • Home Address
  • Personal Contact Information
  • Salary of Payroll Information
 Confidential

-
Employee Performance Review Confidential

-
Employee Social Security Number (SSN) RESTRICTED

-
Employee Workers Compensation Claim Confidential

-
Health Center Information RESTRICTED

See "Patient Health Information" below.
Legal Counsel Communication Confidential

-
Medical Records RESTRICTED

See "Patient Health Information" below.
Password(s) RESTRICTED

-
Patient Health Information (PHI), including, but not limited to: RESTRICTED

HIPAA prohibits institutions from releasing patient information that can be traced to a specific individual.
PIN Number RESTRICTED

Financial access or other PINs.
Social Security Number (SSN) RESTRICTED

-
Student Birth Date and Place Confidential

-
Student Financial Aid Information Confidential

-
Student Grades Confidential

-

Student Name in association with:

  • Campus Address
  • Degree(s) and Date(s) Awarded
  • Email Address
  • ID Card Photo
  • Major(s), Minor(s) Field(s)
  • Permanent and/or Mailing Address
  • Personal Contact Information
  • Residence Assignment
  • Semester Registration Information
  • University Honors
 Public, unless a student requests to opt out, then Confidential

These data fields may ordinarily be revealed by the University without student consent, unless the student designates otherwise.
Student Payment History Confidential

-
Student Social Security Number (SSN) RESTRICTED

-
Student Tuition Bill Information Confidential

-
Student Transcripts Confidential

-
University Investment Information Confidential

-

Back to Top.

 

Schedule B: Controls

Access Controls for Confidential and RESTRICTED Information

Access to Confidential and RESTRICTED information in electronic records shall be controlled as follows:

  • Use appropriate system or network permissions for the individual or group to restrict access to persons who need to know the data.
  • Authenticate access using one of the following sets of credentials:
    • University NetworkID and Password.
    • Other unique ID and a password that meets University password standards.
    • University NetworkID and Password with a second authentication factor.
    • Best practice use of an approved University-supported single sign-on system

Back to Top.

Table of Classification and Control

The following table summarizes the Information Classification and Protection Policy, sections 4 (Classifications) and 5 (Controls).

Simplified Table of Data Classifications and Controls
Classification Control
Public Data None
Confidential Data Passwords
RESTRICTED Data Encryption

Back to Top.

Table of Classification and Process

The following table displays a matrix of the Information Classification and Protection Policy, section 5 (Controls).

Controls Matrix by Data Classification and Process
Process RESTRICTED Data Confidential Data Public Data
Acquisition

Must be:

  • Legal to acquire.
  • Actively used.

Must be:

  • Legal to acquire.
  • Actively used.

Must be:

  • Legal to acquire.
Access Limited to those with University duties that require access, and for whom it is legally appropriate to have access. Limited to those with University duties that require access, and for whom it is legally appropriate to have access.

Not limited:

  • Publish as appropriate.
Communication Methods must prevent disclosure to unauthorized persons. Requires appropriate safeguards against disclosure. As required to all persons.
Data Processing Systems must use appropriate safeguards to prevent loss/disclosure. Systems must use appropriate safeguards to prevent loss/disclosure. As required on any system.
Network Transmission Data or entire transmission must be encrypted outside datacenter. As required on internal and external networks. As required on internal and external networks.
Retention, Disposal, Transfer According to Records Management Policy and Computer Disposal Policy.
Storage

Must be one of:

  • Strong encryption using strong password or private key.
  • University central administrative database.
 Storage in a secure location with controls in place to limit access to those with University duties that require access. As required.

Back to Top.

 

Schedule C: Specific Technologies

Artificial Intelligence/Generative AI

All RESTRICTED information and any Confidential information that contains personally-identifiable information (PII) shall NOT be submitted to or processed with Generative AI technologies.

Confidential information that does not contain PII, such as email used to carry out University duties or conduct University business, internal departmental memos, and reports for internal use only, may be processed using Generative AI technologies.

Back to Top.

Central Administrative Databases

Central administrative databases are approved for unencrypted storage of RESTRICTED information. The current systems designated as the central administrative databases are:

  • PeopleSoft System (WaveNet)
  • Centralized Document Management (Etrieve)
  • Accellion Attachments (Secure Attachments)

Back to Top.

Passwords

Passwords are RESTRICTED data and must be encrypted in transit and at rest. The current University password standards for end users are published at mypassword.pepperdine.edu.

University clear-text passwords may not be submitted to third-party services for retransmission & authentication at the University, even over Transport Layer Security (TLS). This process necessarily involves passing the password in such a way that a bad actor or error at the third party would have access to the clear-text password. Third parties must either use a supported single sign-on (SSO) option (e.g., CAS) or provide a system to be hosted and operated by Information Technology (IT) in an IT-operated datacenter.

Back to Top.

Mobile Devices: Tablets and Smartphones

RESTRICTED information is NOT to be stored or transmitted via mobile devices. The necessary exceptions are the storage of the owner’s password(s) in the operating system or in password managers recommended by the Information Security Office (see ISO website). Access to the mobile device and the password manager MUST be password-protected (see password standards for guidance).

Confidential information requires password-protected access. Since most mobile devices store and replay passwords automatically, Confidential information on mobile devices needs to be protected with a PIN or Password lock with a timeout of 15 minutes or less. Use of profiles that allow the device to be remotely wiped via a manufacturer or University service is strongly encouraged to protect Confidential information on the device. Best practice includes:

  1. Using a password rather than a PIN.
  2. Setting the device to auto-wipe on 10 consecutive failed accesses.

Back to Top.

Google Workspace and Network File Shares

RESTRICTED information is NOT to be stored in Google Workspace or on network File Shares without approved additional encryption. Departments needing to share files containing RESTRICTED data should contact the Information Security Office for a consultation and an evaluation of an encrypted drive (N: Drive).

Back to Top.

General Data Privacy Regulation (GDPR), California Consumer Privacy Act (CCPA)

GDPR and CCPA do not alter classifications of individual data fields. However, these may affect what data is legal to collect. University departments are advised to participate fully in data privacy reviews and follow the advice of University counsel on changes to data collection and retention.

Back to Top.

Technologies for Encrypted Network Transmission

RESTRICTED information may NOT be transmitted on any network, outside an IT data center, without encryption.

Approved encrypted network transmission methods include:

  • Transport Layer Security (TLS) transport for network protocols, e.g., HTTPS web traffic.
  • Secure Shell (SSH v2) and related protocols, e.g., SFTP, SCP.
  • Remote Desktop Protocol (RDP) using encryption. The use of RDP for accessing servers without using certificates identifying those servers is deprecated.
  • Secure email attachments server, attachments.pepperdine.edu. NOTE: This is only an approved method to secure the attachment; it does not secure the message text.
  • Encrypted PDF files, using strong encryption. NOTE: The passwords for said files are RESTRICTED data, and should be transmitted encrypted separately from the encrypted PDF file.
  • Encrypted Virtual Private Network (VPN) transmissions between secure computers – NOTE: University VPN only encrypts transmissions to on-campus servers and does not encrypt transmissions to hosted or cloud applications.

Back to Top.

Technologies for Storage Encryption

Storage of RESTRICTED information outside the central administrative databases requires approved strong encryption protected by a password or passphrase that meets University password standards.

Approved strong encryption methods include:

  • Pretty Good Privacy (PGP or GPG) file encryption, where the key is secured by a password that meets University password standards for strength and storage.
  • Encrypted Workstations with IT-approved, centrally managed encryption and with a signed security agreement: Sophos EndPoint Encryption (PGP Desktop no new installs nor reinstalls effective 8/1/24).
  • Kanguru USB flash drives protected by a password that meets University password standards.
  • Enterprise backup encryption used by IT where the keys to the data are controlled in University datacenters.

NOT APPROVED due to lack of central IT support:

  • Technologies not on the above list.

NOT APPROVED due to a lack of enterprise management and password controls:

  • Personally installed encryption technologies, including BitLocker, FileVault, and TrueCrypt.

The use of other encryption technologies for safeguarding RESTRICTED information is prohibited. The use of other encryption technologies for University business is deprecated because of the cost of supporting multiple or non-enterprise technologies and because IT cannot support data recovery or decryption on other technologies in the event of investigation, data loss, or employee departure.

For consulting on access control, encrypted transmission, and storage methods, please contact the Information Security Office.

Back to Top.

 

Schedule D: Classification Examples

Classification Principle

The classification of the document or the system resolves to the highest classification of data fields therein.

Control Principle

The control to be applied to a document or system is the control that applies to the highest classification of data in the document or system.

Classification Examples

Example 1: A staff member's email account contains a mixture of University community event announcements (Public data) and messages used to conduct University business (Confidential data).

  • What is the Classification? Confidential. Using the Classification Principle, the highest classification applies.
  • What Controls are Required? The email access must be password-protected. The mailbox owner and delegates need their own separate passwords to access the messages; no shared passwords.

Example 2: A datacenter server contains a database with salaries (Confidential data) and Social Security Numbers (SSN, RESTRICTED data).

  • What is the Classification? RESTRICTED. Using the Classification Principle, the highest classification applies.
  • What Controls are Required? All network transmissions must be encrypted to and from the server. The database may be encrypted or the SSN data field may be encrypted using University-approved encryption.

Example 3: A printout of an application for financial assistance contains the student's name (Public data), GPA (Grade Point Average, Confidential data), and Social Security Number (SSN, RESTRICTED data).

  • What is the Classification? RESTRICTED. Using the Classification Principle, the highest classification applies.
  • What Controls are Required? The printout must be locked or supervised at all times.

Back to Top.

 

Document History

Policy Change Log
Date Change Description By
04/16/2007 First draft and publication. K. Cary
10/31/2007 New revisions considering Phil Phillips' feedback (provided 08/22/2007). D. Gianforte
11/01/2007 New revisions considering K. Cary feedback. D. Gianforte
12/01/2007 Revisions based on Info Security Task Force feedback. D. Gianforte
12/13/2007 Revisions based on Info Security Task Force feedback (classification reorder). D. Gianforte
01/14/2007 Revisions based on Outside Council feedback. D. Gianforte
02/18/2008 Revisions based on Task Force feedback, new alphabetical schedule. D.G. / K.C.
08/22/2008 Revisions based on General Counsel input at UMC approval. D.G. / K.C.
09/08/2008 Amend missing classification last row Schedule A alphabetical, make Schedule C "transmission" match section 5.3 of the policy, complete missing sentence Schedule D. K. Cary
01/19/2009 Removed Drivers License Number from Confidential fields (it is Restricted). K. Cary
07/23/2012 Updated Schedule C to reflect current technologies. K. Cary
12/04/2012 Updated Schedule C to reflect current technologies. K. Cary
06/13/2014 Updated Schedule A to reflect additional fields. Updated Schedule B with simplified controls table. Updated Schedule C to reflect current technologies. Increased consistency throughout. K. Cary
07/22/2014 Prepared for publication, incorporating corrections from Registrar's Office and Accellion (Secure Attachments) information. K. Cary
06/26/2025; 07/15/2015 Examples of popular unapproved encryption. Corrections from Finance on Bank Numbers. Explicitly denies non-enterprise encryption. K. Cary
11/09/2018 Formatting and clarification. Updates to data fields and control technology. Added Schedule D (Classification Examples). K. Cary, A. Regan
10/25/2023 Addition of controls summary for alphabetic classication fields to make one-page, double-sided handout for managers to use with teams. K. Cary
07/10/2024 Updated Schedule C to reflect current technologies. Formatting and clarification. Approved by IT Leadership Council on 07/25/2024. K. Cary
04/07/2026 Converted PDF to a web page. A. Regan

Back to Top.

 

← Back to Information Classification and Protection Policy.

← Back to Policies and Standards.