This standard serves as a supplement to the Information Resources Use and Security Policy, which was drafted in response to Texas Administrative Code 202 and UT System UTS-165. Adherence to the standard will facilitate applying the appropriate security controls to university data.
This standard exists in addition to all other university policies and federal and state regulations governing the protection of the university's data. Compliance with this classification standard will not ensure that data will be properly secured. Instead, this standard should be integrated into a comprehensive information security plan.
Controlled
University data not otherwise identified as Confidential, and:
- Data not publicly available, and
- Data releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, date of birth, salary, etc.)

Confidential
University data that is:
- Protected specifically by federal or state law, or
- Protected by University of Texas rules and regulations, or
- Not otherwise protected by a known civil statute or regulation, but which must be protected due to contractual agreements requiring confidentiality, integrity, or availability considerations
Data Classification Examples
Use the examples below to determine which classification is appropriate for a given type of data. When data falls into multiple categories, use the highest classification.

Controlled data examples:
- Employee names
- Employee salary information
- Employee performance review information
- Unpublished research data (at data owner's discretion)
- Non-public UT Austin policies and policy manuals
- Internal memos and email

Confidential data examples:
- Social Security numbers
- Access device numbers (ISO number, building access code, etc.)
- Biometric identifiers (eye images, full face images, fingerprints, etc.)
- Date of birth
- Driver's license numbers
- Passport and visa numbers
- Personal vehicle information
- Financial information and records (credit card numbers, account numbers, etc.), including non-UT income level and sources
- Information pertaining to the Office of Institutional Relations and Legal Affairs
- Certain management information
- User account passwords
- User Identification Number (UIN)
- Health Information, including Protected Health Information (PHI)
- Health Insurance policy ID numbers
- Export controlled information
- Physical plant and critical infrastructure detail: Engineering, design, and operational information on UT Austin infrastructure
Extended List of Confidential Data:
- Patient names, street address, city, county, zip code, telephone / fax numbers
- Dates (except year) related to an individual, account / medical record numbers, health plan beneficiary numbers
- PHI-related certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses
- Any other unique identifying number, characteristic, or code
- Payment Guarantor's information
- Grades (including test scores, assignments, and class grades)
- Student financials, credit cards, bank accounts, wire transfers, payment history, financial aid/grants, bills
- Name, directory address and phone number, mailing address, secondary mailing or permanent address, residence assignment and room or apartment number, campus office address (for graduate students)
- Place of birth
- Electronic mail address
- Specific semesters of registration at UT Austin; UT Austin degree(s) awarded and date(s); major(s), minor(s), and field(s); university degree honors
- Institution attended immediately prior to UT Austin
- ID card photographs for course instructor use
- Alumni/Donor Information
  - Family information
  - Amount / what donated
  - Other non-public gift information
  - Telephone / fax numbers, e-mail, URLs
- Research Information
  - Human subject information. See the Institutional Review Board for more information.
  - Sensitive digital research data
  - Export Controlled Information: information or technology controlled under International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR), required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of a controlled item or product, including blueprints, drawings, photographs, plans, instructions or documentation.
    - Classified information relating to defense articles and defense services
    - Information covered by an invention secrecy order
    - Software directly related to a controlled item
- UT Employee Information
  - Insurance benefit information
  - Family information, home address, and home phone number may be revealed unless restricted by the employee. UT Austin employees can restrict this information in UT Direct.
- Business/Vendor Data
  - Contract information (between UT Austin and a third party)
  - NDA-protected certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses
Server and Application Data Examples
A server is any program that provides services to (programs on) other devices. A computer running a server program is frequently referred to as a server, though it may also be running other client (and server) programs. See the Server Hardening Guides.
An application is any software that handles data at UT Austin. See the Minimum Security Standards for Application Development and Administration.

Controlled:
- Web server with non-Confidential content behind EID login
- Human Resources application that stores salary information

Confidential:
- Web server hosting Confidential data such as, but not limited to:
  - HIPAA data
  - FERPA data
  - ITAR data
  - PCI data
  - Financial data
The policies listed here inform this document; you should be familiar with these policies.
- Information Resources Use and Security Policy
- UT Austin Acceptable Use Policy
- UT System (UTS 165) Information Resources Use and Security Policy
This is not an all-inclusive list of policies and procedures that affect information technology resources.
All university data stored on university resources or other resources where university business occurs must be classified into one of the three categories. Based on the data classification you determine for your system, you are required to implement appropriate technical security measures to protect the data consistent with the university Minimum Security Standards. Category-I data has more stringent requirements than Categories II and III. All systems require some protective measures.
Note: Data that is personal to the operator of a system and stored on a university IT resource as a result of incidental personal use is not considered university data. University data stored on non-university IT resources must still be verifiably protected according to the respective university minimum security standards.

V. Using C-I-A to Help Classify Data for Which You Are Responsible:
To determine the level of protections applied to a system, base your classification on the most confidential data stored in the system. A positive response to the highest category in ANY row is sufficient to place the data into that respective category. Even if the system stores data that could be made available in response to an open records request or information that is public, the entire system must still be protected based on the most confidential data.

| Date | Change | Previous text / notes |
|---|---|---|
| 05/23/2018 | Updated visual style; credit to Stanford's Risk Classification list. Consolidated with extended list of Confidential Data page. | |
| 08/24/2015 | Aligned classification names with those of UT System's new convention. | Category I-II-III --> Confidential, Controlled, Published. |
| 06/24/2013 | Reviewed and fixed broken links. | |
| 06/19/2013 | Converted back to HTML. | |
| 2/9/2011 | Clarified language to bring consistency across policies and standards regarding systems that store, process, or transmit sensitive data, as well as with industry standards and government regulations such as PCI and HIPAA. | |
| 11/12/2009 | Added UIN to the extended list of Category-I data classification examples. This change was approved by Legal Affairs. | |
| 10/1/2009 | Updated visual appearance to new template. Corrected any out of date links to ensure they are pointing to the most current policy documents. Changed reference in section IV. Data Classification Standard to "University of Texas System Policies". | "University of Texas System Business Procedure Memoranda." |
| 5/03/2007 | Removed the "Funding / sponsorship information" item from the extended list of Category-I data classification examples. This change was approved by Legal Affairs. | Funding / sponsorship information |
| | Reorganized content to match other standards documents. Added note in Scope section about personal data stored on a university IT resource. | Same, just organized into appropriate sections. |
| 11/20/2006 | Title changed to "Data Classification Standard" to reflect that this is a requirement. Edited "Guideline" to "Standard" throughout the document and propagated change to all policy documents. | "Data Classification Guidelines" |
| 10/24/2006 | New introduction. Revised so definitions are clearly identifiable and tied to what will be in the Handbook of Operating Procedures. Split example from grid for evaluating data. | Entire document has changed. Examples and lists of data that are protected have not changed. |

| Role | Action | Name | Date |
|---|---|---|---|
| Chief Information Security Officer | Approval | Cam Beasley | September 24, 2015 |