Institutional Data Classification Guidelines
Classifying Institutional Data
Overview
The Institutional Data Classification Guidelines are a tool provided to help Business Owners assess information systems to determine the sensitivity of the data within a system. It is likely that institutional data will be distributed across processing units both within and outside of the university. Institutional data supports the mission and operations of the University, and is considered essential. Its proper classification and management must be ensured to comply with legal and administrative requirements. The guidelines divide data into three categories:
- LEVEL I Low Sensitivity (“Public”)
- LEVEL II Moderate Sensitivity (“Non-Public/Internal”)
- LEVEL III High Sensitivity (“Confidential/Restricted”)
All institutional data must be categorized into one of the three categories above. Business Owners are responsible for categorizing their data appropriately. Based on the data classification level determined, there will be different security practices required to protect the data. This protection can include encryption, access restrictions, access auditing and other security practices. Use the following guidelines to determine which data category is appropriate.
Assessment Criteria
Consider the following examples and scenarios when classifying Institutional Data:
| | LEVEL I Low Sensitivity | LEVEL II Moderate level of sensitivity | LEVEL III Highest level of sensitivity |
|---|---|---|---|
| Legal Requirements | Protection of the data will avoid negative publicity and/or low to moderate embarrassment to the University | Protection of data will prevent poor business decisions, inaccurate research conclusions, potential liability, and moderate to high negative publicity | Protection of data is required by law (e.g. HIPAA, FERPA, GLBA data elements), reduces liability, severe negative publicity, and loss of reputation of University |
| Risk | | | |
| Data Examples | | | |
Classifying Institutional Data
If you are uncertain as to how you should classify the data stored on or manipulated by your systems, please refer to the following matrix. The matrix shows the three criteria that are used to define the data category for a given system or set of data. The criteria are Confidentiality, Integrity, and Availability, defined as follows:
- Confidentiality refers to the privacy of an information asset. Specifically, confidentiality can be defined as which people, under what conditions, are authorized to access an information asset.
- Integrity relates to the trustworthiness of data. There are two primary properties to consider when evaluating it. The first is the notion that an asset should be trusted; there is an expectation that authorized users will only modify an asset in appropriate ways. The second applies when data is damaged or incorrectly altered by authorized or unauthorized users: you must consider how important it is that the data be restored to a trustworthy state with minimum loss.
- Availability describes the importance of information access by an authorized person, entity, service, or device when it’s needed, and the impact on the institution if it’s not available. As a general rule, the more time-critical data is, the higher its availability ranking will be.
These criteria should be used to determine which data classification is appropriate. A positive response to the highest level in ANY row is sufficient to place the data into that respective classification. Use this chart to select the appropriate classification level for each of the following categories of confidentiality, integrity, and availability.
Data Classification Weighting

| | LEVEL I Low Sensitivity | LEVEL II Moderate Sensitivity | LEVEL III High Sensitivity |
|---|---|---|---|
| Need for Confidentiality | Low; Optional; Public | Medium; Recommended; Non-Public or Internal | High; Required; Confidential/Restricted |
| | AND/OR | AND/OR | AND/OR |
| Need for Integrity | Low Risk; Optional; Easily Reproducible | Medium Risk; Recommended; Internally Trusted | High Risk; Required; Official or Highly Trusted Data |
| | AND/OR | AND/OR | AND/OR |
| Need for Availability | Low Impact; Optional; Informational or Non-Critical | Medium Impact; Recommended; Normal Services | High Impact; Required; Critical or Campus-wide service |
Examples
This section illustrates how to classify some familiar data using the CIA (Confidentiality, Integrity, Availability) criteria.
Caveat: It should be noted that the ratings listed in the examples below are all based on the individual information asset. While it is important to identify and rate an asset on an individual basis, it is equally important to look at the other information assets that may be affected by a loss in confidentiality, integrity, or availability in the asset being rated.
Online Library Catalog: LEVEL II Data (Moderate Sensitivity)
The online library catalog has an optional (low) need for confidentiality since the catalog is public and we want students, faculty, staff and visitors to be able to use the library resources. The need for integrity is recommended (medium risk) because we do not want the catalog to be changed, whether by accident or maliciously. The need for availability is recommended (medium impact) because there is no paper alternative and the University of Iowa probably wouldn’t experience a long-term loss of reputation and a long-term loss of research funding if the library catalog is unavailable for a short period of time.
Summary data classification of online library catalog:
- Need for Confidentiality is optional (low)
- Need for Integrity is recommended (medium risk)
- Need for Availability is recommended (medium impact)
Since at least one of the CIA conditions is recommended, in this case both Integrity and Availability, the online library catalog is classified as LEVEL II data and should be protected appropriately.
Faculty Grade Books: LEVEL II Data (Moderate Sensitivity)
The grade books faculty maintain with student IDs and grades have a recommended (medium) need for confidentiality since only the official records, transcripts, are highly sensitive. The need for integrity is recommended (medium risk) because we do not want the grades to be changed, whether by accident or maliciously. The need for availability is recommended (medium impact) because there is no paper alternative and the University of Iowa probably wouldn’t experience a long-term loss of reputation and a long-term loss of research funding if an individual faculty member’s grade book is unavailable for a short period of time.
Summary data classification of faculty student grades (grade books):
- Need for Confidentiality is recommended (medium)
- Need for Integrity is recommended (medium risk)
- Need for Availability is recommended (medium impact)
Since at least one of the CIA conditions is recommended, in this case Confidentiality, Integrity and Availability, faculty grade books are classified as LEVEL II data and should be protected appropriately.
Student Records: LEVEL III Data (High Sensitivity)
The records faculty maintain about students with disciplinary issues or records containing social security numbers have a required need for confidentiality (high) since this information must never be publicly exposed due to federal laws like FERPA. The need for integrity is recommended (medium risk) because we do not want these records to be changed, whether by accident or maliciously. The need for availability is recommended (medium impact) because there is likely no paper alternative and the University of Iowa probably wouldn’t experience a long-term loss of reputation and a long-term loss of research funding if an individual faculty member’s student records were unavailable for a short period of time.
Summary data classification of student records:
- Need for Confidentiality is required (high)
- Need for Integrity is recommended (medium risk)
- Need for Availability is recommended (medium impact)
Since at least one of the CIA conditions is required, in this case Confidentiality, student records are classified as LEVEL III data and should be protected appropriately.
Research Data: LEVEL III Data (High Sensitivity)
Sensitive research data is required to be confidential (high) due to various factors, including human subject data, intellectual property rights, large grant funding, etc. Integrity of the research is required (high risk) because the data must be accurate and free from errors. Availability is recommended (medium impact) because the University of Iowa is not necessarily in any danger or in violation of any law if the data is unavailable for a period of time.
Summary of sensitive research data:
- Need for Confidentiality is required (high)
- Need for Integrity is required (high risk)
- Need for Availability is recommended (medium impact)
Since at least one of the CIA conditions is required (high), in this case both Confidentiality and Integrity, research data is classified as LEVEL III data and should be protected appropriately.
Professor's Blog: LEVEL I Data (Low Sensitivity)
A blog is by its very nature designed to be shared with the world. The confidentiality requirement is therefore optional (low). If the contents of the blog are changed, there would be little to no impact on the ability of the department or the university to carry out their missions. The need for integrity is therefore optional (low risk). The need for availability is also optional (low impact) because, should the blog be taken offline for a period of time, the only primary people affected would be the readers of the blog. The department and university should be able to carry on business as usual while the blog is restored or recreated.
Summary of a professor's blog hosted on a departmental server:
- Need for Confidentiality is optional (low)
- Need for Integrity is optional (low risk)
- Need for Availability is optional (low impact)
Since all of the CIA conditions are optional (low), a professor's blog hosted on a departmental server is classified as LEVEL I data and should be protected appropriately.
Conclusion
The confidentiality, integrity, and availability ratings are useful tools in assessing the risk to information assets for which you are responsible. They help create a better understanding of which assets are the most critical, and allow you to prioritize and develop effective actions to protect the assets most at risk. Remember, some institutional data, particularly LEVEL III (High Sensitivity) data, must be protected according to specific criteria outlined in the University’s Institutional Data Access Policy.
View the Data Handling Requirements in the Institutional Data Access Policy. This document describes the minimum requirements for protecting systems based on the type of data they hold.
Adapted from “Classification of Data” (http://www.stanford.edu/group/security/classification/classification_of_data.html), with permission from Stanford University, Stanford, California 94305-4102.