One West University Boulevard, Brownsville, Texas 78520 | 956-882-8200

Data Classification Standard

Purpose

Scope

Audience

Data Classification Standard

Using C-I-A to Help Classify Data for Which You Are Responsible

Non-Compliance and Exceptions

Related UTB/TSC Policies 


I. Purpose


This standard serves as a supplement to the Information Resources Use and Security Policy, which was drafted in response to Texas Administrative Code 202 and UT System UTS-165. Adherence to the standard will facilitate applying the appropriate security controls to university data.

The objective of this standard is to assist data stewards, IT owners and custodians in the assessment of information systems to determine what level of security is required to protect data on the systems for which they are responsible. The standard divides data into three categories:

  • Category A
  • Category B
  • Category C

This standard exists in addition to all other university policies and federal and state regulations governing the protection of the university’s data. Compliance with this classification standard will not ensure that data will be properly secured. Instead, this standard should be integrated into a comprehensive information security plan.


II. Scope


All university data stored on university resources or other resources where university business occurs must be classified into one of the three categories. Based on the data classification you determine for your system, you are required to implement appropriate technical security measures to protect the data consistent with the university Minimum Security Standards. Category A data has more stringent requirements than Categories B and C. All systems require some protective measures.

Note: Data that is personal to the operator of a system and stored on a university IT resource as a result of incidental personal use is not considered university data. University data stored on non-university IT resources must still be verifiably protected according to the respective university minimum security standards.


III. Audience


All faculty, staff, student employees, contractors, and vendors working with UTB/TSC data.


IV. Data Classification Standard


To classify your data, you must start by understanding what the classifications are. There are specific laws and regulations that govern some kinds of data. Additionally, there are situations where you must consider whether the confidentiality, integrity, or availability of the data is a factor. Finally, consider that you may be storing information on more than one system, such as moving data between computers by CD or flash drive, for example. If you rate only your primary computer as Category A, but not your secondary computer or the transfer media, the secondary computer could put data at risk because it won't be well protected.

Category A Data


University data protected specifically by federal or state law or University of Texas rules and regulations (e.g., HIPAA; FERPA; Sarbanes-Oxley; Gramm-Leach-Bliley; the Texas Identity Theft Enforcement and Protection Act; University of Texas System policies; specific donor and employee data). University data that are not otherwise protected by a known civil statute or regulation, but which must be protected due to contractual agreements requiring confidentiality, integrity, or availability considerations (e.g., Non-Disclosure Agreements, Memoranda of Understanding, Service Level Agreements, Granting or Funding Agency Agreements, etc.). See the extended list of Category A data classification examples for specifics.


Examples of How Data Can Be Lost

  • Laptop or other data storage system stolen from car.
  • Research Assistant accesses system after leaving research project because passwords aren't changed.
  • Unauthorized visitor walks into unlocked lab and steals equipment or accesses unsecured computer.
  • Unsecured application on a networked computer is hacked and data stolen.

Impact of Category A Data Loss

  • Long-term loss of research funding from granting agencies.
  • Long-term loss of reputation. Published research called into question because data is unreliable.
  • Unauthorized tampering of research data.
  • Increase in regulatory requirements.
  • Long-term loss of critical campus or departmental service.
  • Individuals put at risk for identity theft.

Protect your Category A data by applying the appropriate Minimum Security Standards.

Category B Data


University data not otherwise identified as Category A data, but which are releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, date of birth, salary, etc.). Such data must be appropriately protected to ensure a controlled and lawful release.

Examples of How Data Can Be Lost

In addition to the above scenarios...

  • Staff member wanting to be helpful releases information they are not authorized to share.

Impact of Category B Data Loss

  • Short-term loss of reputation.
  • Short-term loss of research funding.
  • Short-term loss of critical departmental service.
  • Unauthorized tampering of research data.
  • Individuals put at risk for identity theft.

Protect your Category B data by applying the appropriate Minimum Security Standards.

Category C Data


University data not otherwise identified as Category A or Category B data (e.g., publicly available). Such data have no requirement for confidentiality, integrity, or availability.

Examples of How Data Can Be Lost

See the above scenarios.

Impact of Category C Data Loss

  • Loss of use of personal workstation or laptop.
  • Loss of personal data with no impact to the university.

Protect your Category C data by applying the appropriate Minimum Security Standards.


V. Using C-I-A to Help Classify Data for Which You Are Responsible


If you are evaluating data you are responsible for and it doesn't clearly fall under the laws and regulations listed in the definition, you can apply the Confidentiality, Integrity, and Availability (CIA) criteria. (Most of the legal and regulatory requirements are driven by confidentiality and integrity concerns.)

  • Confidentiality: The need to strictly limit access to data to protect the university and individuals from loss.
  • Integrity: Data must be accurate, and users must be able to trust its accuracy.
  • Availability: Data must be accessible to authorized persons, entities, or devices.

To determine the level of protections applied to a system, base your classification on the most confidential data stored in the system. A positive response to the highest category in ANY row is sufficient to place the data into that respective category. Even if the system stores data that could be made available in response to an open records request or information that is public, the entire system must still be protected based on the most confidential data.

Data Classification Weighting

                            Category A         Category B             Category C
Need for Confidentiality    Required (High)    Recommended (Medium)   Optional (Low)
  AND/OR
Need for Integrity          Required (High)    Recommended (Medium)   Optional (Low)
  AND/OR
Need for Availability       Required (High)    Recommended (Medium)   Optional (Low)

Once you classify data you are responsible for, review the university Minimum Security Standards. These standards describe the appropriate steps for protecting data based on the data classification.

Data Classification Examples


This section illustrates how the ISO classifies some familiar data using the CIA (Confidentiality, Integrity, Availability) criteria.

Category A Data: Web Central


Web Central is considered Category A data because it is governed by a service-level agreement that dictates a high level of uptime.

  • Need for Confidentiality is optional (low)
  • Need for Integrity is recommended (medium)
  • Need for Availability is required (high)

Since at least one of the CIA conditions is required (high), in this case availability, Web Central is considered Category A data.

Category A Data: Digital Research Data with a Funding Agency Agreement


Digital research data is required to be confidential (high) due to various factors, including human subject data, requirements of granting or funding agency agreements, etc. Integrity of the research is required (high) because the data must be accurate and free from errors to be credible. Availability is recommended (medium), because The University of Texas at Brownsville is not necessarily in any danger or in violation of any law if the data is unavailable for a period of time.

  • Need for Confidentiality is required (high)
  • Need for Integrity is required (high)
  • Need for Availability is recommended (medium)

Category B Data: Large Numbers of E-mail Addresses


University e-mail addresses are considered Category B data. By law they are public information and are published in the university directory (unless restricted by individuals). However, the directory is not intended to be used to harvest e-mail addresses. People must submit open records requests to get e-mail addresses.

  • Need for Confidentiality is optional (low)
  • Need for Integrity is recommended (medium)
  • Need for Availability is recommended (medium)

You may ask yourself why integrity is only recommended and not required. In this case, we are not talking about the source system that stores official e-mail addresses, but the release of that information.

Category C Data: Professor's Blog


A blog is by its very nature designed to be shared with the world. The confidentiality requirement is therefore optional (low). If the contents of the blog are changed, there would be little to no impact on the ability of the department or the university to carry out their missions. The need for integrity is therefore optional (low). The need for availability is also optional (low) because, should the blog be taken offline for a period of time, the only people directly affected would be the readers of the blog. The department and university should be able to carry on business as usual while the blog is restored or recreated.

Summary of a professor's blog hosted on a departmental server:

  • Need for Confidentiality is optional (low)
  • Need for Integrity is optional (low)
  • Need for Availability is optional (low)

Since all of the CIA conditions are optional (low), a professor's blog hosted on a departmental server is considered Category C data and should be protected using the required and recommended standards for Category C data.
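The weighting rule from section V and the four worked cases above can be expressed as a small decision function. The following is an added illustration, not part of the UTB/TSC standard or any university tool: it rates Confidentiality, Integrity and Availability as High/Medium/Low, lets the highest rating in any row decide the category (High gives A, Medium gives B, Low gives C), treats data covered by a statute, regulation or confidentiality contract as Category A regardless of the ratings, and gives a system the category of the most sensitive data set it holds. The data set names, the `regulated` flag and the `classify_system` helper are my own modelling choices, not terms the standard defines.

```python
"""Added worked example of the Data Classification Weighting rule.

Not code from the standard: the DataSet names below are constructed to
mirror the page's examples, and `regulated` is an assumed flag standing in
for "protected by law, UT rules or a confidentiality contract".
"""

from dataclasses import dataclass
from enum import IntEnum


class Need(IntEnum):
    """Need for confidentiality, integrity or availability (section V table)."""
    LOW = 1      # Optional
    MEDIUM = 2   # Recommended
    HIGH = 3     # Required


# Highest need present in any row decides the category.
CATEGORY_BY_NEED = {Need.HIGH: "A", Need.MEDIUM: "B", Need.LOW: "C"}


@dataclass
class DataSet:
    name: str
    confidentiality: Need
    integrity: Need
    availability: Need
    regulated: bool = False  # assumed: statute, regulation or confidentiality contract applies

    def category(self) -> str:
        # Data with a legal or contractual protection obligation is Category A
        # before the CIA weighting is even consulted.
        if self.regulated:
            return "A"
        highest = max(self.confidentiality, self.integrity, self.availability)
        return CATEGORY_BY_NEED[highest]


def classify_system(data_sets):
    """Category of a system holding several data sets: the strictest category
    present wins, even when public (Category C) data sits beside it."""
    if not data_sets:
        raise ValueError("a system must hold at least one data set")
    # Alphabetical order happens to match strictness: "A" < "B" < "C".
    return min(ds.category() for ds in data_sets)


# Constructed data sets mirroring the standard's worked examples.
WEB_CENTRAL = DataSet("Web Central", Need.LOW, Need.MEDIUM, Need.HIGH)
RESEARCH_DATA = DataSet("Funded research data", Need.HIGH, Need.HIGH, Need.MEDIUM,
                        regulated=True)
EMAIL_ADDRESSES = DataSet("E-mail address list", Need.LOW, Need.MEDIUM, Need.MEDIUM)
PROFESSOR_BLOG = DataSet("Professor's blog", Need.LOW, Need.LOW, Need.LOW)


if __name__ == "__main__":
    for ds in (WEB_CENTRAL, RESEARCH_DATA, EMAIL_ADDRESSES, PROFESSOR_BLOG):
        print(f"{ds.name}: Category {ds.category()}")
    # A departmental server hosting the blog next to the e-mail list inherits B.
    print("Blog + e-mail list on one server:",
          classify_system([PROFESSOR_BLOG, EMAIL_ADDRESSES]))
```

The `classify_system` helper is the point practitioners most often miss: a server that is mostly public content still takes the category of the most sensitive data set it stores, so the Minimum Security Standards for that higher category apply to the whole system.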

VI. Non-Compliance and Exceptions


Non-compliance with these standards may result in revocation of system or network access, notification of supervisors, and reporting to the Office of Internal Audit.

UTB/TSC employees are required to comply with both institutional rules and regulations and applicable UT System rules and regulations. In addition to university and System rules and regulations, University of Texas at Brownsville employees are required to comply with state laws and regulations.


VII. Related UTB/TSC Policies, Procedures, Best Practices and Applicable Laws


The policies and practices listed here inform the system hardening procedures described in this document; you should be familiar with these documents. (This is not an all-inclusive list of policies and procedures that affect information technology resources.)

UT System (UTS 165) Information Resources Use and Security Policy

Data Classification HOOP Policy 10.2.21 
