University of Minnesota  Administrative Policy

Data Security Classification

Policy Statement

To protect the security and integrity of University of Minnesota data, and comply with applicable state and federal laws and regulations, all University of Minnesota data must be classified appropriately. The University uses data security classification and security level to ensure all data and the systems on which it is stored, accessed, transmitted, or have the ability to impact the security of the data have appropriate security controls to protect the confidentiality, integrity, and availability of the data.

The University's data security classifications are:

  • Private-Highly Restricted – Private-Highly Restricted data are University data that are not public and are available within the institution only to those with a legitimate need to know, and (1) are so highly sensitive that the loss of confidentiality of the data could cause significant personal, institutional, or other harm; (2) by law, regulation, or contract require a high degree of security.
  • Private-Restricted - Private-Restricted data are University data that by law are not public and are available within the institution only to those with a legitimate need to know, but are not so highly sensitive that the loss of confidentiality of the data would cause significant personal, institutional, or other harm, and no law, regulation, or contract require a higher degree of security.
  • Public - Public data are University data that by law are available to the public upon request, and that the loss of the data would not cause significant personal, institutional or other harm.

Data owners are responsible for setting the appropriate data security classification and security level for their various types of data to meet state and federal laws and regulations, specific contractual requirements, and appropriate security controls to protect the confidentiality, integrity and availability of the data. Data owners and data custodians must communicate the data security classifications and security levels to affected groups and individuals.

University community members and data users must follow security controls that are appropriate for the data security classifications and the security level. For electronic data, the controls are specified in Administrative Policy: Information Security.

The Vice President for Information Technology will consult with the appropriate vice president to resolve any ambiguity as to the classification or security level of data by the data owner.

Reason for Policy

University data are valuable assets. Often, University data are subject to state and federal regulations which outline various control requirements to ensure appropriate confidentiality, availability and integrity of the data. This policy provides a foundation for facilitating compliance with the related regulations and adherence to the appropriate security practices.

Contacts

SubjectContactPhoneFax/Email
Primary ContactBrian Dahlin612-625-1505[email protected]
Information SecurityUniversity Chief Information Security Officer612-625-1505[email protected]
See Data Classification Owner/Custodian Table   
Responsible Individuals
Responsible Officer Policy Owner Primary Contact
  • Vice President and Chief Information Officer, Office of Information Technology
  • Chief Information Security Officer, Office of Information Technology
  • Brian Dahlin
    Chief Information Security Officer, Office of Information Technology

Definitions

Compliance Officer

The University designated individual responsible for compliance for a broad type of data (e.g. HIPAA, PCI DSS, FERPA). or data set (e.g. research data) across the University, consistent with University policy and all applicable state and federal laws, and contractual agreements.

Data

Information collected, stored, transferred or reported for any purpose, whether electronically or hard copy.

Data Custodian

A representative of the University who is assigned responsibility to serve as steward of University data in a particular area (e.g., principal investigator (PI)).

Data Owner

Individual with primary authority and accountability for specified information (e.g., a specific business function) or type of data (e.g., research). Where there is a designated University compliance officer, the compliance officer is the data owner.

Data User

Individual, who in the course of carrying out official University business or research, may collect, store, transfer or report data consistent with their function at the institution.

Enterprise System or Application

System or application that is designated by the Vice President for Information Technology or designee as Enterprise. Enterprise Systems or Applications are typically used across one or more campuses.

Family Educational Rights & Privacy Act (FERPA)

Federal law (P.L. 93-568, 2) as amended in 1974 (with updates). Specifies rights and responsibilities of students and colleges regarding access to student data.

Health Insurance Portability and Accountability Act (HIPAA)

Health Insurance Portability and Accountability Act of 1996 and its implementing regulations and any updates or amendments to the same.

Information Technology Resource (IT resource)

Facilities, technologies, and information resources used for University information processing, transfer, storage, and communications. Included in this definition are computer labs, classroom technologies, computing and electronic communications devices and services, e-mail, networks, telephones (including cellular), voice mail, fax transmissions, video, multimedia, and instructional materials. This definition is not all inclusive but rather reflects examples of equipment, supplies and services. This also includes services that are University owned, leased, operated or provided by the University or otherwise connected to University resources, such as cloud and Software-as-a-Service (SaaS), or any other connected/hosted service provided.

Payment Card Industry Data Security Standards (PCI DSS)

A multifaceted security standard developed and owned by the major payment card companies that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

Proprietary research

Industry-sponsored research that uses the sponsor's proprietary information or results in intellectual property for which the sponsor has an option to an exclusive license. These sponsors often request restrictions on who can discuss the research and under what circumstances. They also may prohibit publication of confidential company information or ask the researcher to delay publication of research results so that they can review the material for proprietary information or take steps to secure intellectual property rights to possible inventions.

Security Level

A level (high, medium, or low) assigned to data or IT resource. The security level combines the data security classification (confidentiality) with the need to protect the integrity, and availability of the data. The security level, in combination with the data security classification, is used in the Information Security standards to determine whether a security control is required, recommended, or optional at that level.

University Community Members

University faculty, staff, students, and alumni are generally defined as members of the University community. The General Counsel may designate additional groups as members of the University community.

University Data

Information collected, manipulated, stored, reported or presented in any format, on any medium, by any unit of the University in support of the University mission.

Responsibilities

Data Custodian

Responsible for following the procedures determined by the data owner to maintain the confidentiality, integrity, and availability of the data consistent with University policy, applicable state and federal laws, and contracts. Responsible for communicating the data security classification and security level to affected groups and individuals.

Data Owner

Accountable for specified information (e.g., a specific business function), broad type of data (e.g., HIPAA, PCI DSS, FERPA), or type of data set (e.g., research data).

Responsible for setting the data security classification and security level to meet state and federal laws and regulations, specific contractual requirements, University policy, and appropriate security controls to protect the confidentiality, integrity, and availability of the data.

Responsible for delegating responsibility to appropriate data custodian(s).

Data User

Responsible for maintaining the confidentiality, integrity, and availability of University data they manage and for following all University policies, procedures, and standards related to the data security classification and security level, including applicable state and federal laws, and contracts.

University Chief Information Security Officer or Designate

Specifies the information security controls for each data security classification and security level. Assists data users in classifying their data that is not currently classified.

Vice President for Information Technology

Consults with the appropriate vice president to resolve any ambiguity as to the classification or security level of data by the data owner.

History

Amended:

June 2017 - Comprehensive Review, Minor Revisions. 1. Revise policy statement section to better define the data security classifications and clarify roles/responsibilities. Data owner replaces data custodian in policy statement, procedures and appendices. Privacy Officers are now called compliance officers and are a type of data owner. 2. Update additional contacts, responsibilities, definitions, contacts and related information sections. 3.Add a frequently asked question related to research.4. Add a Related Laws and Regulations sub-section to Related Information. 5. Change the Identifying Security Level appendix to an administrative procedure. Revise to use examples to help identify the security level.

Effective:

June 2013 - New Policy. 1. Establishes more refined data security classifications, so that data can be accorded the appropriate level of security controls according to the characteristics of the data, with the most sensitive data receiving the highest security. Prior to this policy, there were only two classifications (public and nonpublic). 2. Specifies who is responsible for classifying the data for which they are responsible.