
Information Classification Standard


Overview

Information assets are some of the most valuable assets owned by the University of Georgia (UGA). UGA produces, collects, and uses many different types of information in fulfilling its mission. Laws and institutional policy mandate privacy and protection of certain information, and the University's need to manage the risks to its reputation and to its constituents requires the protection of other information. Classifying information is the first step in determining the information's need for protection.

Purpose

This standard is intended to help UGA employees, particularly data owners, data managers, and data users, classify information for the purposes of determining its need for protection and determining applicable policies and laws.

For example, the 2005 Securing Sensitive Data Initiative tasks all UGA departments with the "Identification and inventory of critical/sensitive servers/data." This standard should help UGA employees determine which information and information systems to identify and inventory.

Scope

This standard can be used to classify (i) any information system or (ii) any piece of information that is stored, processed, or transmitted by UGA. The standard applies to all types of information:

  • Electronic information,
  • Information on paper and
  • Information shared orally, visually or by other means.

Method

To classify information or information systems, match the information to one of the three categories which best describes its need for confidentiality and integrity (Sensitivity) and one of the three categories which best describes its need for availability (Criticality) in the context of risk to UGA's mission. The categories are:

                           Sensitivity                      Criticality
                           (need for confidentiality        (need for availability)
                           or integrity)

Requires more protection   Sensitive                        Critical
Requires protection        Internal                         High-priority
Requires less protection   Public                           Supportive

Format

Information or information systems will be labeled according to the following format: Information (Sensitivity, Criticality) or System (Sensitivity, Criticality)

Examples

  • Student grades (Sensitive, Critical)
  • Email system (Internal, Critical)
  • Course materials (Public, Supportive)

Classifying Information Systems with Multiple Categories of Information

When classifying an information system that uses multiple categories of information, use the category that requires the highest level of protection. For example, a supportive file server that stores both internal documents and documents intended for public consumption should be classified as:

  • File server (Internal, Supportive)
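The rules above (two independent axes, the label format "Name (Sensitivity, Criticality)", and the "highest level of protection" rule for systems holding several kinds of information) are mechanical enough to encode. The following is an added example, not part of the UGA standard, that applies them to a constructed inventory; the enum names, the sample data items and the function names are assumptions made for illustration.

```python
"""Added example (not part of the UGA standard): apply the standard's
classification rules in code so that an inventory of data items yields a
system label such as "File server (Internal, Supportive)"."""

from enum import IntEnum
from typing import Iterable, Tuple


class Sensitivity(IntEnum):
    """Need for confidentiality or integrity; a higher value needs more protection."""
    PUBLIC = 0
    INTERNAL = 1
    SENSITIVE = 2


class Criticality(IntEnum):
    """Need for availability; a higher value needs more protection."""
    SUPPORTIVE = 0
    HIGH_PRIORITY = 1
    CRITICAL = 2


# Display names exactly as the standard writes them in labels.
SENSITIVITY_NAMES = {
    Sensitivity.PUBLIC: "Public",
    Sensitivity.INTERNAL: "Internal",
    Sensitivity.SENSITIVE: "Sensitive",
}
CRITICALITY_NAMES = {
    Criticality.SUPPORTIVE: "Supportive",
    Criticality.HIGH_PRIORITY: "High-priority",
    Criticality.CRITICAL: "Critical",
}

Classification = Tuple[Sensitivity, Criticality]


def format_label(name: str, classification: Classification) -> str:
    """Render 'Name (Sensitivity, Criticality)', the standard's label format."""
    sens, crit = classification
    return f"{name} ({SENSITIVITY_NAMES[sens]}, {CRITICALITY_NAMES[crit]})"


def classify_system(items: Iterable[Classification]) -> Classification:
    """Classify a system from the classifications of the information it handles.

    Each axis is taken independently: the system inherits the highest
    sensitivity of any item and the highest criticality of any item, which is
    the 'highest level of protection' rule in the standard. A system with no
    inventoried information cannot be classified, so that is reported as an
    error rather than silently defaulting to Public/Supportive.
    """
    items = list(items)
    if not items:
        raise ValueError("cannot classify a system that holds no inventoried information")
    return (max(s for s, _ in items), max(c for _, c in items))


# Constructed sample inventory (hypothetical data items, not from the standard):
# a departmental file server holding internal documents and public documents,
# none of which anyone depends on for more than day-to-day work.
FILE_SERVER_CONTENTS = [
    (Sensitivity.INTERNAL, Criticality.SUPPORTIVE),   # internal memos
    (Sensitivity.PUBLIC, Criticality.SUPPORTIVE),     # published brochures
]

# A second constructed inventory showing that the axes combine independently:
# one item is Sensitive but only Supportive, another is Internal but
# High-priority; the system ends up Sensitive AND High-priority.
RESEARCH_SHARE_CONTENTS = [
    (Sensitivity.SENSITIVE, Criticality.SUPPORTIVE),    # human-subject research data
    (Sensitivity.INTERNAL, Criticality.HIGH_PRIORITY),  # backup of critical records
]

if __name__ == "__main__":
    print(format_label("File server", classify_system(FILE_SERVER_CONTENTS)))
    print(format_label("Research share", classify_system(RESEARCH_SHARE_CONTENTS)))
```

Running the script prints "File server (Internal, Supportive)", matching the example in the standard, and "Research share (Sensitive, High-priority)", which shows why the two axes must be maximised separately rather than picking the single "worst" item.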

Help

UGA employees can contact the Office of Information Security for guidance on the application of this standard.

Sensitivity Categories



Sensitive Information

Sensitive Information has the highest need for protection. In some cases, protection may be mandated by law. Confidentiality and integrity of this information must be rigorously protected.

Characteristics of Sensitive Information

  • Compliance Risk: Protection of information is mandated by law (FERPA, HIPAA, GLBA) or required by private contract (PCI DSS).
  • Reputation Risk: Loss of confidentiality or integrity will cause significant damage to UGA's reputation. For example, loss of social security numbers or defacement of the UGA website would likely be a news item that would appear in the media.
  • Other Risks: Loss of confidentiality that could cause harm to individuals such as UGA students, personnel, donors, and partners. Loss of confidentiality or integrity that would cause UGA to incur significant costs in response.
  • Treatment in Open Records Requests: Sensitive information is typically redacted from open records disclosures.

Examples of Sensitive Information

  • Social security numbers, and other identifying numbers
  • Student records and prospective student records
  • Patient health information and employee insurance information
  • Credit card numbers, P-Card numbers, and other PCI data
  • Financial aid information
  • Bank account numbers
  • Donor and alumni records
  • Critical infrastructure information (physical plant detail, IT systems information, system passwords, information security plans, etc.)
  • Research information related to sponsorship, funding, human subject, etc.
  • Information protected by non-disclosure agreements (NDAs) or similar private contracts
  • Law enforcement and investigative records
  • UGA ID Number (also known as the CAN or 810 Number)

Internal Information

Internal information is intended for use by UGA only. Confidentiality of this information is preferred, but information generally can be made available to the public by open records request. The information is very valuable to the institution, so integrity of the information should be rigorously protected.

Characteristics of Internal Information

  • Compliance Risk: Protection is not mandated by law or contract, but is required by institutional policy, such as the UGA Privacy Policy, or strongly encouraged by best practices and guidelines.
  • Reputation Risk: Loss of confidentiality or integrity might cause moderate damage to UGA's reputation.
  • Other Risks: Loss of confidentiality or integrity may cause UGA to incur some moderate costs in response.
  • Treatment in Open Records Request: Information is typically subject to disclosure via open records request.

Examples of Internal Information

  • Employee information such as performance evaluations
  • Employee time records
  • Internal e-mail and other such correspondence
  • Most internally produced documents
  • Internal accounting information
  • Student records that are NOT personally identifiable and used by authorized agents for purposes of research, trending, etc.

Public Information

Public information is intended for public consumption or has no need for confidentiality. Still, the information is valuable to the university and the information needs to be accurate, so steps should be taken to assure the integrity of the information.

Characteristics of Public Information

  • Compliance Risk: Data is not required to be protected by law, contract, or institutional policy.
  • Reputation Risk: Loss of confidentiality or integrity represents little to no risk to institutional reputation.
  • Other Risks: Loss of integrity of public data (e.g. defacement of a public web site) could result in some minimal costs to respond to the incident.
  • Treatment in Open Records Request: Data is already available to the public or can readily be made available to the public via an open records request.

Examples of Public Information

  • Directory information (in a few cases this may be considered Sensitive under FERPA)
  • Policies and procedures
  • Information on public web sites
  • Press releases and other information in the media
  • Academic calendar, bulletin, and other such schedules
  • University plans
  • Campus map
  • Any other information made available to the public

Criticality Categories



Critical Information

Critical Information has the highest need for availability. If the information is not available due to downtime, deletion, destruction, etc., the University's functions and mission would be impacted. Availability of this information must be rigorously protected.

Characteristics of Critical Information

  • Risk to Life: Loss of availability will create increased risk to life or otherwise create risk to individuals (e.g. health care information or UGAAlert system)
  • Mission Risk: Short to medium term (immediate to a few days) loss of availability or downtime would preclude the University of Georgia (or University System of Georgia and other state or federal agencies) from accomplishing its (their) core functions or mission.
  • Compliance Risk: Availability of information is mandated by law (FERPA, HIPAA, GLBA) or required by private contract (PCI DSS).
  • Reputation Risk: Loss of availability will cause significant damage to UGA's reputation. For example, unavailability of the UGA website could potentially cause negative publicity for the university.
  • Other Risks: Loss of availability would cause UGA to incur significant costs in response.

Examples of Critical Information

  • E-mail or other central communications
  • Student Records
  • Emergency notification systems
  • Research computing information

High-priority Information

Availability of information is necessary for departmental function and must be protected. If information is unavailable for long periods of time, there may be impact to University-wide function.

Characteristics of High-priority Information

  • Mission Risk: Loss of availability or downtime would preclude an individual Department/Unit/College from accomplishing a core function or its mission, or long term (a month or more) loss of availability may impact University-wide function.
  • Compliance Risk: Availability is not mandated by law or contract, but may be required by internal contracts and service level agreements (SLA).
  • Reputation Risk: Loss of availability might cause moderate damage to UGA's reputation.
  • Other Risks: Loss of availability may cause UGA to incur some moderate costs in response.

Examples of High-priority Information

  • Departmental business records
  • Backup source of critical information
  • Departmental work flow

Supportive Information

Supportive information is necessary for day-to-day operations, but is not critical to the University's or to a Department/Unit/College's mission or core functions. This information requires the least protection.

Characteristics of Supportive Information

  • Mission Risk: Loss of availability impacts only Department/Unit/College's day-to-day operation or the individual data owner.
  • Compliance Risk: Data is not required to be available by law, contract, or institutional SLA.
  • Reputation Risk: Loss of availability represents little to no risk to institutional reputation.
  • Other Risks: Loss of availability may cause UGA to incur some minimal costs in response.

Examples of Supportive Information

  • Departmental information
  • Course materials
  • Meeting minutes
  • Workstation-level images and backups

The Office of the CIO and the ITMF-SECCOM will collaboratively review this standard on an annual basis.

Related Policies and Procedures

Definitions

  • Data owner - The person responsible for the function or system that creates, stores, or uses the information.
  • Data manager - The person responsible for implementing controls required by the data owner and supervising the data users that use the information.
  • Data user - The person who uses or "touches" the information. Anyone with "read" or "write" access to the information.
  • FERPA - The Family Educational Rights and Privacy Act. With a few exceptions, the act provides for confidentiality of student records unless a student has consented to disclosure of information.
  • HIPAA - The Health Insurance Portability and Accountability Act. Title II of HIPAA mandates protection of patient health information.
  • GLBA - Gramm-Leach-Bliley Act. An act that brings institutions of higher education under the jurisdiction of the Federal Trade Commission (FTC), the GLBA calls for the protection of personally identifiable financial records such as student loan records and credit card transaction records.
  • PCI DSS - Payment Card Industry Data Security Standard. Private contractual obligation for those institutions accepting PCI credit cards. Non-compliance with requirements can result in large fines or suspension of usage rights for the institution.
  • CIO - The University of Georgia's Chief Information Officer.
  • ITMF - The University of Georgia's Information Technology Management Forum.
  • SECCOM - A sub-committee of the ITMF focused on information security.

Credits

This standard was based on similar works: