Angelo State University
Information Technology

Data Classification Standard

  1. Scope

    All university information stored on university information technology resources, or other information technology resources where university business occurs, must be classified into one of the three categories. Based on the data classification determined for the system, appropriate technical security measures to protect the data are required. Category-1 data has more stringent requirements than Category-2 and Category-3. All systems require some protective measures.

    University data stored on non-university IT resources must still be verifiably protected according to the respective university minimum security standards. Personal data stored on a university IT resource as a result of incidental use is not considered university data. Personal use of university information describing or pertaining only to you is not governed or defined by this standard. At the same time, these rules describe good practices to help protect your personal information.

  2. Information Classification

    This standard is based solely on the confidentiality aspect of information. Information that is confidential must be protected against unauthorized exposure as required by law, regulation, or statute. Only authorized persons are allowed to access or change confidential information. Information resources are considered to be assets of the university. They are classified according to the risks associated with the data being stored or processed. Data at the highest risk needs the greatest amount of protection to prevent unauthorized exposure; data at lower risk can be given proportionately less protection. To determine the level of protection applied to a system, base your classification on the most confidential data stored in the system. Even if the system also stores data that could be made available in response to an open records request, or information that is public, the entire system must still be protected according to the most confidential data it holds. Note: Passwords and other security control specifics must be classified at the same level as the highest category of information they protect.

    1. Category-1 – Data protected specifically by federal or state law, university or system rules or regulations that assess specific administrative, punitive, or monetary penalties (e.g. HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, Texas Identity Theft Enforcement and Protection Act, Texas Tech University System policies) and whose exposure will likely cause great harm to the university and the individuals to whom the information refers. Also includes data that is not protected by a known civil statute or regulation, but which must be protected because of contractual agreements requiring confidentiality considerations. More examples can be found in Appendix A.
      Examples of How Data Can Be Exposed
      • Laptop or other data storage system stolen from car.
      • Research Assistant accesses system after leaving research project because passwords are not changed.
      • Unauthorized visitor walks into unlocked lab and steals equipment or accesses unsecured computer.
      Impact of Category-1 Data Exposure
      • Long-term loss of research funding.
      • Long-term loss of reputation.
      • Unauthorized release of research data.
      • Monetary penalties from regulatory requirements.
      • Individuals put at risk for identity theft.
    2. Category-1a – Information protected specifically by federal or state law, university or system rules or regulations (e.g., FERPA) which, if exposed, would likely result in substantial harm to the university, but for which there are no prescribed administrative, punitive, or monetary penalties. Exposure may lead to loss of reputation and reduced enrollment. More examples can be found in Appendix B.
    3. Category-2 – Information related directly to or proceeding from the operation and administration of the university and normally restricted to university employees, but which is releasable in accordance with the Texas Public Information Act (e.g. contents of specific e-mail, date of birth, salary, etc.). Such information must be appropriately protected to ensure a controlled and lawful release.
      Examples of How Data Can Be Exposed
      • Staff member releases information without proper authorization.
      Impact of Category-2 Data Exposure
      • Tarnished reputation.
      • Loss of research funding.
    4. Category-3 – Information which is generally publicly available or appropriately and intentionally made public by the university. Information in this category has no requirement for confidentiality.
      Examples of How Data Can Be Exposed
      • Laptop or other data storage system stolen from car.
      Impact of Category-3 Data Exposure
      • Loss of your personal data with no impact to the university.
    Required Controls
    Systems that store or process Category-1 information must, at a minimum, meet the following criteria:
    • Must use a PIN or complex password to access the device’s operating system and data.
    • Must use whole disk/device encryption or be protected by data center physical security controls.
    • Must encrypt all Category-1 data transferred to and from the system.
    • Must have antimalware software installed that updates itself regularly and automatically removes malware from the system.
    • Must be configured to allow remote wipe, if the system supports it.
    Systems that store or process Category-1a university information must, at a minimum, meet the following criteria:
    • All controls for Category-1, except whole disk/device encryption.
    • Whole disk/device encryption is not required, but is still strongly recommended for Category-1a.
    Systems that store or process Category-2 or Category-3 university information must, at a minimum, have antimalware software installed that updates itself regularly and removes malware from the system. The controls for higher-category information are not required, but are still recommended.

    Appendix A

    Extended List of Category-1 Data

    This document provides an expanded list of examples of data classified as category-1 data. This list is provided to help owners and custodians with a way to evaluate the level of protections required for their systems.

    NOTE: Social Security numbers may be stored only on authorized systems, such as the Banner system. They are released only as required by law; for example, to the IRS for tax purposes.

    This list is not all-inclusive, and it does not cover the authorized release of information.

    Patient Medical/Health Information (HIPAA)

    The following information is confidential if associated with specific individuals:

    • Social Security number
    • Patient names, street address, city, county, zip code, telephone / fax numbers
    • Dates (except year) related to an individual, account / medical record numbers, health plan beneficiary numbers
    • Personal vehicle information
    • Certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses
    • Access device numbers (card number, building access code, etc.)
    • Biometric identifiers and full face images
    • Any other uniquely identifying number, characteristic, or code
    • Payment Guarantor’s information

    Donor/Alumni Information (OPP, Texas Identity Theft Enforcement and Protection Act, HIPAA, Texas Public Information statutes)

    The following information is confidential if associated with specific individuals:

    • Social Security number
    • Name
    • Personal financial information
    • Family information
    • Medical information
    • Credit card numbers, bank account numbers, amount / what donated
    • Telephone / fax numbers, e-mail, URLs

    Research Information (Granting Agency Agreements, Other IRB Governance)

    The following information is confidential if associated with specific individuals:

    • Human subject information
    • Sensitive digital research data

    Contact the Office of Sponsored Projects for more information on research involving human subjects.

    Employee Information (Texas Identity Theft Enforcement and Protection Act)

    There can be confusion over which rules apply when an employee is also a student. The rule of thumb is that the student rules apply when the employee is in a student job title.

    The following employee information is confidential if associated with specific individuals:

    • Social Security number
    • Personal financial information, including non-ASU income level and sources
    • Insurance benefit information
    • Access device numbers (card number, building access code, etc.)
    • Biometric identifiers
    • Family information, home address, and home phone number may be released unless restricted by the employee. ASU employees can restrict this information by contacting the Office of Human Resources.

    Please note that information considered public, such as employee names, birth dates, salary, and performance review information, would be released under an open records request.

    Business/Vendor Data (Gramm-Leach-Bliley Act, Non-Disclosure agreement)

    The following information is confidential if associated with specific individuals:

    • Vendor Social Security number
    • Credit card information
    • Contract information (between ASU and a third party)
    • Access device numbers (card number, building access code, etc.)
    • Biometric identifiers
    • Certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses

    Other Institutional Data (Gramm-Leach-Bliley Act, Other Considerations)

    The following information is confidential if associated with specific individuals:

    • Financial records
    • Contracts
    • Physical plant detail
    • Credit card numbers
    • Certain management information
    • Critical infrastructure detail
    • User account passwords

    Payment Card Industry Data Security Standard (PCI DSS)

    The following information is confidential if associated with specific individuals:

    • Personal Account Number (PAN)
      • Name if stored with PAN
      • Service Code
      • Expiration Date
    • Magnetic stripe data

    Appendix B

    Extended List of Category-1a Data

    This document provides an expanded list of examples of data classified as category-1a data. This list is provided to help owners and custodians with a way to evaluate the level of protections required for their systems.

    This list is not all-inclusive, and it does not cover the authorized release of information.

    Student Records (FERPA)

    The following information is confidential. This applies to both enrolled and prospective student data.

    • Grades (including test scores, assignments, and class grades)
    • Bank accounts, wire transfers, payment history, financial aid/grants, student bills
    • Access device numbers (card number, building access code, etc.)

    Note that for enrolled students, the following data may ordinarily be revealed by the university without student consent unless the student designates otherwise by using Office of the Registrar approved methods:

    • Student name
    • Local and permanent mailing address
    • Photograph
    • Major and minor fields of study
    • Participation in recognized activities and sports
      • weight and height of members of athletic teams
      • team photographs
    • Dates of attendance
    • Classification
    • Enrollment status
    • Degree candidate
    • Degrees
    • Awards and honors received, type of award/honor
    • Previous educational agencies and institutions attended
    • Hometown

    For more information, see Angelo State University’s FERPA Web page.
