Issue Summary
A task force chartered by the Chief Information Security Officer has created a revised version of UMS Data Classifications; APL VI-I Classification of Data is aligned with regulatory requirements that apply to University Data, and assigns data to classification levels based on confidentiality, integrity and availability requirements, and parameters of risk, including, but not limited to, financial, legal and operational risk.
Background
Data Classification within the UMS is a component specified in Information Security Standards and the Employee Protection of Data APL (listed under Resources & Research); the existing system divided data into three levels: “Compliant Data,” “Business Sensitive Data,” and “Unclassified” data. The existing UMS Classification System had shortcomings which warranted review.
Specifically, the classification of Compliant Data was too broad in that it applied to any regulatory or contractually compliant data, but didn't distinguish data with higher risk, such as export control data, HIPAA PHI, SSNs, banking/payment card data, or other data that is subject to identity theft. Likewise, data that constitutes Business Sensitive Data was not well described. Furthermore, the current classification structure didn't address any parameters other than risk that may be associated with a classification system.
In January 2020, a task force was assembled by the Office of Information Security with representatives from several areas within the UMS. The task force created a revised Data Classification system with feedback from constituents across UMS functional areas, and endorsement from Data Governance.
May 2020 Proposal Forum
Data Classification Proposal
Presentation Slides
Proposal Summary: A task force chartered by the Chief Information Security Officer has created a draft revised version of UMS Data Classifications. The proposed classification system is aligned with regulatory requirements that apply to University Data, and assigns data to classification levels based on confidentiality, integrity and availability requirements, and parameters of risk, including, but not limited to, financial, legal and operational risk.
Background: Data Classification within the UMS is currently a component specified in Information Security Standards, and the Employee Protection of Data APL; the existing system divides data into three levels: “Compliant Data,” “Business Sensitive Data,” and “Unclassified” data. The existing UMS Classification System had shortcomings which warranted review. In January 2020, a task force was assembled by the Office of Information Security with representatives from several areas within the UMS. The task force has created a revised Data Classification system and is seeking feedback from constituents across UMS functional areas, and endorsement from Data Governance.
Comments/Questions
- It was noted that there has been a lot of great work on this topic since the 2019 Data Governance Retreat where there was a working session for feedback and discussion.
- Attendees were asked what their reaction was to the four labels of data in the proposal. Feedback included that the categories were easy to understand even without their associated definitions. There was also appreciation that "Confidential" included data related to contractually bound information; this is very important for research.
- Attendees were asked if it was reasonable to get feedback and develop an APL in the next 30 days and there were no objections.
- Appreciation was shared for building the 4-tier structure that may add some complexity but gives enough flexibility to accommodate use cases. It is a good foundation for our data moving forward.
Resources & Research