Data must be properly managed from its creation, through authorized use, to proper disposal. This data classification policy provides a high-level guideline to state agencies for the purpose of understanding and managing data and information assets with regard to the level of protection required. This policy requires that all data be classified on an ongoing basis and managed based on its confidentiality, integrity, and availability characteristics.
A. Each agency must establish a data classification policy and shall serve as a classification authority for the data and information that it collects or maintains in satisfaction of its mission.1. Data classifications are a prerequisite to establishing agency guidelines and system requirements for the secure generation, collection, access, storage, maintenance, transmission, archiving, and disposal of state data.2. The data classification identifies how sensitive the data is with regard to unauthorized disclosure. Data should be assigned one of three classifications:a.Public: The "public" classification includes information that must be released under Mississippi open records law or instances where an agency unconditionally waives an exception to the open records law.b.Limited Access: The "limited-access" classification applies to information that an agency may release if it chooses to waive an exception to the open records law and places conditions or limitations on such a release.c.Sensitive: The "sensitive" classification applies to information, the release of which is prohibited by state or federal law. This classification also applies to records that an agency has discretion to release under open records law exceptions but has chosen to treat as highly confidential.3. In addition to the data classification, all data must also have a designated data owner. The data owner will be responsible for assigning data classification regarding their data.B. State and federal law may require that certain types of data be classified in a particular manner. Each agency shall determine if there are state or federal legal requirements for classifying the data and shall assign the classification(s) as required by law. (i.e. HIPAA, PCI, etc.)C. Each agency must establish a process to regularly review the appropriateness of the assigned data classifications and adjust classifications in the event of regulatory changes affecting an agency's management of information under its control.D. Each agency must ensure that data compiled from multiple sources is classified with at least the most secure classification level of any individually classified data in the set.E. Each agency must ensure that data shared with other agencies is consistently classified and protected in accordance with a documented agreement detailing, at a minimum, data treatment requirements.F. Each agency must ensure that sensitive data is secured in accordance with applicable agency requirements, federal or state regulations/guidelines, and the enterprise security policy.G. All reproductions of data in its entirety must carry the same data classification as the original. Partial reproductions of data need to be evaluated to determine if new classifications are warranted.H. If an agency is unable to determine the data classification of data, the data should be assumed to have high classification requirements and, therefore, is subject to a data classification of "sensitive".I. All personally identifiable information (PII) must be classified as "sensitive". Miss. Code Ann. § 25-53-1 to § 25-53-25.