Many different kinds of information reside on the University of Wisconsin (UW) - Whitewater network and the systems thereupon. Some of this information is public and would not be harmful to the University if disclosed or compromised, whereas other information is very confidential and would be extremely damaging if disclosed or compromised. Most information exists in between these two extremes. Due diligence dictates that the University treats its information assets with protection commensurate with their value and purpose. Additionally, all external agents of the University must comply with this policy.
The UW System Administrative Policy 1031 - Information Security: Data Classification and Protection defines the method by which the data assets are categorized, based on the risk to the UW System. The risk categories defined by the UW System Administrative Procedure 1031.A - Information Security: Data Classification supplement the UW-Whitewater classifications.
University information assets should be classified in a manner consistent with their value to the University and its mission and afforded protection consistent with this classification.
Data Steward: Term used by the UW System Administrative Policy 1031 - Information Security: Data Classification and Protection to include "An individual who has direct responsibility to ensure that a data domain is classified appropriately. The data steward collaborates with institutional Security, Privacy and Data Officers." At UW-Whitewater, this responsibility is performed by the Data Owners. The UW-Whitewater Data Custodianship Policy sets forth the responsibilities of the Data Owner and other related data custodianship roles.
The University adopts and supports policies, procedures and guidelines that ensure the proper classification and protection of University information assets.
The UW System Administrative Policy 1031 - Information Security: Data Classification and Protection defines the method by which the data assets are categorized, based on the risk to the UW System. Examples of the types of data elements for the low, moderate and high risk categories are provided in the UW System Administrative Procedure 1031.A - Information Security: Data Classification document.
Following are the definitions and risk categories, adopted from the UW System Administrative Policy 1031 - Information Security: Data Classification and Protection and the UW System Administrative Procedure 1031.A - Information Security: Data Classification documents:
Catastrophic Risk: Any data where the unauthorized disclosure, alteration, loss, or destruction may be catastrophic to human life.
High Risk: Any data where the unauthorized disclosure, alteration, loss, or destruction may:
Moderate Risk: Any data where the unauthorized disclosure, alteration, loss, or destruction may have a mildly adverse impact on the mission, safety, finances, or reputation of the Institution or UW System. Data not specifically identified in another risk level is categorized as a "Moderate Risk".
Low Risk: Any data where the unauthorized disclosure, alteration, loss, or destruction would have no adverse impact on the mission, safety, finances, or reputation of the Institution or UW System.
The Data Steward(s) of each domain shall evaluate and classify data for which they are responsible according to the definitions in this policy, and assign the appropriate risk category based on the procedures specified in UW System Administrative Procedure 1031.A - Information Security: Data Classification. Data stewards shall review data classification(s) annually.
Federal and State guidelines, UW System Administrative Policy and Procedure and other factors determine the level of asset classification. ICIT is responsible for advising the campus in applying appropriate classification levels and for providing solutions to ensure that assets are afforded appropriate protection. ICIT also develops policies, procedures and guidelines which manage the classification of University information assets.
This document will be reviewed on an annual basis, or as deemed necessary.
Date | Approver | Action | Description |
01/29/2018 | Revised to include references to the requirements contained in the July 31, 2017 revisions of the University of Wisconsin System Administrative Policy 1031 - Information Security: Data Classification and Protection and the UW System Administrative Procedure 1031.A - Information Security: Data Classification documents. |
Operational Procedures define ICIT's services, expectations, and role as part of the campus community.