This policy provides the University of Oregon’s approach for classifying data and information systems (“information assets”) according to their potential level of risk to the University. The policy and associated procedures also assign roles and responsibilities for protecting information assets and detail how such assets must be protected based on their classifications.
All users of University of Oregon information
For questions about this policy, please contact the Chief Information Security Office at 541-346-5837 or firstname.lastname@example.org.
Amendments approved by President Schill on July 2, 2019.
Enacted as a permanent policy by President Schill on 04/25/2016.
Extended by President Michael Schill on December 15, 2015.
Enacted as an emergency policy by Dr. Scott Coltrane, Interim President on June 25, 2015.
This policy supersedes Fiscal Policy Manual 56.350.200-230 and UO Policy 10.00.01.
The purpose of this policy is to outline the acceptable approach for classifying university information assets into risk levels to facilitate determination of access authorization and appropriate security control. The requirement to safeguard information assets must be balanced with the need to support the pursuit of university objectives. The value of data as an institutional resource increases through its widespread and appropriate use; its value diminishes through misuse, misinterpretation, or unnecessary restrictions to its access.
Data Availability refers to methods for ensuring that required data is always accessible when needed, in accordance with University retention policy.
Data Confidentiality refers to methods for ensuring that access to sensitive data is limited to authorized individuals.
Data Integrity refers to methods for ensuring that data is complete, accurate, consistent, and safeguarded from unauthorized modification.
University Data refers to data owned by or in the custody of the University.
Roles and Responsibilities
Chief Information Security Officer
The Chief Information Security Officer develops policies and procedures to secure University information assets and comply with state, federal, and international laws and regulations applicable to the University of Oregon.
The Data Trustee for all University Data is the Provost or their designees who have planning, policy-level, and management responsibility for data within their designated functional area(s). Data Trustees’ responsibilities include:
- Assigning and overseeing Data Stewards
- Overseeing the establishment of UO information asset policies.
- Determining statutory, regulatory and other University requirements for UO information assets.
- Promoting data quality and appropriate use.
Data Stewards are University officials having direct operational-level responsibility for the management of one or more types of data. Data Stewards must be authorized by the appropriate Data Trustee and are generally associate deans, associate vice presidents, directors or above, or research principle investigators within the scope of work of a research project. Data Stewards’ responsibilities include:
- Assigning and overseeing Data Custodians.
- The application of this and related policies and procedures to the systems, data, and other information resources under their care or control.
- Assigning data classification levels in accordance with this policy and associated procedures.
- Collaborating with the CISO in identifying and implementing appropriate administrative and technical safeguards outlined in the UO Minimum Information Security Conrols Standard, for protecting information assets (see Related Resources, below).
- Communicating and providing education on the required safeguards for data to authorized users and Data Custodians.
- Authorizing access, both logical and physical, only to authorized individuals who have a business need – as defined by law and university policies - to access specific data or other information assets.
- Authorizing remote access to information assets to only authorized individuals who have a business need – as defined by law and university policies - to access through a secured system approved by the Chief Information Security Officer.
In cases where multiple Data Stewards collect and maintain the same data elements, the Data Stewards must work together, in collaboration with the CISO, to apply the UO Minimum Information Security Controls.
Data Custodians are university personnel or designated third-party agents responsible for the operation and management of information systems which collect, manage, process, or provide access to University Data. Data Custodians must be authorized by the appropriate Data Stewards following procedures outlined in the UO Minimum Information Security Controls Standard (see Related Resources, below). Data Custodians’ responsibilities include:
- Applying the UO Minimum Information Security Controls appropriate to the classification level of the data and other information assets in their custody
- Complying with applicable University acceptable use and computer security policies, standards, and procedures.
- Managing Data Consumer access as authorized by appropriate Data Stewards
- Following data handling and protection policies and procedures established by Data Stewards and the CISO.
Data Consumers are the individual University community members or third-party agents who have been granted access to University Data (wherever it is stored) in order to perform assigned duties or in fulfillment of assigned roles or functions for the University. This access is granted solely for legitimate University purposes. Data Consumers’ responsibilities include:
- Following the policies and procedures established by the appropriate Data Stewards, Data Custodians, and the CISO.
- Complying with University policies and federal, international, and state laws and regulations associated with the University Data and information system use.
- Implementing safeguards for protecting data as prescribed by appropriate Data Stewards and the CISO.
- Reporting any unauthorized access or data misuse to the Information Security Office, the appropriate Data Trustee, Steward, or Custodian, for remediation.
A current list of UO Data Trustees, Data Stewards, and Data Custodians is available in the UO Data Security Classification Table found below in Related Resources.
Data Stewards must classify all University data – digital or printed - into risk levels to provide the basis for understanding and applying the appropriate level of security controls. These classification levels consider the state and federal legal protections, contractual agreements, ethical considerations, or strategic or proprietary worth. Data can also be classified as a result of the application of “prudent stewardship,” where the reason to protect the data is to reduce the possibility of harm to individuals or to the institution.
Data Classification Levels
The classification level assigned to data will guide Data Trustees, Data Stewards, Data Custodians, functional and technical project teams, and any others who may create, obtain, process, transmit or store data, in the security protections and access authorization mechanisms appropriate for that data. Data Stewards must classify University Data as one of the following risk levels:
- Low Risk (or Green)
Data is classified as Low Risk if the loss of confidentiality, integrity, or availability of the data would have minimal strategic, compliance, operational, financial, or reputational risk to the University. The integrity of Low Risk data is of primary importance and must be protected. The appropriate Data Trustee or Steward must authorize release of Low Risk data. Refer to the UO Data Security Classification Table (see Related Resources, below) for examples of Low Risk data.
- Moderate Risk (or Amber)Data is classified as Moderate Risk if the loss of confidentiality, integrity, or availability of the data would have moderate strategic, compliance, operational, financial, or reputational risk to the University. Integrity and availability of Moderate Risk data are of primary importance and must be protected; privacy and confidentiality should be protected as appropriate. Access to Moderate Risk data must be authorized by the Data Trustee or Steward who is responsible for the data, as needed. Data access authorization may be provided to individuals as part of their job roles or responsibilities. Refer to the Data Security Classification Table (see Related Resources, below) for examples of Moderate Risk data.
- High Risk (or Red)
Data is classified as High Risk (the most sensitive/critical classification) if the loss of confidentiality, integrity, or availability of the data would have high strategic, compliance, operational, financial, or reputational risk to the University. Privacy, confidentiality, integrity, and availability are important and must be protected. Access to High Risk data must be controlled from creation to destruction, and shall be granted only to those persons affiliated with the University who require such access in order to perform their job, or to those individuals permitted by state or federal law. The confidentiality of data is of primary importance, although the integrity of the data must also be ensured. Access to High Risk data must be requested from, and authorized by, the Data Trustee or Steward who is responsible for the data.
High Risk data includes information protected by law. Note: some data that is not regulated may be classified as High Risk by the Data Trustees or Stewards due to proprietary, ethical, or privacy considerations. Refer to the Data Security Classification Table (see Related Resources, below) for examples of High Risk data.
Classification of Information Systems and Technology Components
Information systems and technology components, including computing and storage devices, mobile devices, network components, and applications, adopt the highest classification of the data that they process, store, or transmit. For example, a system that processes, stores, or transmits High Risk data is classified as a High Risk system; whereas a system that processes Moderate Risk data as the highest data classification level is classified as a Moderate Risk system.
In addition to data-specific risks, information systems components may also affect the safety of the UO community, through interference with operational technology (OT) such as building and industrial automated control systems and automation and supervisory control and data acquisition (SCADA) systems. An information system component is also classified as High, Moderate, or Low Risk if unauthorized access or modification or the loss of availability would have a high, moderate, or low safety risk respectively, to the UO community.
Data Security Requirements for the Classification Levels
The Chief Information Security Officer shall create and maintain security procedures for the various types of data use by the University. These requirements are outlined in the UO In addition, the CISO will create and maintain additional guidelines and procedures for appropriate handling of data including the Minimum Security Procedures for Handling Physical University Data (see Related Resources, below).
- Volume IV: Finance, Administration and Infrastructure
- Chapter 6: Information technology