Security Awareness

Data Classification FAQ

Data Classification

How do I make sure the data I have downloaded from University files is still accurate?

You should periodically "refresh" downloaded data to ensure you are working with accurate, up-to-date data. It is best not to create "shadow systems" using downloaded data. Instead, try to use the official repository of the data you need (e.g., access and use PeopleSoft HR data directly for HR data needs).

Policy Referenced : Responsible/Acceptable use of Computing and Data Resources (PDF)

Date Revised : 2006-02-24

Date Reviewed:  2007-11-05


How do I know how data is classified?

Contact the data custodian for assistance. If you are working with data and you do not know its classification, handle it as though it were classified as Confidential information.

Reference: Data and Computing Standards (PDF)

Date Revised : 2006-02-24

Date Reviewed:  2007-11-05


I have access to view data as part of my job. A student employee has asked for some information regarding their personal situation. Can I share this information?

You should use your access to University data only for the purposes for which you have been approved. For example, you may have been authorized to access student grades; however, telling a student employee their grades before they are officially distributed by the University would be a violation of University Data and Computing Guidelines/Standards.

Policy Referenced : Responsible/Acceptable use of Computing and Data Resources (PDF)

Date Revised : 2006-03-22


Does the University classify its data? What are the University data classifications?

Yes. The University classifies its data as:

Unclassified - data that does not fall into any of the other data classifications noted below. This data may be made generally available without specific data custodian approval.

Operational Use Only - data whose loss, corruption or unauthorized disclosure would not necessarily result in any business, financial or legal loss BUT which the University has determined is critical to its business and requires a higher degree of handling than unclassified data. Access to Operational Use Only data is available to data custodian approved users only.

Confidential - data whose loss, corruption or unauthorized disclosure would be a violation of federal or state laws/regulations or University contracts (i.e., protected data); personally identifiable data; data that involves issues of personal privacy; or data whose loss, corruption or unauthorized disclosure may impair the academic, research or business functions of the University, or result in any business, financial, or legal loss.

Reference: Data and Computing Standard (PDF)

Date Revised : 2007-03-24

Date Reviewed:  2007-11-05


I am disposing of a report. Are there any requirements I should know about?

Reports containing Operational Use Only or Confidential data should be disposed of as follows: paper and microfiche/film should be shredded; disks/hard drives should be erased so that the data is unretrievable. If you are not sure how to erase your drive so that the data is unretrievable, contact your desktop support group for assistance. If you don't know the data's classification, contact the appropriate data custodian or handle the data as if it were classified as Confidential. The table below outlines the University's standards for data disposal:

Disposal of removable electronic media (e.g., diskettes, CDs, DVDs, optical disks, magnetic tapes)

Unclassified - Migrate files contained on hardware or electronic storage devices that are not past their retention period to current systems or another suitable storage format. No special disposal requirements.

Operational Use Only - Data Custodian to define requirements.

Disposal of hard drive

Unclassified/Operational Use Only/Confidential - Migrate files contained on hardware or electronic storage devices that are not past their retention period to current systems or another suitable storage format. Wipe/sanitize functioning hard drives. If the CPU is to be destroyed, physically remove and destroy ALL hard drives. Log time, date, method and person that disposed of media.

Disposal of hardcopy

Unclassified/Operational Use Only - Trash/Recycle.

Confidential - Cross-shred, chemically destroy or incinerate paper, microfiche and microfilm in an environmentally safe method. Log time, date, method and person that disposed of media.

Revision Date: 2007-03-24

Review Date: 2008-05-28


How does a data custodian decide who should have access to University data?

Data Custodian approval for access to data classified as Operational Use Only or Confidential is based on legal requirements or on a need-to-know, job-function, or course-requirement basis.

Reference: Responsible/Acceptable use of Computing and Data Resources (PDF)

Date Revised : 2006-03-22

Date Reviewed:  2007-11-05


How do I handle databases or files that contain data that has different classifications assigned?

Aggregates of data should be classified at the most secure classification level (e.g., when data of mixed classification exist in the same database, file, report, etc., the classification of that database, file, or report should be that of the highest level of classification).

Reference : Responsible/Acceptable use of Computing and Data Resources (PDF)

Date Revised : 2006-03-22

Date Reviewed:  2007-11-05


My coworker or another student needs access to some data that I have been authorized to access. Can I share this information?

No. Access to computer systems and data is given to specific individuals. This access must not be shared, transferred or delegated (e.g., you should not log on, access data and then let others use that data). The coworker or student may be able to get the access they need. They should contact either the proper data custodian or the system administrator to obtain this access.

Policy Referenced : Responsible/Acceptable use of Computing and Data Resources (PDF)

Date Revised : 2006-03-22


I have extracted some data from another file. How should this data be handled or secured?

Extracts of Operational, Private, Restricted or Confidential data should be secured at the same level as the file/database from which the data was extracted. If you don't know the data's classification, contact the appropriate data custodian or secure the data as if it were classified as Confidential.

Policy Referenced : Responsible/Acceptable use of Computing and Data Resources (PDF)

Date Revised : 2006-03-22
