Classification of Data
As computing services and systems have expanded throughout the University, so has the need to protect the data used in teaching, administration and research. The University depends heavily on the accuracy, integrity and usability of its data, and it is essential that all data be maintained in an appropriate security environment.
The Data Classification Standard
- Applies to all data created and maintained by all campuses, except where superseded by grant or other contract or by federal copyright law;
- Applies to all authorized users of the University’s computing resources;
- Complies with applicable federal and state laws which govern the privacy and confidentiality of data.
Classification Categories
All institutional data must be categorized into one of the three levels outlined below.
- Public data (Category III below) can be seen by anyone, but it requires protection against unauthorized modification.
- Category II data are sensitive, i.e., only authorized individuals may see or modify the information. Custom access control procedures are required. Improper disclosure may result in harm to the organization or to individuals.
- Category I requires more care than sensitive data. Improper disclosure may result in significant legal or financial harm.
Definitions
To classify your data, be sure you understand these classifications:
| | Category I: High level of sensitivity | Category II: Moderate level of sensitivity | Category III: Low level of sensitivity |
|---|---|---|---|
| Legal Requirements | Protection of data is required by law,* reduces liability and negative publicity | Protection of data will prevent poor business decisions, inaccurate research conclusions, potential liability, and moderate negative publicity | Protection of data will avoid negative publicity |
| Risk | Long-term loss of reputation; Long-term loss of research funding; Long-term loss of critical campus or departmental services; Unauthorized tampering of research data | Short-term loss of reputation; Short-term loss of research funding; Short-term loss of departmental services; Unauthorized tampering of research data | Loss of data with no impact to the university; Inaccurate general information |
| Data examples | Health related research; Personnel information; Financial data; Credit cards; Social Security Numbers; Official transcripts; HR records | Project data; HR data that is not sensitive; Research data or results that are not sensitive; Business transactions that are not sensitive | Institutionally published public data; Academic course descriptions; Directory information |
Examples are non-directory information protected by FERPA or Gramm-Leach-Bliley, donor data, employee data, and University data that are not otherwise protected by statute, but which must be protected due to contractual agreements requiring confidentiality, such as Non Disclosure Agreements.
Some of your data will fit easily into the categories listed above. If you have doubts about the classification, please give your data ratings based on the confidentiality, integrity and availability requirements (CIA) outlined below.
For systems containing mixed categories of data, base your classification on the most confidential data stored in the system. Even if the system stores data that could be made available in response to an open records request or information that is public, the entire system must be protected as appropriate for its most confidential data.
Confidentiality – What are the consequences if the data are exposed, copied or deleted? Is there a legal requirement to restrict access? If the need for confidentiality is high, the data should be classified as Category I, and protection should include limited access, encryption and monitoring.
Integrity – Is accuracy of the data critical? Do operations, research or similar actions depend on the reliability and accuracy of the data? If the need for integrity is high, the data should be classified as Category I.
Availability – Is the data needed in critical operations? Would temporary loss of the data cause serious processing delays? If so, the data is to be classified as Category I.
In all cases, if the evaluation finds that the data are of medium sensitivity or need medium levels of integrity and/or availability, they should be assigned a Category II designation.
All other data (not Category I or II) fall into Category III.
If you are creating a new system that has Category I data, you should inform the Office of Information Technology so that plans can be developed for its protection.
Examples
- Social Security Numbers: Category I data
  - Protected from disclosure through BPM 53 of the University of Texas System; should not be collected except when required by law.
  - Confidentiality is required
  - Need for Integrity is high
  - Need for Availability is limited (should not be available for most purposes)
- Blogs: Category III data
  - Blogs are open documents, to be shared with the public. Their contents may be subject to change without serious implications for the hosting individual or department. They are not necessary to the ongoing mission of the University and can, therefore, be removed or taken offline temporarily without serious consequence.
  - Confidentiality is low
  - Need for Integrity is low
  - Need for Availability is low
- Digital Research Data: Category I
  - Generally speaking, research data requires the highest level of security because of the need for integrity and originality. There may be cases in which the research is not intended for publication, or is of a special nature, that permit a classification of Category II.
  - The University still recommends that all research be protected as though it belongs to Category I.
  - Confidentiality is high
  - Need for Integrity is high
  - Need for Availability is medium
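The rating rules above (any high need gives Category I, any medium need gives Category II, everything else Category III, and a mixed system takes the category of its most sensitive data) can be written as a small check over a data inventory. This is an added example, not part of the University's standard or tooling; the `Need` scale, the function names, and the mapping of "required" to high and "limited" to low are assumptions made for illustration.

```python
from enum import IntEnum

class Need(IntEnum):          # assumed three-step scale for each CIA rating
    LOW = 1
    MEDIUM = 2
    HIGH = 3

# Category I is the most sensitive, Category III the least.
CATEGORY_FOR_NEED = {Need.HIGH: "I", Need.MEDIUM: "II", Need.LOW: "III"}
RANK = {"I": 3, "II": 2, "III": 1}

def classify_data(confidentiality, integrity, availability):
    """One data set: the highest of its three CIA needs decides the category."""
    return CATEGORY_FOR_NEED[max(confidentiality, integrity, availability)]

def classify_system(data_sets):
    """Mixed system: protected as required by its most sensitive data set."""
    if not data_sets:
        raise ValueError("a system with no data sets cannot be classified")
    categories = [classify_data(*cia) for cia in data_sets.values()]
    return max(categories, key=RANK.__getitem__)

def under_classified(inventory):
    """Names of data sets whose declared category is weaker than the ratings require."""
    return [name for name, (declared, cia) in inventory.items()
            if RANK[declared] < RANK[classify_data(*cia)]]

# Ratings for the three examples above ("required" read as HIGH, "limited" as LOW).
PAGE_EXAMPLES = {
    "Social Security Numbers": (Need.HIGH, Need.HIGH, Need.LOW),
    "Blogs": (Need.LOW, Need.LOW, Need.LOW),
    "Digital Research Data": (Need.HIGH, Need.HIGH, Need.MEDIUM),
}

if __name__ == "__main__":
    for name, cia in PAGE_EXAMPLES.items():
        print(f"{name}: Category {classify_data(*cia)}")
    # Constructed inventory: a web server that also holds an SSN export.
    web_server = {"Blogs": PAGE_EXAMPLES["Blogs"],
                  "SSN export": PAGE_EXAMPLES["Social Security Numbers"]}
    print("web server: Category", classify_system(web_server))
```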
Tools
SENF Tool
Nessus Vulnerability Scanner