Information Asset Classification Policy

Approved 1/29/18

Purpose

Many different kinds of information reside on University of Wisconsin (UW) - Whitewater network and the systems thereupon. Some of this information is public and would not be harmful to the University if disclosed or compromised whereas other information is very confidential and would be extremely damaging if disclosed or compromised. Most information exists in between these two extremes. Due diligence dictates that the University treats its information assets with protection commensurate with its value and purpose. Additionally, all external agents of the University must comply with this policy. 

The UW System Administrative Policy 1031 - Information Security: Data Classification and Protection defines the method by which the data assets are categorized, based on the risk to the UW System.   The risk categories defined by the UW System Administrative Procedure 1031.A - Information Security: Data Classification, supplement the UW-Whitewater classifications.  

Foundation / Philosophy Statement

University information assets should be classified in a manner consistent with their value to the University and its mission and afforded protection consistent with this classification.

Definitions

Data Steward:  Term used by the UW System Administrative Policy 1031 - Information Security: Data Classification and Protection to include "An individual who has direct responsibility to ensure that a data domain is classified appropriately.  The data steward collaborates with institutional Security, Privacy and Data Officers."  At UW-Whitewater, this responsibility is performed by the Data Owners.  The UW-Whitewater Data Custodianship Policy sets forth the responsibilities of the Data Owner and other related data custodianship roles

Statement of Policy

The University adopts and supports policies, procedures and guidelines that ensure the proper classification and protection of University information assets.

The UW System Administrative Policy 1031 - Information Security: Data Classification and Protection defines the method by which the data assets are categorized, based on the risk to the UW System.   Examples of the types of data elements for the low, moderate and high risk categories are provided in the UW System Administrative Procedure 1031.A - Information Security: Data Classification document.

Following are the definitions and risk categories, adopted from the UW System Administrative Policy 1031 - Information Security: Data Classification and Protection and the UW System Administrative Procedure 1031.A - Information Security: Data Classification documents: 

Catastrophic Risk:  Any data where the unauthorized disclosure, alteration, loss, or destruction may be catastrophic to human life. 

High Risk: Any data where the unauthorized disclosure, alteration, loss, or destruction may:

• Cause personal or institutional financial loss or the unauthorized release of which would be a violation of a statute, act or law;
• Constitute a violation of confidentiality agreed to as a condition of possessing or producing or transmitting data;
• Cause significant reputational harm to the Institution or UW System; or,
• Require the UW System to self-report to the government and/or provide public notice if the data is inappropriately accessed.

Moderate Risk:  Any data where the unauthorized disclosure, alteration, loss, or destruction may have a mildly adverse impact on the mission, safety, finances, or reputation of the Institution or UW System.  Data not specifically identified in another risk level is categorized as a "Moderate Risk". 

Low Risk:  Any data where the unauthorized disclosure, alteration, loss, or destruction would have no adverse impact on the mission, safety, finances, or reputation of the Institution or UW System.  

The Data Steward(s) of each domain shall evaluate and classify data for which they are responsible according to the definitions in this policy, and assign the appropriate risk category based on the procedures specified in UW System Administrative Procedure 1031.A - Information Security: Data Classification. Data stewards shall review data classification(s) annually. 

• A Data Steward may classify specific data elements at a higher risk level than identified in the procedure.
• A Data Steward may not reclassify to a lower risk level any data that is specifically classified in the procedure.

ICIT Responsibilities

Federal and State guidelines, UW System Administrative Policy and Procedure and other factors determine the level of asset classification. ICIT is responsible for advising the campus in applying appropriate classification levels and for providing solutions to ensure that assets are afforded appropriate protection. ICIT also develops policies, procedures and guidelines which manage the classification of University information assets. 

Related Documents 

• University of Wisconsin-Whitewater Data Custodian Policy http://www.uww.edu/icit/policies-agreements/data-custodian
• University of Wisconsin System Administrative Policy 1031 - Information Security: Data Classification and Protection  https://www.wisconsin.edu/uw-policies/uw-system-administrative-policies/information-security-data-classification/
• University of Wisconsin System Administrative Procedure 1031.A - Information Security: Data Classification  https://www.wisconsin.edu/uw-policies/uw-system-administrative-policies/information-security-data-classification/information-security-data-classification

Scheduled Review

This document will be reviewed on an annual basis, or as deemed necessary.

Revision/Review Log

Date	Approver	Action	Description
01/29/2018			Revised to include references to the requirements contained in the July 31, 2017 revisions of the University of Wisconsin System Administrative Policy 1031 - Information Security: Data Classification and Protection and the UW System Administrative Procedure 1031.A - Information Security: Data Classification documents.