Issue Summary
A task force chartered by the Chief Information Security Officer has created a revised version of the UMS Data Classifications. APL VI-I Classification of Data is aligned with the regulatory requirements that apply to University Data, and assigns data to classification levels based on confidentiality, integrity and availability requirements, and on parameters of risk, including, but not limited to, financial, legal and operational risk.
Background
Data Classification within the UMS is a component specified in the Information Security Standards and in the Employee Protection of Data APL (linked at right in Resources). The existing system divided data into three levels: "Compliant Data," "Business Sensitive Data," and "Unclassified" data. The existing UMS Classification System had shortcomings which warranted review.
Specifically, the classification of Compliant Data was too broad: it applied to any data subject to regulatory or contractual compliance, but did not distinguish higher-risk data such as export control data, HIPAA PHI, SSNs, banking/payment card data, or other data that is subject to identity theft. Likewise, the data that constitutes Business Sensitive Data was not well described. Furthermore, the existing classification structure did not address any parameters other than risk that may be associated with a classification system.
In January 2020, a task force was assembled by the Office of Information Security with representatives from several areas within the UMS. The task force created a revised Data Classification system with feedback from constituents across UMS functional areas, and endorsement from Data Governance.
Resources & Research