1. Purpose
This standard serves as a supplement to the Information Resources Use and Security Policy, which was drafted in response to Texas Administrative Code 202 and UT System UTS-165. Adherence to the standard will facilitate applying the appropriate security controls to university data.
The objective of this standard is to assist data stewards, IT owners and custodians in the assessment of information systems to determine what level of security is required to protect data on the systems for which they are responsible. The standard divides data into three categories:
- CONFIDENTIAL (historically referred to as Category I)
- CONTROLLED (historically referred to as Category II)
- PUBLISHED (historically referred to as Category III)
This standard exists in addition to all other university policies and federal and state regulations governing the protection of the university's data. Compliance with this classification standard will not ensure that data will be properly secured. Instead, this standard should be integrated into a comprehensive information security plan.
2. Scope
All university data stored, processed, or transmitted on university resources or other resources where university business occurs must be classified into one of the three categories. Based on the data classification you determine for your system, you are required to implement appropriate technical security measures to protect the data consistent with the university Minimum Security Standards. Confidential data has more stringent requirements than Controlled and Published classifications. All systems require some protective measures.
Note: Data that is personal to the operator of a system and stored, processed, or transmitted on a university IT resource as a result of incidental personal use is not considered university data. University data stored on non-university IT resources must still be verifiably protected according to the respective university minimum security standards.
3. Audience
All faculty, staff, student employees, contractors, and vendors working with University of Texas at Austin data.
4. Data Classification Standard
To classify your data, you must start by understanding what the classifications are. There are specific laws and regulations that govern some kinds of data. Additionally, there are situations where you must consider whether the confidentiality, integrity, or availability of the data is a factor. Finally, consider that you may be storing information on more than one system, such as moving data between computers by CD or flash drive, for example. If you rate only your primary computer as Confidential, but not your secondary computer or the transfer media, the secondary computer could put data at risk because it won't be well protected.
Confidential
University data protected specifically by federal or state law or University of Texas rules and regulations (e.g., HIPAA; FERPA; U.S. Export Controlled information; Sarbanes-Oxley; Gramm-Leach-Bliley; the Texas Identity Theft Enforcement and Protection Act; University of Texas System Policies; specific donor and employee data). University data that are not otherwise protected by a known civil statute or regulation, but which must be protected due to contractual agreements requiring confidentiality, integrity, or availability considerations (e.g., Non Disclosure Agreements, Memoranda of Understanding, Service Level Agreements, Granting or Funding Agency Agreements, etc.). See the extended list of Confidential data classification examples for specifics.
[Table: Examples of How Data Can Be Lost / Impact of Confidential Data Loss]
Protect your Confidential data by applying the appropriate Minimum Security Standards.
Controlled
University data not otherwise identified as Confidential data, but which are releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, date of birth, salary, etc.). Such data must be appropriately protected to ensure a controlled and lawful release.
[Table: Examples of How Data Can Be Lost / Impact of Controlled Data Loss]
Protect your Controlled data by applying the appropriate Minimum Security Standards.
Published
University data not otherwise identified as Confidential or Controlled data (e.g., publicly available). Such data have no requirement for confidentiality, integrity, or availability.
[Table: Examples of How Data Can Be Lost / Impact of Published Data Loss]
Protect your Published data by applying the appropriate Minimum Security Standards.
5. Non-Compliance and Exceptions
Non-compliance with these standards may result in revocation of system or network access, notification of supervisors, and reporting to the Office of Internal Audit.
University of Texas at Austin employees are required to comply with both institutional rules and regulations and applicable UT System rules and regulations. In addition to university and System rules and regulations, University of Texas at Austin employees are required to comply with state laws and regulations.
6. Related UT Austin Policies, Procedures, Best Practices and Applicable Laws
The policies and practices listed here inform the system hardening procedures described in this document; you should be familiar with these documents. (This is not an all-inclusive list of policies and procedures that affect information technology resources.)
7. Revision History
- 08/24/2015: Aligned classification names with those of UT System's new convention. Previous text: Category I-II-III --> Confidential, Controlled, Published.
- 06/24/2013: Reviewed and fixed broken links.
- 06/19/2013: Converted back to HTML.
- 2/9/2011: Clarified language to bring consistency across policies and standards regarding systems that store, process, or transmit sensitive data, as well as with industry standards and government regulations such as PCI and HIPAA. Previous text:
  - "All university data stored on university resources or other resources where university business occurs must be classified into one of the three categories. Based on the data classification you determine for your system, you are required to implement appropriate technical security measures to protect the data consistent with the university Minimum Security Standards. Category-I data has more stringent requirements than Categories II and III. All systems require some protective measures."
  - "Note: Data that is personal to the operator of a system and stored on a university IT resource as a result of incidental personal use is not considered university data. University data stored on non-university IT resources must still be verifiably protected according to the respective university minimum security standards."
  - "V. Using C-I-A to Help Classify Data for Which You Are Responsible: To determine the level of protections applied to a system, base your classification on the most confidential data stored in the system. A positive response to the highest category in ANY row is sufficient to place the data into that respective category. Even if the system stores data that could be made available in response to an open records request or information that is public, the entire system must still be protected based on the most confidential data."
- 11/12/2009: Added UIN to the extended list of Category-I data classification examples. This change was approved by Legal Affairs.
- 10/1/2009: Updated visual appearance to new template. Corrected any out of date links to ensure they are pointing to the most current policy documents. Changed reference in section IV. Data Classification Standard to "University of Texas System Policies". Previous text: "University of Texas System Business Procedure Memoranda."
- 5/03/2007: Removed the "Funding / sponsorship information" item from the extended list of Category-I data classification examples. This change was approved by Legal Affairs. Previous text: "Funding / sponsorship information"
- (undated): Reorganized content to match other standards documents. Added note in Scope section about personal data stored on a university IT resource. Previous text: Same, just organized into appropriate sections.
- 11/20/2006: Title changed to "Data Classification Standard" to reflect that this is a requirement. Edited "Guideline" to "Standard" throughout the document and propagated change to all policy documents. Previous text: "Data Classification Guidelines"
- 10/24/2006: New introduction. Revised so definitions are clearly identifiable and tied to what will be in the Handbook of Operating Procedures. Split example from grid for evaluating data. Previous text: Entire document has changed. Examples and lists of data that are protected have not changed.
8. Approvals
| Role | Action | Name | Date |
|---|---|---|---|
| Chief Information Security Officer | Approval | Cam Beasley | September 24, 2015 |