Data Classification
All forms of UC electronic Institutional Information and IT Resources must be labeled with Protection Levels and Availability Levels in the associated inventory/tracking tools based on the Location/Unit Risk Assessment. The retention period for Institutional Information must also be documented.
Examples of Institutional Information include documents, records, video recordings, databases, log files and all other data in electronic form. Examples of IT Resources include personal and mobile computing devices, mobile phones, printers and other devices (both personally owned and UC-owned) that connect to any UC network.
Protection Levels
UC Institutional Information and IT Resources are classified into one of four Protection Levels based on the level of concern related to confidentiality and integrity. P4 requires the most security controls and P1 requires a minimal set of controls.
Level | Description | Example |
P1 - Minimal |
Public information or information intended to be readily obtainable by the public, but whose integrity is important and for which unauthorized modification is the primary protection concern. IT Resources for which the application of minimum security requirements is sufficient. |
|
P2 - Low |
Institutional Information and related IT Resources that may not be specifically protected by statute, regulations or other contractual obligations or mandates, but are generally not intended for public use or access. In addition, information of which unauthorized use, access, disclosure, acquisition, modification or loss could result in minor damage or small financial loss, or cause minor impact on the privacy of an individual or group. |
|
P3 - Moderate Proprietary |
Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties or civil actions. Institutional Information of which unauthorized use, access, disclosure, acquisition, modification, loss or deletion could result in moderate damage to UC, its students, patients, research subjects, employees, community and/or reputation related to a breach or compromise; could have a moderate impact on the privacy of a group; could result in moderate financial loss; or could require legal action. This classification level also includes lower risk items that, when combined, represent increased risk. |
|
P4 - High Statutory |
Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations. Statutory, regulatory and contract obligations are major drivers for this risk level. Other drivers include, but are not limited to: the risk of significant harm or impairment to UC students, patients, research subjects, employees, guests/program participants, UC reputation related to a breach or compromise, the overall operation of the Location or essential services. |
|
Availability Levels
All UC Institutional Information and IT Resources are also classified into one of four Availability Levels based on the level of business impact their loss of availability or service would have on UC. Compromises to A4 information or resources would cause the highest level of impact; compromises to A1 would cause a minimal level of service impact. A4 requires the most security controls, while A1 requires fewer security controls.
Level | Description | Example |
A1 - Minimal | Loss of availability poses minimal impact or financial loss. |
|
A2 - Low | Loss of availability may cause minor losses or inefficiencies. |
|
A3 - Moderate | Loss of availability would result in moderate financial losses and/or reduced customer service. |
|
A4 - High | Loss of availability would result in major impairment to the overall operation of the Location and/or essential services, and/or cause significant financial losses. IT Resources that are required by statutory, regulatory and legal obligations are major drivers for this risk level |
|
More information on UC data classification: https://security.ucop.edu/files/documents/policies/institutional-information-and-it-resource-classification-standard.pdf