Overview
This standard serves as a supplement to the Information Resources Use and Security Policy, which was drafted in response to Texas Administrative Code 202 and UT System UTS-165. Adherence to the standard will facilitate applying the appropriate security controls to university data.
This standard exists in addition to all other university policies and federal and state regulations governing the protection of the university's data. Compliance with this classification standard will not ensure that data will be properly secured. Instead, this standard should be integrated into a comprehensive information security plan.
Published
University data not otherwise identified as Confidential or Controlled data, and:
- The data is publicly available, and
- Such data have no requirement for confidentiality, integrity, or availability
Controlled
University data not otherwise identified as Confidential, and:
- Data not publicly available, and
- Data releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, place of birth, salary, etc.)
Confidential
University data that is:
- Protected specifically by federal or state law or
- Protected by University of Texas rules and regulations
- Data not otherwise protected by a known civil statute or regulation, but which must be protected due to contractual agreements requiring confidentiality, integrity, or availability considerations
Published
- Research data (at data owner's discretion)
- Information authorized to be available on or through UT Austin's website without EID authentication
- Policy and procedure manuals designated by the owner as public
- Job postings
- University directory information
- Information in the public domain
- Publicly available campus maps
Controlled
- Employee names
- Employee salary information
- Employee performance review information
- Unpublished research data (at data owner's discretion)
- Non-public UT Austin policies and policy manuals
- Internal memos and email
Confidential
- Social Security numbers
- Access device numbers (ISO number, building access code, etc.)
- Biometric identifiers (eye images, full face images, fingerprints, etc.)
- Date of birth
- Driver's license numbers
- Passport and visa numbers
- Personal vehicle information
- Financial information and records (credit card numbers, account numbers, etc.), including non-UT income level and sources
- Information pertaining to the Office of Institutional Relations and Legal Affairs
- Contracts
- Certain management information
- User account passwords
- User Identification Number (UIN)
- Health Information, including Protected Health Information (PHI)
- Health Insurance policy ID numbers
- Export controlled information
- Physical plant and critical infrastructure detail: Engineering, design, and operational information on UT Austin infrastructure
There are additional types of Confidential Data; see below.
Extended List of Confidential Data:
HIPAA
- Patient names, street address, city, county, zip code, telephone / fax numbers
- Dates (except year) related to an individual, account / medical record numbers, health plan beneficiary numbers
- PHI-related certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses
- Any other unique identifying number, characteristic, or code
- Payment Guarantor's information
FERPA
- Grades (including test scores, assignments, and class grades)
- Student financials, credit cards, bank accounts, wire transfers, payment history, financial aid/grants, bills
Note that for enrolled students, the following data may ordinarily be revealed by the university without student consent unless the student designates otherwise:
- Name, directory address and phone number, mailing address, secondary mailing or permanent address, residence assignment and room or apartment number, campus office address (for graduate students)
- Place of birth
- Electronic mail address
- Specific semesters of registration at UT Austin; UT Austin degree(s) awarded and date(s); major(s), minor(s), and field(s); university degree honors
- Institution attended immediately prior to UT Austin
- ID card photographs for course instructor use
For more information, see the UT Austin FERPA Web Page.
Alumni/Donor Information
- Name
- Family information
- Amount / what donated
- Other non-public gift information
- Telephone / fax numbers, e-mail, URLs
Research Information
- Human subject information. See the Institutional Review Board for more information.
- Sensitive digital research data
- Export Controlled Information – Information or technology controlled under International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR), required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of a controlled item or product, including blueprints, drawings, photographs, plans, instructions or documentation.
- Classified information relating to defense articles and defense services;
- Information covered by an invention secrecy order;
- Software directly related to a controlled item;
This does not include information concerning general scientific, mathematical or engineering principles commonly taught in schools, colleges and universities or information in the public domain, nor basic marketing information on function or purpose or general system descriptions of an article or product.
UT Employee Information
- Insurance benefit information
- Family information, home address, and home phone number may be revealed unless restricted by the employee. UT Austin employees can restrict this information in UT Direct.
There can be confusion over which rules apply when an employee is also a student. The rule of thumb is that the student rules apply when the employee is in a student job title.
Business/Vendor Data
- Contract information (between UT Austin and a third party)
- NDA-protected certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses
Server and Application Data Examples
A server is any program that provides services to (programs on) other devices. A computer running a server program is frequently referred to as a server, though it may also be running other client (and server) programs.
View Server Hardening Guides
An application is any software that handles data at UT Austin.
View Minimum Security Standards for Application Development and Administration
Published
- Public facing web server: All content is available without EID login and doesn't fall under Controlled or Confidential definitions.
- Online maps
- University online catalog displaying academic course descriptions
Bus schedules
Controlled
- Web server with non-Confidential content behind EID login.
- Human Resources application that stores salary information
Confidential
Web server hosting Confidential data such as, but not limited to:
- SSNs
- HIPAA data
- FERPA data
- ITAR data
- PCI data
- Financial data
The policies listed here inform this document; you should be familiar with these policies.
- Information Resources Use and Security Policy
- UT Austin Acceptable Use Policy
- UT System (UTS 165) Information Resources Use and Security Policy
This is not an all-inclusive list of policies and procedures that affect information technology resources.
Revision History
| Version | Date | New | Original |
|---|---|---|---|
| 11/20/2024 | Updated Controlled data criteria to indicate place of birth instead of date of birth | ||
| 05/23/2018 | Updated visual style; credit to Stanford's Risk Classification list. Consolidated with extended list of Confidential Data page. | ||
| 08/24/2015 | Aligned classification names with those of UT System's new convention. | Category I-II-III --> Confidential, Controlled, Published. | |
| 06/24/2013 | Reviewed and fixed broken links | ||
| 06/19/2013 | Converted back to html | ||
| 2/9/2011 | Clarified language to bring consistency across policies and standards regarding systems that store, process, or transmit sensitive data, as well as with industry standards and government regulations such as PCI and HIPAA. | II. Scope:
All university data stored on university resources or other resources where university business occurs must be classified into one of the three categories. Based on the data classification you determine for your system, you are required to implement appropriate technical security measures to protect the data consistent with the university Minimum Security Standards. Category-I data has more stringent requirements than Categories II and III. All systems require some protective measures. Note: Data that is personal to the operator of a system and stored on a university IT resource as a result of incidental personal use is not considered university data. University data stored on non-university IT resources must still be verifiably protected according to the respective university minimum security standards.
V. Using C-I-A to Help Classify Data for Which You Are Responsible:
To determine the level of protections applied to a system, base your classification on the most confidential data stored in the system. A positive response to the highest category in ANY row is sufficient to place the data into that respective category. Even if the system stores data that could be made available in response to an open records request or information that is public, the entire system must still be protected based on the most confidential data. | |
| 11/12/2009 | Added UIN to the extended list of Category-I data classification examples. This change was approved by Legal Affairs. | ||
| 10/1/2009 | Updated visual appearance to new template. Corrected any out of date links to ensure they are pointing to the most current policy documents. | ||
| 9/14/2007 | Changed reference in section IV. Data Classification Standard to "University of Texas System Policies"
Updated template. | "BMP 53"
"University of Texas System Business Procedure Memoranda." | |
| 5/03/2007 | Removed the "Funding / sponsorship information" item from the extended list of Category-I data classification examples. This change was approved by Legal Affairs. | ||
| 4/16/2007 | Funding / sponsorship information
Reorganized content to match other standards documents.
Added note in Scope section about personal data stored on a university IT resource. | Same, just organized into appropriate sections.
New content. | |
| 11/20/2006 | Title changed to "Data Classification Standard" to reflect that this is a requirement. Edited "Guideline" to "Standard" throughout the document and propagated change to all policy documents. | "Data Classification Guidelines" | |
| 10/24/2006 | New introduction. Revised so definitions are clearly identifiable and tied to what will be in the Handbook of Operating Procedures. Split example from grid for evaluating data. | Entire document has changed. Examples and lists of data that are protected have not changed. |
Approvals
| Name | Role | Members | Date |
| Chief Information Security Officer | Approval | Cam Beasley | September 24, 2015 |