Printed on: 10/15/2018. Please go to http://policy.umn.edu for the most current version of the Policy or related document.
Procedure

Identifying Security Level

Administrative Procedure

Overview

This procedure assists University community members and data users in identifying the appropriate security level for an IT resource that stores, processes, transmits, accesses, or has the ability to impact the security of the data. This includes all University owned devices, vendor solutions, and personally owned devices used for University business. The security level combines the data security classification (confidentiality) with the need to protect the integrity, and availability of the data. The security levels are High, Medium, or Low. The security level is used in the Information Security standards to determine whether a security control is required, recommended, or optional at that level.

Note that for specific compliance areas (e.g., HIPAA, PCI DSS, FISMA) additional controls beyond those specified in the standards may apply. Contact the appropriate Compliance Officer for details.

Process

  1. Identify the type of IT Resource.

    Determine the type of IT Resource used to access, store, or process the data.

    1. Multi-user: Any system or application with multiple users. Examples include: workstation (e.g., Windows, Mac computer) used by multiple individuals, server (e.g., application, database, web, print, authentication, virtual), medical device, storage area network (SAN), network attached storage (NAS), software application, database. Devices used by multiple individuals sequentially may use this category or use the single-user system category when appropriate.
    2. Single-user: Any device or application primarily used by a single person at a time. Examples include: workstation (e.g., Windows, Mac computer), laptop, tablet/pad, mobile device (e.g., smart phone), software application, and database. Devices used by multiple individuals sequentially may use this category or use the multi-user system category when appropriate.
    3. Network or network device: network (e.g., wired, WiFi), router, switch, firewall, virtual private network (VPN).
  2. Identify the Data Security Classification.

    Determine the data security classification (Private- Highly Restricted, Private- Restricted, or Public) of the data you are working with. Accessing an individual’s own personal data, even on University system, is not a factor in determining data security classification.

    IT Resources with multiple data classification levels must use the highest data classification level to determine security level. In general, Private-Highly Restricted data uses the High security level.

  3. Identify the Security Level.

    The tables below provide examples of IT Resource that fall within each security level. Use the tables to find an example similar to yours. For those that are not included, consult University Information Security.

    IT Resources that fit multiple security levels must use the highest security level.

    For research data, see guidance provided by Liberal Arts Technologies & Innovation Services (LATIS).

  4. Review the Security Level with the Data Owner.

    The data owner may decide that a different security level is more appropriate. Other factors to consider include integrity, availability, or sensitivity of the data, and volume of data. For example, for non-protected health information that is considered sensitive and partially de-identified, the data owner may increase the security level to High.

Security Level Tables

The following tables provide examples of IT Resources in each security level.

  1. Multi-user – primarily used by multiple users.
    Type of IT Resource: Multi-user with Private-Highly Restricted Data
    Data Security ClassificationSecurity Level
    HIGH
    Security Level
    MEDIUM
    Security Level
    LOW
    Private - Highly Restricted All cases where Private- Highly Restricted data is involved (e.g., HIPAA, PHI, PCI DSS, SSN). Data owner approves the use of this security level for a system, application, or database.  
    System or application is used for medical treatment, research (human or non-human studies), or diagnoses.    
    Life safety system or application. Loss or interruption of service puts human or animal life at risk.    
    System or application is used to administer (manage or access) a single-user or multi-user system.    
    Type of IT Resource: Multi-user with Private-Restricted Data
    Data Security ClassificationSecurity Level
    HIGH
    Security Level
    MEDIUM
    Security Level
    LOW
    Private - Restricted Enterprise system, application, or database with Private- Restricted data. System, application, or database is critical to the unit’s mission or operation. Data owner approves the use of this security level for a system, application, or database.
    Life safety system or application. Loss of application/service poses significant risk to human or animal life safety. System, application, or database is used for research where the terms of a contract or grant or other agreement or under laws and regulations associated with research data are met by security level Medium.  
    System, application, or database that requires additional protective measures (e.g., to meet the terms of a contract or grant or other agreement or under laws and regulations associated with research data). System, application, or database with significant or extensive use within the unit.  
    System, application, or database is critical to the University’s mission of Research and Discovery, Teaching and Learning, and Outreach and Public Service. System or application accesses, stores or transmits Private- Restricted data (e.g., FERPA).  
    System, application, or database is the official repository or official source of the record for the data. (e.g., test scores). System is used to administer (manage or access) a single-user or multi-user system that is classified as security level Medium.  
    System, application, or database stores or accesses a large volume of Private- Restricted data (e.g., final grades, student IDs). Data owner approves the use of this security level for a system, application, or database.  
    System is used to administer (manage or access) a single-user or multi-user system that is classified as security level High.    
    Type of IT Resource: Multi-user with Public Data
    Data Security ClassificationSecurity Level
    HIGH
    Security Level
    MEDIUM
    Security Level
    LOW
    Public Life safety system or application. Loss or interruption of service puts human or animal life at risk. Enterprise system, application, or database with Public data. Data owner approves the use of this security level for a system, application, or database.
    Device, application, or database that requires additional protective measures (e.g., to meet the terms of a contract or grant or other agreement or under laws and regulations associated with research data). System, application, or database is critical to the University’s mission of Research and Discovery, Teaching and Learning, and Outreach and Public Service.  
    System or application is used to administer (manage or access) a single-user or multi-user system that is classified as security level High. System, application, or database is critical to the unit’s mission or operation.  
      System, application, or database is used for research where the terms of a contract or grant or other agreement or under laws and regulations associated with research data are met by security level Medium.  
      System or application stores or accesses a large volume of Public data.  
      System, application, or database is the official repository or official source of the record for the data. (e.g., professional accreditations, training transcript).  
      System, application, or database is used by faculty, staff, contractors, etc. to conduct University business.  
      System or application is used to administer (manage or access) a single-user or multi-user system that is classified as security level Medium.  
      Managed system (e.g., uses active directory).  
      Data owner approves the use of this security level for a system, application, or database.  
  2. Single-user – primarily used by one person at a time.
    Type of IT Resource: Single-user with Private-Highly Restricted Data
    Data Security ClassificationSecurity Level
    HIGH
    Security Level
    MEDIUM
    Security Level
    LOW
    Private- Highly Restricted All cases where Private- Highly Restricted data is involved (e.g., HIPAA, PHI, PCI DSS, SSN). Data owner approves the use of this security level for a device, application, or database.  
    Device or application is used for medical treatment, research (human or non-human studies), or diagnoses. (e.g., tablet).    
    Life safety device or application. Loss or interruption of service puts human or animal life at risk.    
    Device or application is used to administer (manage or access) a single-user or multi-user system that is classified as security level High.    
    Type of IT Resource: Single-user with Private- Restricted Data
    Data Security ClassificationSecurity Level
    HIGH
    Security Level
    MEDIUM
    Security Level
    LOW
    Private- Restricted Enterprise device, application, or database with Private- Restricted data. Device, application, or database is critical to the University’s mission of Research and Discovery, Teaching and Learning, and Outreach and Public Service. Data owner approves the use of this security level for a device, application, or database.
    Life safety device or application. Loss or interruption of service puts human or animal life at risk. Device, application, or database is critical to the unit’s mission or operation.  
    Device, application, or database that requires additional protective measures (e.g., to meet the terms of a contract or grant or other agreement or under laws and regulations associated with research data). Device, application, or database is used for research where the terms of a contract or grant or other agreement or under laws and regulations associated with research data are met by security level Medium.  
    Device, application, or database is the official repository or official source of the record for the data. (e.g., test scores). Device, application, or database with significant or extensive use within the unit.  
    Device, application, or database stores or accesses a large volume of Private- Restricted data (e.g., final grades, student IDs). Device or application accesses, stores or transmits Private- Restricted data (e.g., FERPA).  
    Device or application is used to administer (manage or access) a single-user or multi-user system that is classified as security level High. Device or application is used to administer (manage or access) a single-user or multi-user system that is classified as security level Medium.  
      Data owner approves the use of this security level for a device, application, or database.  
    Type of IT Resource: Single-user with Public Data
    Data Security ClassificationSecurity Level
    HIGH
    Security Level
    MEDIUM
    Security Level
    LOW
    Public Life safety device or application. Loss or interruption of service puts human or animal life at risk. Enterprise device, application, or database with Public data. Data owner approves the use of this security level for a device, application, or database.
    Device, application, or database that requires additional protective measures (e.g., to meet the terms of a contract or grant or other agreement or under laws and regulations associated with research data). Device, application, or database is critical to the University’s mission of Research and Discovery, Teaching and Learning, and Outreach and Public Service. Stand-alone device or application is used to view Public data.
    Device or application is used to administer (manage or access) a single-user or multi-user system that is classified as security level High. Device, application, or database is critical to the unit’s mission or operation. Stand-alone device used in a technology/academic computer lab.
      Device, application, or database is used for research where the terms of a contract or grant or other agreement or under laws and regulations associated with research data are met by security level Medium.  
      Device or application stores or accesses a large volume of Public data.  
      Device, application, or database is the official repository or official source of the record for the data. (e.g., professional accreditations, training transcript).  
      Device, application, or database is used by faculty, staff, contractors, etc. to conduct University business.  
      Device or application is used to administer (manage or access) a single-user or multi-user system that is classified as security level Medium.  
      Managed device (e.g., uses active directory).  
      Data owner approves the use of this security level for a device, application, or database.  
  3. Network or network device
    Network or network device with or supporting Private- Highly Restricted Data
    Data Security ClassificationSecurity Level
    HIGH
    Security Level
    MEDIUM
    Security Level
    LOW
    Private- Highly Restricted All cases where Private- Highly Restricted data is involved (e.g., HIPAA, PHI, PCI DSS, SSN). Data owner approves the use of this security level for a network.  
    Life safety system or application. Loss or interruption of service puts human or animal life at risk.    
    Type of IT Resource: Network or network device with or supporting Private- Restricted Data
    Data Security ClassificationSecurity Level
    HIGH
    Security Level
    MEDIUM
    Security Level
    LOW
    Private- Restricted Life safety system or application. Loss or interruption of service puts human or animal life at risk. All cases where Private- Restricted data is involved. Data owner approves the use of this security level for a network.
      Data owner approves the use of this security level for a network.  
    Type of IT Resource: Network or network device with or supporting Public Data
    Data Security ClassificationSecurity Level
    HIGH
    Security Level
    MEDIUM
    Security Level
    LOW
    Public Life safety system or application. Loss or interruption of service puts human or animal life at risk. All cases where Public data is involved. Data owner approves the use of this security level for a network.
      Data owner approves the use of this security level for a network.  

Document Feedback