Skip Navigation
Information Technology
Member, Texas Tech University System The Princeton Review - 373 Best Colleges, 2011 Edition

Data Classification Standard

  1. Scope

    All university data stored on university information technology resources, or other information technology resources where university business occurs, must be classified into one of the three categories. Based on the data classification determined for the system, appropriate technical security measures to protect the data are required. Category-I data has more stringent requirements than categories II and III. All systems require some protective measures.

    University data stored on non-university IT resources must still be verifiably protected according to the respective university minimum security standards. Personal data stored on a university IT resource as a result of incidental use is not considered university data.

  2. Data Classification

    Information resources are considered to be assets of the university. They are classified according to the risks associated with the data being stored or processed. Data with the highest risk needs the greatest amount of protection to prevent compromise; data at lower risk can be given proportionately less protection. Along with laws and regulations that govern some kinds of data, there are situations where you must consider whether the confidentiality, integrity, or availability of the data is a factor. This approach allows ASU to apply more appropriate levels of resources to the protection of the assets based upon need.

    1. Category-I– Data protected specifically by federal or state law or university or system rules and regulations (e.g. HIPAA, FERPA, Sarbanes-Oxley, Gramm-Leach-Bliley, Texas Identity Theft Enforcement and Protect Act, Texas Tech University System policies). Also includes data that is not protected by a known civil statute or regulation, but which must be protected due to contractual agreements requiring confidentiality considerations.

      Examples of How Data Can Be Lost

      • Laptop or other data storage system stolen from car.
      • Research Assistant accesses system after leaving research project because passwords aren’t changed.
      • Unauthorized visitor walks into unlocked lab and steals equipment or accesses unsecured computer.
      • Unsecured application on a networked computer is hacked and data stolen.

      Impact of Category-I Data Loss

      • Long-term loss of research funding from granting agencies.
      • Long-term loss of reputation. Published research called into question because data is unreliable.
      • Unauthorized tampering of research data.
      • Increase in regulatory requirements.
        Long-term loss of critical campus or departmental service.
      • Individuals put at risk for identity theft.
    2. Category-II– Data not otherwise identified as category-I data, but which are releasable in accordance with the Texas Public Information Act (e.g. contents of specific e-mail, data or birth, salary, etc). Such data must be appropriately protected to ensure a controlled and lawful release.

      Examples of How Data Can Be Lost

      In addition to the above scenarios…

      • Staff member wanting to be helpful releases information they are not authorized to share.

      Impact of Category-II Data Loss

      • Short-term loss of reputation.
      • Short-term loss of research funding.
      • Short-term loss of critical departmental service.
      • Unauthorized tampering of research data.
      • Individuals put at risk for identity theft.
    3. Category III– University data not otherwise identified as category-I or category-II data (e.g., publicly available). Such data has no requirement for confidentiality, integrity, or availability.

      Examples of How Data Can Be Lost

      See the above scenarios.

      Impact of Category-III Data Loss

      • Loss of use of personal workstation or laptop.
      • Loss of personal data with no impact to the university.
  3. Classifying Data Using C-I-A

    When evaluating data classification and it doesn’t clearly fall under the laws and regulations listed in the definition, you can apply confidentiality, integrity, and availability (C-I-A) criteria. (Most of the legal and regulatory requirements are driven by confidentiality and integrity concerns.)

    • Confidentiality – The need to strictly limit access to data to protect the university and individuals from loss.
    • Integrity – Data must be accurate and users must be able to trust its accuracy.
    • Availability – Data must be accessible to authorized persons, entities, or devices.

    To determine the level of protections applied to a system, base your classification on the most confidential data stored in the system. Even if the system stores data that could be made available in response to an open records request or information that is public, the entire system must still be protected based on the most confidential data.

    Data Classification Weighting
      Category I Category II Category III
    Need for Confidentiality Required
    (high)
    Recommended
    (medium)
    Optional
    (low)
  4. Data Classification Examples

    This section illustrates how the ISO classifies some familiar data using the CIA (confidentiality, integrity, and availability) criteria.

    Category-I Data: OneCard database

    The data within the OneCard database includes credit card numbers which are required to be protected by the Payment Card Industry Data Security Standards (PCI DSS). While PCI DSS is not a federal or state regulation, the data would be designated as having a high need for confidentiality as PCI DSS required by a contractual agreement.

    • Need for confidentiality is required (high)

    Category-II Data: List of birthdates for all current students

    Birthdates are considered Category-II data. By law they are public information and can be published (unless restricted by individuals). However, the information is not meant to be posted and available for use to all on the Internet. People must submit open records requests to get birthdates of students.

    • Need for confidentiality is required, but available via open records request (medium)

    Category-III Data: Faculty Website

    A public website is by its very nature designed to be shared with the world. The confidentiality requirement is therefore optional (low).

    • Need for confidentiality is optional (low)

Appendix A

Extended List of Category-I Data

This document provides an expanded list of representative examples of data classified as category-I data. This list is provided to help owners and custodians with a way to evaluate the level of protections required for their systems.

NOTE: Social Security numbers may be stored on only authorized systems, such as the Banner system. They are released only as required by law; for example, to the IRS for tax purposes.

This list is not all-inclusive, and it does not cover the release of information.

Patient Medical/Health Information (HIPAA)

The following information is confidential:

  • Social Security number
  • Patient names, street address, city, county, zip code, telephone / fax numbers
  • Dates (except year) related to an individual, account / medical record numbers, health plan beneficiary numbers
  • Personal vehicle information
  • Certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses
  • Access device numbers (ISO number, building access code, etc.)
  • Biometric identifiers and full face images
  • Any other unique identifying number, characteristic, or code
  • Payment Guarantor’s information

Student Records (FERPA)

The following information is confidential. This applies to both enrolled and prospective student data.

  • Social Security number
  • Grades (including test scores, assignments, and class grades)
  • Student financials, credit cards, bank accounts, wire transfers, payment history, financial aid/grants, student bills
  • Access device numbers (ISO number, building access code, etc.)
  • Biometric identifiers

Note that for enrolled students, the following data may ordinarily be revealed by the university without student consent unless the student designates otherwise:

  • Name, local and permanent mailing addresses, telephone number(s), residence assignment and room or apartment number, campus office address (for graduate students)
  • Date of birth, place of birth
  • ASU E-mail address(es)
  • Dates of attendance; enrollment status; classification; degree(s); major and minor fields of study; awards and honors received
  • Previous educational agencies and institutions attended
  • Hometown, parents’ names and mailing addresses
  • Participation in recognized activities and sports; weight and height of members of athletic teams; team photographs
  • Marital status
  • Photograph

For more information, see Angelo State University’s FERPA Web page.

Donor/Alumni Information (OPP, Texas Identity Theft Enforcement and Protection Act, HIPAA, Texas Public Information statutes)

The following information is confidential:

  • Social Security number
  • Name
  • Personal financial information
  • Family information
  • Medical information
  • Credit card numbers, bank account numbers, amount / what donated
  • Telephone / fax numbers, e-mail, URLs

Research Information (Granting Agency Agreements, Other IRB Governance)

The following information is confidential:

  • Human subject information
  • Sensitive digital research data

Contact the Office of Sponsored Projects for more information on research involving human subjects.

Employee Information (Texas Identity Theft Enforcement and Protection Act)

There can be confusion over which rules apply when an employee is also a student. The rule of thumb is that the student rules apply when the employee is in a student job title.

The following employee information is confidential:

  • Social Security number
  • Personal financial information, including non-ASU income level and sources
  • Insurance benefit information
  • Access device numbers (building access code, etc.)
  • Biometric identifiers
  • Family information, home address, and home phone number may be revealed unless restricted by the employee. ASU employees can restrict this information by contacting the Office of Human Resources.

Please note that information considered public, such as employee names, birth dates, salary, and performance review information, would be released under an open records request.

Business/Vendor Data (Gramm-Leach-Bliley Act, Non-Disclosure agreement)

The following information is confidential:

  • Vendor Social Security number
  • Credit card information
  • Contract information (between ASU and a third party)
  • Access device numbers (building access code, etc.)
  • Biometric identifiers
  • Certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses

Other Institutional Data (Gramm-Leach-Bliley Act, Other Considerations)

The following information is confidential:

  • Financial records
  • Contracts
  • Physical plant detail
  • Credit card numbers
  • Certain management information
  • Critical infrastructure detail
  • User account passwords

Payment Card Industry Data Security Standard (PCI DSS)

The following information is confidential:

  • Personal Account Number (PAN)
    • Name if stored with PAN
    • Service Code
    • Expiration Date
  • ISO Number