Data Classification


All forms of UC electronic Institutional Information and IT Resources must be labeled with Protection Levels and Availability Levels in the associated inventory/tracking tools based on the Location/Unit Risk Assessment. The retention period for Institutional Information must also be documented.

Examples of Institutional Information include documents, records, video recordings, databases, log files and all other data in electronic form. Examples of IT Resources include personal and mobile computing devices, mobile phones, printers and other devices (both personally owned and UC-owned) that connect to any UC network.

Protection Levels

UC Institutional Information and IT Resources are classified into one of four Protection Levels based on the level of concern related to confidentiality and integrity. P4 requires the most security controls and P1 requires a minimal set of controls. 

P1 - Minimal (Public)

Public information or information intended to be readily obtainable by the public, but whose integrity is important and for which unauthorized modification is the primary protection concern. IT Resources for which the application of minimum security requirements is sufficient.

Examples:
  • Public-facing informational websites.
  • Public event calendars.
  • Hours of operation.
  • Parking regulations.
  • Press releases.

P2 - Low (Internal)

Institutional Information and related IT Resources that may not be specifically protected by statute, regulations or other contractual obligations or mandates, but are generally not intended for public use or access. In addition, information of which unauthorized use, access, disclosure, acquisition, modification or loss could result in minor damage or small financial loss, or cause minor impact on the privacy of an individual or group.

Examples:
  • Routine e-mail not containing P3 or P4 information.
  • Calendar information not containing P3 or P4 information.
  • Meeting notes not containing P3 or P4 information.
  • Research using publicly available data.

P3 - Moderate (Proprietary)

Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties or civil actions. Institutional Information of which unauthorized use, access, disclosure, acquisition, modification, loss or deletion could result in moderate damage to UC, its students, patients, research subjects, employees, community and/or reputation related to a breach or compromise; could have a moderate impact on the privacy of a group; could result in moderate financial loss; or could require legal action. This classification level also includes lower risk items that, when combined, represent increased risk.

Examples:
  • Student records (FERPA).
  • Certain types of Personally Identifiable Information (PII) – not classified as P4.
  • Certain special services records.
  • Security camera recordings.
  • Building entry records from automated card key system.
  • Research results and supporting data from a 10-year study (not containing P4 information).
  • Medical devices supporting diagnostics (not containing P4 information).
  • Industrial Control Systems affecting operations.

P4 - High (Statutory)

Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations. Statutory, regulatory and contract obligations are major drivers for this risk level. Other drivers include, but are not limited to: the risk of significant harm or impairment to UC students, patients, research subjects, employees, guests/program participants, UC reputation related to a breach or compromise, the overall operation of the Location or essential services.

Examples:
  • Protected Health Information (patient records).
  • Credit card data.
  • Controlled Unclassified Information (CUI).
  • Financial aid information.
  • Certain types of Personally Identifiable Information (PII) – large collections or special sensitivity to privacy.
  • Human subject research data with individual identifiers.
  • Medical devices supporting care.
  • Industrial Control Systems affecting life and safety.

Availability Levels

All UC Institutional Information and IT Resources are also classified into one of four Availability Levels based on the level of business impact their loss of availability or service would have on UC. Compromises to A4 information or resources would cause the highest level of impact; compromises to A1 would cause a minimal level of service impact. A4 requires the most security controls, while A1 requires fewer security controls.

A1 - Minimal

Loss of availability poses minimal impact or financial loss.

Examples:
  • Music streaming system.

A2 - Low

Loss of availability may cause minor losses or inefficiencies.

Examples:
  • Department website.
  • Front desk sign-in system.

A3 - Moderate

Loss of availability would result in moderate financial losses and/or reduced customer service.

Examples:
  • Electronic sign board system.
  • Public website.
  • Time reporting system.
  • Building management system.
  • Clinical trial management system.
  • Medical devices supporting diagnostics.
  • Industrial Control Systems affecting operations.

A4 - High

Loss of availability would result in major impairment to the overall operation of the Location and/or essential services, and/or cause significant financial losses. IT Resources that are required by statutory, regulatory and legal obligations are major drivers for this risk level.

Examples:
  • Medical records system.
  • Directory services – SSO.
  • Border network devices.
  • E-mail.
  • Building access system.
  • Medical devices supporting care.
  • Industrial Control Systems affecting life and safety.
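The labelling requirement above (every record carries a Protection Level, an Availability Level and a documented retention period) and the P3 note that lower-risk items combined represent increased risk are the kind of rules an inventory tool can check mechanically. The following is an added example, not UC's own tooling or code from the standard; the record format, field names and the "two or more P2 items raises a collection to at least P3" threshold are this example's own assumptions, chosen to illustrate the combination rule rather than taken from the standard.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Labels the standard requires on every inventory record.
PROTECTION_LEVELS = ("P1", "P2", "P3", "P4")
AVAILABILITY_LEVELS = ("A1", "A2", "A3", "A4")


@dataclass(frozen=True)
class Asset:
    """One inventory record. Field names are this example's own, not UC's tools'."""
    name: str
    protection: str                 # one of P1..P4
    availability: str               # one of A1..A4
    retention_days: Optional[int]   # None means the retention period is undocumented


def validate(asset: Asset) -> List[str]:
    """Return the labelling problems on one record (empty list = compliant)."""
    problems = []
    if asset.protection not in PROTECTION_LEVELS:
        problems.append(f"{asset.name}: invalid Protection Level {asset.protection!r}")
    if asset.availability not in AVAILABILITY_LEVELS:
        problems.append(f"{asset.name}: invalid Availability Level {asset.availability!r}")
    if asset.retention_days is None:
        problems.append(f"{asset.name}: retention period not documented")
    elif asset.retention_days <= 0:
        problems.append(f"{asset.name}: retention period must be positive")
    return problems


def _rank(level: str) -> int:
    # "P3" -> 3, "A4" -> 4; only called on already-validated labels
    return int(level[1])


def aggregate_protection(assets: Sequence[Asset], p2_combination_threshold: int = 2) -> str:
    """Protection Level a combined collection of records should carry.

    The collection inherits the highest component level. Because P3 explicitly
    covers lower-risk items that, when combined, represent increased risk, a
    collection built from `p2_combination_threshold` or more P2 items is raised
    to at least P3. The threshold value is an assumption of this example; the
    standard itself gives no number and leaves it to the Unit Risk Assessment.
    """
    if not assets:
        raise ValueError("empty collection")
    highest = max(_rank(a.protection) for a in assets)
    p2_count = sum(1 for a in assets if a.protection == "P2")
    if p2_count >= p2_combination_threshold:
        highest = max(highest, 3)
    return f"P{highest}"


def audit(inventory: Sequence[Asset]) -> List[str]:
    """Run validate() over a whole inventory and collect every problem found."""
    problems = []
    for asset in inventory:
        problems.extend(validate(asset))
    return problems


# Constructed sample inventory, loosely modelled on the example columns above.
SAMPLE_INVENTORY = [
    Asset("public-web", "P1", "A3", 365),
    Asset("dept-calendar", "P2", "A2", 730),
    Asset("meeting-notes", "P2", "A1", 730),
    Asset("card-key-log", "P3", "A4", None),      # retention missing -> finding
    Asset("patient-records", "P4", "A4", 3650),
    Asset("legacy-share", "Medium", "A2", 90),    # pre-standard label -> finding
]

if __name__ == "__main__":
    for line in audit(SAMPLE_INVENTORY):
        print(line)
    print("combined P2 collection ->", aggregate_protection(SAMPLE_INVENTORY[1:3]))
```

Running the block reports the two non-compliant records (the undocumented retention period and the label that is not one of P1 to P4) and shows that a dataset assembled from the two P2 records is classified P3 under the combination rule. An inventory export in CSV or JSON can be mapped onto `Asset` records to run the same checks against real data.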

More information on UC data classification: https://security.ucop.edu/files/documents/policies/institutional-information-and-it-resource-classification-standard.pdf