Institutional Data Classification Guidelines





The Institutional Data Classification Guidelines are methods provided to help Business Owners assess information systems to determine the sensitivity of the data within a system and how to protect that information. It is likely that institutional data will be distributed across processing units both within and outside of the university.


All institutional data must be categorized into one of the three categories above. Business Owners are responsible for categorizing their data appropriately. Based on the data classification level determined, there will be different security practices required to protect the data. This protection can include encryption, access restrictions, access auditing and other security controls. Use the following guidelines to determine which data category is appropriate.

Assessment Criteria

Consider the following examples and scenarios when working to classify Institutional Data:

| | LEVEL I: Low Sensitivity | LEVEL II: Moderately sensitive | LEVEL III: Highly sensitive |
|---|---|---|---|
| Legal Requirements | Protection of the data will avoid negative publicity and/or low to moderate embarrassment to the University | Protection of data will prevent poor business decisions, inaccurate research conclusions, potential liability, and moderate to high negative publicity | Protection of data is required by law/industry (e.g. HIPAA, FERPA, GLBA, FISMA, PCI-DSS), reduces liability, severe negative publicity, and loss of reputation of University |
| Risk | Loss of personal data with no impact to the person or university; Inaccurate general information; Short-term loss of reputation | Short-term loss of reputation; Short-term loss of research funding; Increase in regulatory requirements; Short-term loss of dept. services; Unauthorized tampering of research data | Long-term loss of reputation; Long-term loss of research funding; Increase in regulatory requirements; Long-term loss of critical campus or dept. services; Unauthorized tampering of research data |



Examples of Data Types