Information Technology Data Classification Policy

Purpose

The purpose of this policy is to establish a framework for classifying institutional data based on its level of sensitivity, value, regulatory requirements, and criticality to the University. Classification of data will aid in determining baseline security controls for the protection of data.

Scope

This policy applies to all employees, contractors, and third-party agents of the University as well as any other University affiliate who is authorized to access institutional data.

Definitions

• Data Steward: A senior-level employee (typically at the level of unit director) who oversees data management functions related to the capture, maintenance, and dissemination of data for an operational area. They are responsible for decisions about the usage of University data under their purview.
• Data Users: Individuals and organizations that access institutional data and information to perform their assigned duties or to fulfill their role in the University community.
• Institutional Data: All data owned or licensed by the University.

Data Classification

Data classification, in the context of information security, is the classification of data based on its level of sensitivity and impact to the University should that data be disclosed, altered, or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of three sensitivity levels, or classifications:

Restricted Data

Data should be classified as Restricted when the unauthorized disclosure, alteration, or destruction of that data could cause a significant level of risk to the University or its affiliates. Examples of Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied to Restricted data.

Private Data

Data should be classified as Private when the unauthorized disclosure, alteration, or destruction of that data could result in a moderate level of risk to the University or its affiliates. By default, all institutional data that is not explicitly classified as Restricted or Public data should be treated as Private data. A reasonable level of security controls should be applied to Private data.

Public Data

Data should be classified as Public when the unauthorized disclosure, alteration, or destruction of that data would result in little or no risk to the University and its affiliates. Examples of Public data include press releases, course information, and research publications. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.

Data Collections

Data stewards may wish to assign a single classification to a collection of data that is common in purpose or function. When classifying a collection of data, the most restrictive classification of any of the individual data elements should be used.

Reclassification

On a periodic basis, it is important to reevaluate the classification of institutional data to ensure the assigned classification is still appropriate based on changes to legal and contractual obligations as well as changes in the use of the data or its value to the University. The appropriate data steward should conduct this evaluation. Conducting an evaluation on an annual basis is encouraged; however, the data steward should determine what frequency is most appropriate based on available resources.

Policy Compliance

Any breach, loss, or unauthorized exposure of Restricted or Private data must be immediately reported to the Office of Information Technology. IT staff will determine the appropriate actions to comply with University policy and local, state, and federal law.

Communication

This policy is distributed via the University Policies webpage.