Information Technology Policies

X-99.06(A)

UMB Data Classification Policy

Information Technology   |   Approved April 13, 2015


Responsible VP/AVP

Peter J. Murray, PhD, CAS, MS


Applies to Faculty, Staff


Revision History

Approved April 13, 2015.


Policy Statement

Data and information are important assets of the University and must be protected from loss of integrity, confidentiality, or availability in compliance with University policy and guidelines, Board of Regents policy, and state and federal laws and regulations.  

The purpose of this document is to provide guidance in complying with Section VII, Items 3 & 4, Data Classifications and Storage, of the USM Guidelines in Response to the State IT Security Policy. This section states that USM institutions are required to implement formal controls on all institutionally owned systems that store and/or access nonpublic information.

Policy

All University Data must be classified according to the UMB Classification Schema and protected according to UMB Data Security Standards. This policy applies to data in all formats or media.

Data Classification Schema

Data and information assets are classified according to the risks associated with data being stored or processed. Data with the highest risk need the greatest level of protection to prevent compromise; data with lower risk require proportionately less protection. Four levels of data classification will be used to classify University Data based on how the data are used, their sensitivity to unauthorized disclosure, and requirements imposed by external agencies.

Data are typically stored in aggregate form in databases, tables, or files. In most data collections, highly sensitive data elements are not segregated from less sensitive data elements. For example, a student information system will contain a student's directory information as well as their social security number. Consequently, the classification of the most sensitive element in a data collection will determine the data classification of the entire collection.

UMB Data Classifications:

Level 0 – Public - Non-critical data (i.e., public directory information).  Data explicitly or implicitly approved for distribution to the public where there is little institutional risk associated with this system due to security.

Level 1 – Internal - Data intended for internal University use.  Applications or services that support academic instruction, research data or general communications that do not contain sensitive information.

Level 2 – Confidential - Critical data, systems, applications or services related to or supporting the commitment or management of UMB financials, student data, research, and those systems containing sensitive information (i.e., name, SSN or other combination of personal identifiers) which if compromised could be used to commit identity theft.

Level 3 – Regulated - Highest risk data, systems and applications or services that have externally mandated IT compliance requirements such as those containing information covered by HIPAA or PCI.  Failure to comply with these externally mandated IT Security requirements would result in serious financial, legal and/or reputational harm to individuals and/or the University.

Any department that has access to data that are classified as Level 2 or higher will be required to work with the IT Security Officer to complete the Risk/Vulnerability Assessment.
