Data Classification Standards
Context for Data Classification Standards
The University of Alaska (UA) generates, acquires, and maintains a large number of electronic records. In addition, UA often enters into relationships with third parties who maintain electronic records and information associated with these relationships. UA, as well as its affiliates, are often legally required to limit access to, distribution of, and/or disclosure of electronic records and information.
Proper protection of data is determined by a combination of compliance requirements mandated by Board of Regents policy, State and Federal statutes and regulations, institutional risk management policies, and accepted best practices. The approach taken at UA is to first adopt a classification scheme for all data and then establish appropriate measures to protect it. A separate document will recommend best practices and measures to provide appropriate protection for each class of data.
Data classification standards help the people who own and maintain information resources and systems to determine the sensitivity of the data within those systems. These standards should be read and applied in conjunction with the UA Information Systems Security Policy (TBD) and the UA Minimum Computer Security Standards (TBD) (http://www.alaska.edu/itsecurity/standards). These three documents are designed to prevent the following:
• Unauthorized internal access to electronic information
• Unauthorized external access to electronic information
• Illegal or otherwise inappropriate use of UA electronic information
• Loss, corruption, or theft of UA electronic information
This classification standard applies to all data associated with UA business; to any other data caches located at any UA entity and covered by statutory or regulatory compliance requirements; and to data caches on the information systems of UA affiliates. Data associated with UA-hosted research that represent significant intellectual property interests are subject to this standard and may be subject to other specific protective requirements.
Questions about the applicability of this standard can be forwarded to the UA Chief Information Security Officer for review by the Compliance Assurance and System Security Council (CASS).
The target audience for these standards includes all individuals who have access to and use UA information systems and data, particularly UA systems owners and designated data custodians who have special responsibilities under the standards.
Data Classification Categories
The nature of any particular data set largely determines what measures and operational practices need to be applied to protect it. To help clarify the specific minimum requirements for UA data security, three classes of data are defined. The people who are accountable for protecting the data must understand and inventory their data assets according to these categories.
- Restricted Data: Data classified as restricted maybe subject to disclosure laws and warrant careful management and protection to ensure its integrity, appropriate access, and availability. This information is considered private and must be guarded from disclosure. Unauthorized exposure of this information could contribute to ID theft or financial fraud and violate State and Federal law. Unauthorized disclosure of restricted data could adversely affect the university or the interests of individuals and organizations associated with the university.
- Internal Use Data: This class encompasses information that is generally not available to parties outside the University of Alaska community such as non-directory listings, minutes from non-confidential meetings, and internal websites. Public disclosure of this information would cause minimal trouble or embarrassment to the institution. The university may have a duty to make this data available on demand under the Alaska Public Record Act (AS 40.25.110).
- Public Data: Public data is data published for public use or has been approved for general access by the appropriate UA authority.
In most cases categorizing the data will be obvious. When in doubt about how a particular data element or data set is classified, data custodians should use caution by defaulting to the higher class of the choices involved. In other words, it is better to err on the side of privacy and security protection until clarification is obtained.
The source data used to produce important reports, such as UA financial records, are treated as restricted or internal use even though the reports created from them are treated as public information. Data classification questions may be forwarded to the UA Chief Information Security Officer for review by the Compliance Assurance Systems Security Council (CASS).
The table below clarifies the nature of each data category and provides criteria for determining which classification is appropriate for a particular set of data. When using this table, a positive response for the most restrictive (highest risk) category in any row is sufficient to place that set of data into that category.
|Data Classification Categories|
|Legal Requirements||Protection of data is required by law or best practices.||UA has best practice (due care) reasons to protect data.||Data approved for general access by appropriate UA authority.|
|Concequences of Exposure||The University’s reputation is tarnished by public reports of its failures to protect restricted records of students, employees, clients, or research. Such failure may subject the University to litigation.||Data is disclosed unnecessarily or in an untimely fashion, which causes harm to UA business interests or to the personal interests of an individual.||Confusion is caused by corrupted information about enrollment and tuition that is displayed on the official UA web site.|
Examples of Specific Data
|● Protected data when associated with a health records|
● Individual student records
● Research – EAR, export controls, ITAR, TCP, safeguarding confidential information
|● Employee Internet usage|
● Specific technical security measures
● UA employee business-related email (including student employees, but only their work-related email)
● Location of assets
|● Campus promotional material|
● Annual reports
● Press statements
● Job titles
● Job descriptions
● Employee work phone numbers (with special exceptions)