Table of Contents

Overview

This standard serves as a supplement to the Information Resources Use and Security Policy, which was drafted in response to Texas Administrative Code 202 and UT System UTS-165. Adherence to the standard will facilitate applying the appropriate security controls to university data. 

This standard exists in addition to all other university policies and federal and state regulations governing the protection of the university's data. Compliance with this classification standard will not ensure that data will be properly secured. Instead, this standard should be integrated into a comprehensive information security plan.

Published

University data not otherwise identified as Confidential or Controlled data, and: 

  1. The data is publicly available, and
  2. Such data have no requirement for confidentiality, integrity, or availability

 

Controlled

University data not otherwise identified as Confidential, and:

  1. Data not publicly available, and
  2. Data releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, date of birth, salary, etc.)

 

Confidential

University data that is:

  1. Protected specifically by federal or state law or
  2. Protected by University of Texas rules and regulations
  3. Data not otherwise protected by a known civil statute or regulation, but which must be protected due to contractual agreements requiring confidentiality, integrity, or availability considerations

 

Data Classification Examples

Use the examples below to determine which classification is appropriate for a given type of data. When data falls into multiple categories, use the highest classification.

View Minimum Security Standards for Systems

Published

  • Research data (at data owner's discretion)
  • Information authorized to be available on or through UT Austin's website without EID authentication
  • Policy and procedure manuals designated by the owner as public
  • Job postings
  • University directory information
  • Information in the public domain
  • Publicly available campus maps

 

Controlled

  • Employee names
  • Employee salary information
  • Employee performance review information
  • Unpublished research data (at data owner's discretion)
  • Non-public UT Austin policies and policy manuals
  • Internal memos and email

 

Confidential

  • Social Security numbers
  • Access device numbers (ISO number, building access code, etc.)
  • Biometric identifiers (eye images, full face images, fingerprints, etc.)
  • Date of birth
  • Driver's license numbers
  • Passport and visa numbers
  • Personal vehicle information
  • Financial information and records (credit card numbers, account numbers, etc.), including non-UT income level and sources
  • Information pertaining to the Office of Institutional Relations and Legal Affairs
  • Contracts
  • Certain management information
  • User account passwords
  • User Identification Number (UIN)
  • Health Information, including Protected Health Information (PHI)
  • Health Insurance policy ID numbers
  • Export controlled information
  • Physical plant and critical infrastructure detail: Engineering, design, and operational information on UT Austin infrastructure

There are additional types of Confidential Data; see below.

Extended List of Confidential Data:

HIPAA

  • Patient names, street address, city, county, zip code, telephone / fax numbers
  • Dates (except year) related to an individual, account / medical record numbers, health plan beneficiary numbers
  • PHI-related certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses
  • Any other unique identifying number, characteristic, or code
  • Payment Guarantor's information

FERPA

  • Grades (including test scores, assignments, and class grades)
  • Student financials, credit cards, bank accounts, wire transfers, payment history, financial aid/grants, bills

Note that for enrolled students, the following data may ordinarily be revealed by the university without student consent unless the student designates otherwise:

  • Name, directory address and phone number, mailing address, secondary mailing or permanent address, residence assignment and room or apartment number, campus office address (for graduate students)
  • Place of birth
  • Electronic mail address
  • Specific semesters of registration at UT Austin; UT Austin degree(s) awarded and date(s); major(s), minor(s), and field(s); university degree honors
  • Institution attended immediately prior to UT Austin
  • ID card photographs for course instructor use

For more information, see the UT Austin FERPA Web Page.

Alumni/Donor Information

  • Name
  • Family information
  • Amount / what donated
  • Other non-public gift information
  • Telephone / fax numbers, e-mail, URLs

Research Information

  • Human subject information. See the Institutional Review Board for more information.
  • Sensitive digital research data
  • Export Controlled Information – Information or technology controlled under International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR), required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of a controlled item or product, including blueprints, drawings, photographs, plans, instructions or documentation.
  • Classified information relating to defense articles and defense services;
  • Information covered by an invention secrecy order;
  • Software directly related to a controlled item;

This does not include information concerning general scientific, mathematical or engineering principles commonly taught in schools, colleges and universities or information in the public domain, nor basic marketing information on function or purpose or general system descriptions of an article or product.

UT Employee Information

  • Insurance benefit information
  • Family information, home address, and home phone number may be revealed unless restricted by the employee. UT Austin employees can restrict this information in UT Direct.

There can be confusion over which rules apply when an employee is also a student. The rule of thumb is that the student rules apply when the employee is in a student job title.

Business/Vendor Data

  • Contract information (between UT Austin and a third party)
  • NDA-protected certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses

Server and Application Data Examples

A server is any program that provides services to (programs on) other devices. A computer running a server program is frequently referred to as a server, though it may also be running other client (and server) programs.
View Server Hardening Guides

An application is any software that handles data at UT Austin.
View Minimum Security Standards for Application Development and Administration

Published

  • Public facing web server: All content is available without EID login and doesn't fall under Controlled or Confidential definitions.
  • Online maps
  • University online catalog displaying academic course descriptions
  • Bus schedules

       

    Controlled

    • Web server with non-Confidential content behind EID login.
    • Human Resources application that stores salary information

     

    Confidential

    Web server hosting Confidential data such as, but not limited to:

    • SSNs
    • HIPAA data
    • FERPA data
    • ITAR data
    • PCI data
    • Financial data

     

    Related Policies and Regulations

    The policies listed here inform this document; you should be familiar with these policies.

    This is not an all-inclusive list of policies and procedures that affect information technology resources.

    Revision History

    Version Date New Original
      05/23/2018 Updated visual style; credit to Stanford's Risk Classification list. Consolidated with extended list of Confidential Data page.  
      08/24/2015 Aligned classification names with those of UT System's new convention. Category I-II-III --> Confidential, Controlled, Published.

     

    		 06/24/2013 Reviewed and fixed broken links  
      06/19/2013 Converted back to html  
      2/9/2011 Clarified language to bring consistency across policies and standards regarding systems that store, process, or transmit sensitive data, as well as with industry standards and government regulations such as PCI and HIPAA.

    II. Scope:

     

    All university data stored on university resources or other resources where university business occurs must be classified into one of the three categories. Based on the data classification you determine for your system, you are required to implement appropriate technical security measures to protect the data consistent with the university Minimum Security Standards. Category-I data has more stringent requirements than Categories II and III. All systems require some protective measures. 

    Note: Data that is personal to the operator of a system and stored on a university IT resource as a result of incidental personal use is not considered university data. University data stored on non-university IT resources must still be verifiably protected according to the respective university minimum security standards.

     

    V. Using C-I-A to Help Classify Data for Which You Are Responsible:

     

    To determine the level of protections applied to a system, base your classification on the most confidential data stored in the system. A positive response to the highest category in ANY row is sufficient to place the data into that respective category. Even if the system stores data that could be made available in response to an open records request or information that is public, the entire system must still be protected based on the most confidential data.
      11/12/2009 Added UIN to the extended list of Category-I data classification examples. This change was approved by Legal Affairs.  
      10/1/2009 Updated visual appearance to new template. Corrected any out of date links to ensure they are pointing to the most current policy documents.  
      9/14/2007

    Changed reference in section IV. Data Classification Standard to "University of Texas System Policies"

     

    Updated template.

    "BMP 53"

     

    "University of Texas System Business Procedure Memoranda."
      5/03/2007 Removed the "Funding / sponsorship information" item from the extended list of Category-I data classification examples. This change was approved by Legal Affairs.  
      4/16/2007

    Funding / sponsorship information

     

    Reorganized content to match other standards documents.

     

    Added note in Scope section about personal data stored on a university IT resource.

    		 Same, just organized into appropriate sections.

     

    New content.
      11/20/2006 Title changed to "Data Classification Standard" to reflect that this is a requirement. Edited "Guideline" to "Standard" throughout the document and propagated change to all policy documents.

    "Data Classification Guidelines"
      10/24/2006 New introduction. Revised so definitions are clearly identifiable and tied to what will be in the Handbook of Operating Procedures. Split example from grid for evaluating data.

    Entire document has changed. Examples and lists of data that are protected have not changed.

    Approvals

    Name Role Members Date
    Chief Information Security Officer Approval Cam Beasley

    September 24, 2015