
Institutional Data Classification

Purpose:

The University will categorize its data according to a common scheme to ensure compliance with federal, state, and local guidelines.

 

Statement:

All University data will be assigned one of the following categories:
 
  • LEVEL I Low Sensitivity (“Public”)
  • LEVEL II Moderate Sensitivity (“Non-Public/Internal”)
  • LEVEL III High Sensitivity (“Confidential/Restricted”)

 

Description:
(NB: Use the materials contained in this policy to assess the risks associated with the data that you regularly access)

Assessment Criteria
 
Level One
Legal Requirements
  • Protection of the data will avoid negative publicity and/or low to moderate embarrassment to the University
Risk
  • Loss of personal data with no impact to the person or University
  • Inaccurate general information
  • Short-term loss of reputation
 
Data Examples
  • Published “white pages”
  • Directory information
  • Academic course descriptions
  • Campus maps (non-floor plans)
  • Institutionally published public data
 
Storage Requirements
  • May be stored on local devices, encryption strongly encouraged
 
Level Two
Legal Requirements
  • Protection of data will prevent poor business decisions, inaccurate research conclusions, potential liability, and moderate to high negative publicity
Risk
  • Short-term loss of reputation
  • Short-term loss of research funding
  • Increase in regulatory requirements
  • Short-term loss of dept. services
  • Unauthorized tampering of research data
 
Data Examples
  • Project data
  • Human resources not including sensitive data
  • Research data or results that are not sensitive
  • Business transactions that do not include sensitive data
  • Student grade books
  • Campus Maps w/Floor Plans
 
Storage Requirements
  • May be stored on local devices, encryption required
  • Storage in campus network share with defined permissions strongly encouraged

Level Three
Legal Requirements
  • Protection of data is required by law (e.g. HIPAA, FERPA, GLBA data elements, PCI/PII data) and reduces liability, severe negative publicity, and loss of reputation of the University
  
Risk
  • Long-term loss of reputation
  • Long-term loss of research funding
  • Increase in regulatory requirements
  • Long-term loss of critical campus or dept. services
  • Unauthorized tampering of research data
 
Data Examples
  • Medical records
  • Health related research
  • Personnel info
  • Financial data
  • Credit cards
  • Social security numbers
  • Official transcripts
  • HR Records
  • PCI/PII data
 
 
Storage Requirements
  • May not be stored on local devices under any circumstances
  • Storage in campus network share with defined permission required; encryption of data required
 

Additional Information:

This policy is based on University of Iowa's Institutional Data Classification Guidelines.
 
See: 

 

Approved By: Managers and CIO

 

Date of Origination: 4/15/2008

 

Updated: 5/1/2012

Last modified at 5/2/2012 11:51 AM by Ramsdell, Nancy