Institutional Data Classification
Purpose:
The University will categorize its data according to a common scheme to ensure compliance with federal, state, and local guidelines.
Statement:
All University data will be assigned one of the following categories:
- LEVEL I Low Sensitivity (“Public”)
- LEVEL II Moderate Sensitivity (“Non-Public/Internal”)
- LEVEL III High Sensitivity (“Confidential/Restricted”)
Description: (NB: Use the materials contained in this policy to assess the risks associated with the data that you regularly access)
Assessment Criteria
Level One
Legal Requirements
- Protection of the data will avoid negative publicity and/or low to moderate embarrassment to the University
Risk
- Loss of personal data with no impact to the person or university
- Inaccurate general information
- Short-term loss of reputation
Data Examples
- Published “white pages”
- Directory information
- Academic course descriptions
- Campus maps (non-floor plans)
- Institutionally published public data
Storage Requirements
- May be stored on local devices, encryption strongly encouraged
Level Two
Legal Requirements
- Protection of data will prevent poor business decisions, inaccurate research conclusions, potential liability, and moderate to high negative publicity.
Risk
- Short-term loss of reputation
- Short-term loss of research funding
- Increase in regulatory requirements
- Short-term loss of dept. services
- Unauthorized tampering of research data
Data Examples
- Human resources not including sensitive data
- Research data or results that are not sensitive
- Business transactions that do not include sensitive data
- Student grade books
- Campus maps with floor plans
Storage Requirements
- May be stored on local devices, encryption required
- Storage in campus network share with defined permissions strongly encouraged.
Level Three
Legal Requirements
- Protection of data is required by law (e.g. HIPAA, FERPA, GLBA data elements, PCI/PII data) and reduces liability, severe negative publicity, and loss of reputation of the University
Risk
- Long-term loss of reputation
- Long-term loss of research funding
- Increase in regulatory requirements
- Long-term loss of critical campus or dept. services
- Unauthorized tampering of research data
Data Examples
- Medical records
- Health related research
- Personnel info
- Financial data
- Credit cards
- Social security numbers
- Official transcripts
- HR Records
- PCI/PII data
Storage Requirements
- May not be stored on local devices under any circumstances
- Storage in campus network share with defined permissions required; encryption of data required
Additional Information:
This policy is based on University of Iowa's Institutional Data Classification Guidelines.
See:
Approved By: Managers and CIO
Date of Origination: 4/15/2008
Updated: 5/1/2012
Last modified at 5/2/2012 11:51 AM by Ramsdell, Nancy