Information Asset Classification Policy

Approved 1/29/18

Purpose

Many different kinds of information reside on the University of Wisconsin (UW) - Whitewater network and the systems on it. Some of this information is public and would not be harmful to the University if disclosed or compromised, whereas other information is very confidential and would be extremely damaging if disclosed or compromised. Most information falls between these two extremes. Due diligence dictates that the University protect its information assets in a manner commensurate with their value and purpose. Additionally, all external agents of the University must comply with this policy.

The UW System Administrative Policy 1031 - Information Security: Data Classification and Protection defines the method by which data assets are categorized, based on the risk to the UW System. The risk categories defined by the UW System Administrative Procedure 1031.A - Information Security: Data Classification supplement the UW-Whitewater classifications.

Foundation / Philosophy Statement

University information assets should be classified in a manner consistent with their value to the University and its mission and afforded protection consistent with this classification.

Definitions

Data Steward: Term used by the UW System Administrative Policy 1031 - Information Security: Data Classification and Protection to include "An individual who has direct responsibility to ensure that a data domain is classified appropriately. The data steward collaborates with institutional Security, Privacy and Data Officers." At UW-Whitewater, this responsibility is performed by the Data Owners. The UW-Whitewater Data Custodianship Policy sets forth the responsibilities of the Data Owner and other related data custodianship roles.

Protected data: Any UW - Whitewater data and resources assigned a classification level other than public, as defined in the UW - Whitewater Instructional, Communication, and Information Technology (ICIT) Information Asset Classification Policy.

Statement of Policy

The University adopts and supports policies, procedures and guidelines that ensure the proper classification and protection of University information assets. University information is classified as one of the following types:

Public:
This information is suitable for public dissemination. Examples include public web pages, course listings, press releases, marketing material, etc. 

Internal:
This information is available to all employees within the University. Access to this information is restricted to use by employees only for the conduct of university business. Examples include student telephone and address lists, budgets, recruitment plans, strategic plans, network diagrams, etc. 

External:
External information includes data owned by agents outside the University for which members of the university act as custodians. Examples include UW-System data and online databases. This information will be treated in accordance with guidelines established by the data owners.

Restricted:
Restricted information includes information that units may decide to share with other units outside their administrative purview for the purpose of collaboration. Examples include data created by the department, research data and project data. Loss of this information could cause harm to the University's image or reputation, but would not necessarily violate existing laws or regulations. 

Confidential:
Confidential information is typically non-public information about people. Examples include student or employee identifiable information, medical records, legal records, student records, police records, and financial account information. Information governed under Federal or State disclosure statutes is classified as confidential. The Data Owner grants data users access to confidential information; however, data users are not allowed to disseminate this confidential information outside their administrative purview. Unauthorized release or loss of confidential information could reasonably be expected to cause legal and/or financial consequences to the University.

The UW System Administrative Policy 1031 - Information Security: Data Classification and Protection defines the method by which the data assets are categorized, based on the risk to the UW System.   Examples of the types of data elements for the low, moderate and high risk categories are provided in the UW System Administrative Procedure 1031.A - Information Security: Data Classification document.

Following are the definitions and risk categories, adopted from the UW System Administrative Policy 1031 - Information Security: Data Classification and Protection and the UW System Administrative Procedure 1031.A - Information Security: Data Classification documents: 

Catastrophic Risk:  Any data where the unauthorized disclosure, alteration, loss, or destruction may be catastrophic to human life. 

High Risk: Any data where the unauthorized disclosure, alteration, loss, or destruction may:

  • Cause personal or institutional financial loss or the unauthorized release of which would be a violation of a statute, act or law;
  • Constitute a violation of confidentiality agreed to as a condition of possessing or producing or transmitting data;
  • Cause significant reputational harm to the Institution or UW System; or,
  • Require the UW System to self-report to the government and/or provide public notice if the data is inappropriately accessed.

Moderate Risk:  Any data where the unauthorized disclosure, alteration, loss, or destruction may have a mildly adverse impact on the mission, safety, finances, or reputation of the Institution or UW System.  Data not specifically identified in another risk level is categorized as a "Moderate Risk". 

Low Risk:  Any data where the unauthorized disclosure, alteration, loss, or destruction would have no adverse impact on the mission, safety, finances, or reputation of the Institution or UW System. 

Data Stewards will assign both a UW-Whitewater classification type and risk category when they are identifying and documenting asset classification. 

The Data Steward(s) of each domain shall evaluate and classify data for which they are responsible according to the definitions in this policy, and assign the appropriate risk category based on the procedures specified in UW System Administrative Procedure 1031.A - Information Security: Data Classification. 

  • A Data Steward may classify specific data elements at a higher risk level than identified in the procedure.
  • A Data Steward may not reclassify to a lower risk level any data that is specifically classified in the procedure.

ICIT Responsibilities

Federal and State guidelines, UW System Administrative Policy and Procedure and other factors determine the level of asset classification. ICIT is responsible for advising the campus in applying appropriate classification levels and for providing solutions to ensure that assets are afforded appropriate protection. ICIT also develops policies, procedures and guidelines which manage the classification of University information assets. 

Related Documents 

Scheduled Review

This document will be reviewed on an annual basis, or as deemed necessary.

Revision/Review Log

Date Approver Action Description
01/29/2018 Revised to include references to the requirements contained in the July 31, 2017 revisions of the University of Wisconsin System Administrative Policy 1031 - Information Security: Data Classification and Protection and the UW System Administrative Procedure 1031.A - Information Security: Data Classification documents.