- Consider the following when determining the appropriate data security classification.
- Are there any laws and regulations governing the data or requiring security controls?
- Are there contractual obligations related to the data?
- What is the sensitive nature of the data and the impact to the individual and/or to the University if the confidentiality of the data were negatively affected?
- Based on responses to the above questions, determine if the data fall within Public, Private – Restricted, or Private – Highly Restricted category.
- Once determined, send a request to the University Chief Information Security Officer to update the Data Security Classifications by Type appendix.
- Notify users, as appropriate, of the data security classification.
If working with or generating data, follow the steps below to determine the data security classification and the appropriate security controls.
- Determine if the data used have been previously classified by a data owner.
- If yes, protect the data as required for that classification using the appropriate security level.
- If the data have not been classified or requires clarification, please contact the data owner responsible for similar types of data, the Office of General Counsel or the University Chief Information Security Officer.
- The VP for Information Technology or designate will review any exceptions to the data security classification established by the data owner.