Data Classification and Handling Standard

Number: IS-2321
Title: Data Classification and Handling Standard
Responsible Office: UA Information Security
Effective Date: 20-March-2015

The University of Arizona takes seriously its commitment to respect and protect the privacy of its students, alumni, faculty and staff, as well as to protect the confidentiality of information important to the University's academic and research mission. For that reason, UA has classified its information assets into the categories Regulated, Confidential, Public, and Internal for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access.

Data Classifications

Use these criteria to determine which data classification is appropriate for a particular information asset.
 

Classifications: INTERNAL, PUBLIC, CONFIDENTIAL, REGULATED

Description

INTERNAL: Data not intended for public use or exposure. Internal data generally should not be disclosed outside of the University without the permission of the person or group that created the data. Any data not specifically classified as Regulated, Confidential, or Public should be considered Internal.

PUBLIC: Data that may be disclosed to any person, regardless of affiliation with the University. Some level of control is required to protect the integrity and availability of Public data (e.g., protecting original (source) documents from unauthorized modification).

CONFIDENTIAL: Data protected as Confidential by law, contracts, or third-party agreement, and by the University for confidential treatment. Unauthorized disclosure, alteration, or destruction of this data type could cause a significant level of risk to the University or its affiliates.

REGULATED: Data controlled by federal, state, local, and/or industry regulations. These data are affected by data breach notification laws and contractual provisions in government research grants, which impose legal and technical restrictions on the appropriate use of institutional information.

Examples

INTERNAL:
- Proprietary University information, produced for use only by UA community members
- Internal operating procedures and operational manuals
- Internal memoranda, emails, reports and other documents
- Contact lists that contain information that is not publicly available
- Technical documents, such as system configurations

PUBLIC:
- Public-facing web pages
- Directory data (e.g., contact information)
- Press releases
- Course information
- Dates of attendance
- Application and request forms
- Maps, newsletters, newspapers and magazines

CONFIDENTIAL:
- Applicant, alumni, donor, potential donor and parent data
- FERPA and GLBA data
- Human Subject Research data
- Restricted or unpublished research data
- Data protected by confidentiality agreements
- Law enforcement or court records and confidential investigation records
- Citizen or immigration status
- Detailed information about certain University buildings, activities or events, including facility security system details

REGULATED:
- Social Security Numbers
- Credit Card Numbers
- Financial/Banking Account Numbers
- Driver's License Numbers
- Health Insurance Policy ID Numbers
- Data as defined under FISMA, ITAR/EAR, HIPAA

Access

INTERNAL: Access limited to members of the UA community.

PUBLIC: Open access to public information. However, care should always be taken to use all University information appropriately and to respect all applicable laws. Information that is subject to copyright must only be distributed with the permission of the copyright holder.

CONFIDENTIAL: Access limited to those with a need to know, at the discretion of the data owner or custodian.

REGULATED: Access limited to those permitted under law, regulation and UA policies, and with a need to know.

Transmission- Encryption

INTERNAL: No encryption is required for the transmission of Internal Data.

PUBLIC: No encryption is required for the transmission of Public Data.

CONFIDENTIAL: Encryption is strongly recommended when transmitting information through a network. Third-party email services are discouraged for transmitting Confidential Data.

REGULATED: NIST-approved encryption is required when transmitting information through a network. Regulated numbers may be redacted instead of encrypted.

Transmission- Wireless Network

INTERNAL: Wireless transmission of Internal Data permissible.

PUBLIC: Wireless transmission of Public Data permissible.

CONFIDENTIAL: Encryption is strongly recommended when transmitting information through a wireless network. Third-party email services are discouraged for transmitting Confidential Data.

REGULATED: Wireless transmission of data must be approved by appropriate compliance officers and/or Information Security Officer. If approved, NIST-approved encryption is required. Regulated numbers may be redacted instead of encrypted.

Transmission- Email

INTERNAL: Email of Internal Data permissible.

PUBLIC: Email of Public Data permissible.

CONFIDENTIAL: Encryption is strongly recommended when emailing Confidential Data. Third-party email services are discouraged for transmitting Confidential Data.

REGULATED: NIST-approved encryption is required for all Regulated Data. Third-party email services are not appropriate for transmitting Regulated Data. Regulated numbers may be redacted instead of encrypted.

Storage

INTERNAL: No encryption is required for the storage of Internal Data. Care should still be taken to protect the integrity of Internal Data.

PUBLIC: No encryption is required for the storage of Public Data. Care should still be taken to protect the integrity of Public Data.

CONFIDENTIAL: Encryption is strongly recommended. If appropriate level of protection is not known, check with the data steward and/or UA Information Security before storing Confidential Data unencrypted. Third-party processing or storage services may receive or store Confidential Data if UA has a valid contract with the vendor that specifies appropriate storage of Confidential Data.

REGULATED: Encryption is required for storage of Regulated Data. Regulated numbers may be redacted instead of encrypted.

 University of Arizona File Sharing Quick Reference Guide

KEY
- Permitted (green check)
- Allowed, Encryption Recommended (yellow padlock)
- Prohibited (red x)

| Service | INTERNAL | PUBLIC | CONFIDENTIAL | REGULATED |
| --- | --- | --- | --- | --- |
| UNIVERSITY SERVICES | | | | |
| Box @ UA | Permitted | Permitted | Permitted | Prohibited |
| G Suite for Education | Permitted | Permitted | Allowed, Encryption Recommended | Prohibited |
| UITS File Servers | Permitted | Permitted | Allowed, Encryption Recommended | Prohibited |
| OTHER SERVICES | | | | |
| Dropbox | Permitted | Permitted | Prohibited | Prohibited |
| Evernote | Permitted | Permitted | Prohibited | Prohibited |
| Google Drive | Permitted | Permitted | Prohibited | Prohibited |
| iCloud | Permitted | Permitted | Prohibited | Prohibited |
| Office 365 | Permitted | Permitted | Prohibited | Prohibited |

NOTE: Some unit IT groups have deployed solutions suitable for REGULATED data. If you need to process, transmit, or store REGULATED data, please contact your local IT support staff for assistance.
 

 Description of Services Provided by Central IT Operations

  • Box @ UA is an online cloud storage and collaboration tool that enables campus users to easily store, access and share files anytime, anywhere, from any device. It is available to faculty and staff for storing or sharing Confidential, Public or Internal data. For more information, go to Box@UA.
  • G Suite for Education is available for sharing teaching and learning files among faculty and students. For more information, go to the Catmail page.
  • UITS file servers: Units may contract with UITS to store Confidential, Public, and Internal data on on-campus file servers. Colleges, schools and departments may use file servers to manage staff and/or faculty content using mapped network drives, and can designate access on an individual, group, or departmental basis.

Caution: When sharing and storing files, ensure access is limited to only individuals for whom the information is intended.

For information or guidance on data classification and handling, please contact UA Information Security at (520) 621-8476 or infosec@email.arizona.edu.