The Office of Information Technology - UTSA


Copyright (c) 2007. The University of Texas at San Antonio. All rights reserved.

Information Security Office

Office of Information Technology


DATA CLASSIFICATION STANDARD


Overview

As computing services and systems have expanded throughout the University, so has the need to protect the data used in teaching, administration and research. The University depends heavily on the accuracy, integrity and usability of its data, and it is essential that all data be maintained in an appropriate security environment.

The Data Classification Standard:

  • applies to all data created and maintained by all campuses, except where superseded by grant or other contract or by federal copyright law;
  • applies to all authorized users of the University’s computing resources;
  • complies with applicable federal and state laws which govern the privacy and confidentiality of data.

Classifying Data

All institutional data must be categorized into one of the three levels outlined below.

Generally speaking,

  • Public data (Category III below) can be seen by anyone, but it still requires protection against unauthorized modification.
  • Category II data are sensitive, i.e., only authorized individuals may see or modify the information. Custom access control procedures are required. Improper disclosure may result in harm to the organization or to individuals.
  • Category I data require more care than sensitive data. Improper disclosure may result in significant legal or financial harm.

Definitions

To classify your data, be sure you understand these classifications.

Category I – High level of sensitivity

  • Legal requirements: protection of data is required by law,* reduces liability and negative publicity.
  • Risk: long-term loss of reputation; long-term loss of research funding; long-term loss of critical campus or departmental services; unauthorized tampering of research data.
  • Data examples: health related research, personnel information, financial data, credit cards, Social Security Numbers, official transcripts, HR records.

Category II – Moderate level of sensitivity

  • Legal requirements: protection of data will prevent poor business decisions, inaccurate research conclusions, potential liability, and moderate negative publicity.
  • Risk: short-term loss of reputation; short-term loss of research funding; short-term loss of departmental services; unauthorized tampering of research data.
  • Data examples: project data, HR data that is not sensitive, research data or results that are not sensitive, business transactions that are not sensitive.

Category III – Low level of sensitivity

  • Legal requirements: protection of data will avoid negative publicity.
  • Risk: loss of data with no impact to the university; inaccurate general information.
  • Data examples: institutionally published public data, academic course descriptions, directory information.

* Examples are non-directory information protected by FERPA or Gramm-Leach-Bliley, donor data, employee data, and University data that are not otherwise protected by statute, but which must be protected due to contractual agreements requiring confidentiality, such as Non Disclosure Agreements.

Some of your data will fit easily into the categories listed above. If you have doubts about the classification, rate your data against the confidentiality, integrity and availability (CIA) requirements outlined below.

For systems containing mixed categories of data, base your classification on the most confidential data stored in the system. Even if the system also stores data that could be released in response to an open records request, or information that is public, the entire system must be protected as appropriate for its most confidential data.

Confidentiality – What are the consequences if the data are exposed, copied or deleted? Is there a legal requirement to restrict access? If the need for confidentiality is high, the data should be classified as Category I, and protection should include limited access, encryption and monitoring.

Integrity – Is accuracy of the data critical? Do operations, research or similar actions depend on the reliability and accuracy of the data? If the need for integrity is high, the data should be classified as Category I.

Availability – Are the data needed in critical operations? Would temporary loss of the data cause serious processing delays? If so, the data are to be classified as Category I.

In all cases, if the evaluation finds that the data are of medium sensitivity, or need medium levels of integrity and/or availability, they should be assigned a Category II designation.

All other data (not category I or II) will fall into the third Category.

If you are creating a new system that has Category I data, you should inform the Office of Information Technology, so that plans can be developed for its protection.

Examples

  1. Social Security Numbers: Category I data
    1. Protected from disclosure through BPM 53 of the University of Texas System; should not be collected except when required by law.
    2. Confidentiality is required
    3. Need for Integrity is high
    4. Need for availability is limited (should not be available for most purposes)
  2. Blogs: Category III data
    1. Blogs are open documents, to be shared with the public. Their contents may be subject to change without serious implications for the hosting individual or department. They are not necessary to the ongoing mission of the University and can, therefore, be removed or taken offline temporarily without serious consequence.
    2. Confidentiality is low
    3. Need for Integrity is low
    4. Need for Availability is low
  3. Digital Research Data: Category I
    1. Generally speaking, research data require the highest level of security because of the need for integrity and originality. There may be cases in which the research is not intended for publication, or is of a special nature that permits a classification of Category II.
    2. The University still recommends that all research be protected as though it belongs to Category I.
    3. Confidentiality is high
    4. Need for Integrity is high
    5. Need for Availability is medium

©The University of Texas at San Antonio One UTSA Circle San Antonio TX 78249
Revised: 02/01/2008
Refer Comments to: oit@utsa.edu