Information Asset Classification

Purpose

Many different kinds of information reside on the UW-Whitewater network and the systems connected to it. Some of this information is public and would not be harmful to the University if disclosed or compromised, whereas other information is very confidential and would be extremely damaging if disclosed or compromised. Most information exists in between these two extremes. Due diligence dictates that the University treat its information assets with protection commensurate with their value and purpose. Additionally, all external agents of the University must comply with this policy.

Foundation / Philosophy Statement

University information assets should be classified in a manner consistent with their value to the University and its mission and afforded protection consistent with this classification.

Statement of Policy

The University adopts and supports policies, procedures and guidelines that ensure the proper classification and protection of University information assets. University information is classified as one of the following types:

Public:
This information is suitable for public dissemination. Examples include public web pages, course listings, press releases, marketing material, etc.

Internal:
This information is available to all employees within the University. Access to this information is restricted to use by employees only for the conduct of university business. Examples include student telephone and address lists, budgets, recruitment plans, strategic plans, network diagrams, etc.

External:
External information includes data owned by agents outside the University for which members of the university act as custodians. Examples include UW-System data and online databases. This information will be treated in accordance with guidelines established by the data owners.

Restricted:
Restricted information includes information that units may decide to share with other units outside their administrative purview for the purpose of collaboration. Examples include data created by the department, research data and project data. Loss of this information could cause harm to the University's image or reputation, but would not necessarily violate existing laws or regulations.

Confidential:
Confidential information is typically non-public information about people. Examples include student or employee identifiable information, medical records, legal records, student records, police records, and financial account information. Information governed under Federal or State disclosure statutes is classified as confidential. The data owner grants data users access to confidential information; however, data users are not allowed to disseminate this confidential information outside their administrative purview. Unauthorized release or loss of confidential information could reasonably be expected to cause legal and/or financial consequences to the University.

ICIT Responsibilities

Federal and State guidelines and other factors determine the level of asset classification. ICIT is responsible for advising the campus in applying appropriate classification levels and for providing solutions to ensure that assets are afforded appropriate protection. ICIT also develops policies, procedures and guidelines which manage the classification of University information assets.