Printed on: 03/10/2026. Please go to policy.umn.edu for the most current version of the document.
University of Minnesota  Procedure

Identifying Security Level of an IT Resource

Sidebar

Expand all

Sidebar

Table of Contents

TOC placeholder

Questions?

Please use the contact section in the governing policy.

Leave Feedback

Overview

This procedure assists University community members and data users in identifying the appropriate Security Level for an Information Technology (IT) Resource that stores, processes, transmits, accesses, or has the ability to impact the security of the data. This procedure applies to all University owned devices, enterprise systems, vendor solutions (including cloud products and SaaS), and personally-owned devices used for University business.

The University Security Levels of High, Medium, and Low align to security requirements in Administrative Policy: Information Security for the IT Resource used to store, transmit, or process University data. Security Level is determined based on a combination of the Data Classification confidentiality, integrity, and technology availability needs.

Examples of IT Resources that require a defined security level include but are not limited to:

  • Any system, application, or database with multiple users. Examples include: workstation (e.g., Windows, Mac computer) used by multiple individuals, Software as a Service (SaaS), server (e.g., application, database, web, print, authentication, virtual), medical device, storage area network (SAN), network attached storage (NAS), software application, database.
  • Any device or application primarily used by a single person at a time. Examples: workstation (e.g., Windows, Mac computer), laptop, tablet/pad, mobile device (e.g., smart phone), software application, and database.
  • Network or network device: network (e.g., wired, WiFi), router, switch, firewall, virtual private network (VPN).

Process

  1. Follow the Classifying Data procedure See Administrative Procedure: Classifying Data.

    Determine the Data Classification (Private-Highly Restricted, Private-Restricted, or Public) of the data you are working with. Accessing an individual's own personal data, even on a University system, is not a factor in determining Data Classification. See Appendix: Data Classifications by Type.

    IT Resources with multiple Data Classification levels must use the highest data classification level to determine security level. In general, Private-Highly Restricted data uses the High security level.

  2. Identify the Security Level.

    Determine the Security Level (High, Medium, Low) of the IT Resource using the tables below. IT Resources that fit multiple security levels must use the highest security level.

    For research data, see guidance provided by Liberal Arts Technologies & Innovation Services (LATIS).

  3. Review the Security Level with the Data Owner.

    The data owner may decide that a different security level is more appropriate. The data owner may be responsible for obtaining approvals from relevant accountable parties. See Appendix: Data Classification Owner/Custodian Table. See below for compliance requirements. Other factors to consider include integrity, availability, and volume of data. For example: for non-protected health information that is considered sensitive and partially de-identified, the data owner may increase the security level to High.

For specific compliance areas (e.g., HIPAA, PCI DSS, GLBA, FERPA, FISMA), additional controls beyond those specified in the Administrative Policy: Information Security standards may apply. Contact the appropriate Compliance Officer for details.

IT Resource with Private-Highly Restricted Data

Security Level
Examples
High
  • All cases where Private-Highly Restricted data is involved (e.g., HIPAA, PHI, PCI DSS, SSN).
  • Used for medical treatment, research (human or non-human studies), or diagnosis.
  • Life safety system or application. Loss or interruption of service puts human or animal life at risk.
  • Used to administer (manage or access) a single-user or multi-user system that is classified as security level High.
Medium
  • Not allowed
Low
  • Not allowed

IT Resource with Private-Restricted Data

Security LevelExamples
High
  • Enterprise system, application, or database with Private-Restricted data.
  • Life safety system or application. Loss or interruption of service puts human or animal life at risk.
  • Requires additional protective measures (e.g., to meet the terms of a contract or grant or other agreement or under laws and regulations associated with research data).
  • Critical to the University’s mission of Research and Discovery, Teaching and Learning, and Outreach and Public Service.
  • Official repository or official source of the record for the data. (e.g., test scores).
  • Stores or accesses a large volume of Private-Restricted data (e.g., final grades, donor/gift data).
  • Used to administer (manage or access) a single-user or multi-user system that is classified as security level High.
Medium
  • Critical to the unit’s mission or operation.
  • Used for research where the terms of a contract or grant or other agreement or under laws and regulations associated with research data are met by security level Medium.
  • IT Resource with significant or extensive use within the unit.
  • Accesses, stores or transmits Private-Restricted data (e.g., FERPA).
  • Used to administer (manage or access) a single-user or multi-user system that is classified as security level Medium.
  • Data owner approves the use of this security level for a system, application, or database.
  • Critical to the University’s mission of Research and Discovery, Teaching and Learning, and Outreach and Public Service.
Low
  • Data owner approves the use of this security level for a system, application, or database.

IT Resource with Public Data

Security LevelExamples
High
  • Life safety system or application. Loss or interruption of service puts human or animal life at risk.
  • Requires additional protective measures (e.g., to meet the terms of a contract or grant or other agreement or under laws and regulations associated with research data).
  • Used to administer (manage or access) a single-user or multi-user system that is classified as security level High.
Medium
  • Enterprise system, application, or database with Public data.
  • Critical to the University’s mission of Research and Discovery, Teaching and Learning, and Outreach and Public Service.
  • IT Resource with significant or extensive use within the unit.
  • IT Resources used for research where the terms of a contract or grant or other agreement or under laws and regulations associated with research data are met by security level Medium.
  • Stores or accesses a large volume of Public data.
  • Official repository or official source of the record for the data. (e.g., professional accreditations, training transcript).
  • Used by faculty, staff, contractors, etc. to conduct University business.
  • System or application is used to administer (manage or access) a single-user or multi-user system that is classified as security level Medium.
  • Data owner approves the use of this security level for a system, application, or database.
Low
  • Data owner approves the use of this security level for a system, application, or database.
  • Device or application used to view Public data.
  • Device or application used in a technology/academic computer lab used for public data.