Data Classification Guidelines

INTRODUCTION

Information and Educational Technology developed these guidelines to help campus units categorize their information and information systems according to the sensitivity of the data they contain. Categorization will help departments allocate their resources, prioritize the selection and placement of security controls, and ensure that sensitive systems meet baseline security standards.

WHEN SHOULD CLASSIFICATION OCCUR?

According to NIST SP 800-60 (Guide for Mapping Types of Information and Information Systems to Security Categories), classification should occur early in the planning and design of new systems and be revisited at least every three years. If performed early in the development process, classification can help administrators and developers identify and implement security requirements. Periodic reviews will ensure that the classification remains accurate and that the system still meets baseline security standards.

WHO HAS ULTIMATE RESPONSIBILITY?

UC Business and Finance Bulletin IS-2 (Inventory, Classification, and Release of University Electronic Information) defines two critical roles for the classification, collection, and safeguarding of sensitive data:

The Resource Proprietor is the individual with ultimate responsibility for collecting, managing, and sharing the data. Typically, Resource Proprietors will include individuals designated as data owner or data steward.

The Resource Custodian has physical or logical control over the data, performs maintenance activities, or provides other services to the Resource Proprietor. Typically, Resource Custodians will include system administrators, database administrators, and data managers.

Resource Proprietors, in consultation with Resource Custodians, should ensure that systems are correctly categorized and compliant with all federal and state regulations and with all University policies.
OTHER CONSIDERATIONS

While data classification should play a critical role in determining the security requirements for a given system, other factors should also be considered. Systems that perform or support critical business functions, or that require high availability, might warrant stricter standards and requirements. For all systems, consider the potential impact on University assets, operations, and reputation if a loss of confidentiality, availability, or integrity were to occur.

CLASSIFICATION LEVELS

This section outlines three classification levels (high, medium, low). Resource Proprietors should ensure that the selection of security controls is appropriate for the sensitivity of the data they are protecting. Systems that process private or restricted data are inherently more costly to secure and maintain. Whenever possible, avoid the unnecessary use or collection of such data.

Restricted (High Sensitivity)

Systems handling restricted data should have the strictest security requirements. This classification level is reserved for information that would, if inadvertently released, have a significant adverse impact on the University. This includes information protected by state or federal regulations (HIPAA, FERPA, California Civil Code, etc.), University of California policy, or contracts. It also includes credential or session information that can be used to access sensitive data, since compromise of such material is equivalent to compromise of the data it protects. More specific examples follow.

Examples of Restricted Data

- Electronic Protected Health Information (ePHI).
- Credit/debit card information and bank account information.
- Student records that are not part of the campus directory (this includes student IDs).
- Electronic signatures, biometric information, password information, and private encryption keys (depending on use).
- Data covered by non-disclosure agreements, service level agreements, grants, etc.
- Criminal background checks.
- Personally identifying information that, by law, warrants notification if wrongfully disclosed. According to California Civil Code Section 1798.29, this includes:

  "... an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:"

  o Social Security number.
  o Driver's license number or California Identification Card number.
  o Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
  o Medical information.
  o Health insurance information.

  Note that the statutory definition is a combination: a name alone, or one of the listed elements alone, does not meet it, and the notification trigger depends on whether the name or the elements were stored unencrypted.

Private (Medium Sensitivity)

Private should be considered the default classification level for data that is not restricted and has not been explicitly made public.

Examples of Private Data

- Non-public administrative or operational data (e.g., employee evaluations, asset listings and locations).
- Non-restricted research data.
- Information used to validate identity (name plus date of birth, mother's maiden name, etc.).
- E-mail contents.
- Employee information not listed as restricted (home address, telephone number, income tax withholdings, personal email address, race, ethnicity, marital status).

Public (Low Sensitivity)

The lowest data classification level includes data openly available to the public. This might include low-sensitivity data which, when openly distributed, presents no risk to the University. This might also include official University communications and public announcements.

Systems distributing low-sensitivity data can still pose significant risk to the University. Public data needs no confidentiality protection, but its integrity and availability still matter: high-visibility public websites sharing only low-sensitivity data can be targets for individuals seeking to embarrass the University and damage its reputation. Data classification should be used only as a baseline when defining the classification level for an information system.
Depending on the other factors listed above, assessing a system at a higher classification level might be prudent.

Examples of Public Data

- Public directory information.
- Staff and faculty employment information (position, employment start/end dates, salary, office location, office phone number).
- Research publication information.
- Course catalog information.
- Employee ID.
- Intercollegiate sports information (team rosters, statistics, scores, schedules).

For More Information

IS-2: Inventory, Classification, and Release of University Electronic Information
NIST SP 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories