The purpose of this policy is to establish a framework for classifying institutional data based on its level of sensitivity, value, regulatory requirements, and criticality to the University. Classification of data will aid in determining baseline security controls for the protection of data.<\/p>\n\n\n\n
This policy applies to all employees, contractors, and third-party agents of the University as well as any other University affiliate who is authorized to access institutional data.<\/p>\n\n\n\n
Data classification, in the context of information security, is the classification of data based on its level of sensitivity and impact to the University should that data be disclosed, altered, or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of three sensitivity levels, or classifications:<\/p>\n\n\n\n
Data should be classified as Restricted when the unauthorized disclosure, alteration, or destruction of that data could cause a significant level of risk to the University or its affiliates. Examples of Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied to Restricted data.<\/p>\n\n\n\n
Data should be classified as Private when the unauthorized disclosure, alteration, or destruction of that data could result in a moderate level of risk to the University or its affiliates. By default, all institutional data that is not explicitly classified as Restricted or Public data should be treated as Private data. A reasonable level of security controls should be applied to Private data.<\/p>\n\n\n\n
Data should be classified as Public when the unauthorized disclosure, alteration, or destruction of that data would result in little or no risk to the University and its affiliates. Examples of Public data include press releases, course information, and research publications. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.<\/p>\n\n\n\n
Data stewards may wish to assign a single classification to a collection of data that is common in purpose or function. When classifying a collection of data, the most restrictive classification of any of the individual data elements should be used.<\/p>\n\n\n\n
On a periodic basis, it is important to reevaluate the classification of institutional data to ensure the assigned classification is still appropriate based on changes to legal and contractual obligations as well as changes in the use of the data or its value to the University. The appropriate data steward should conduct this evaluation. Conducting an evaluation on an annual basis is encouraged; however, the data steward should determine what frequency is most appropriate based on available resources.<\/p>\n\n\n\n