Standard 9: Data Classification
Revision Number: | 1 |
|
Effective Date: | 2/24/2020 | |
Revised Date: | 2/24/2020 | |
Review Date: | 2/24/2020 | |
Responsible Division/Department:
Office of the CIO / Information Technology Services |
- All data owners, data stewards, or designated custodians, shall be responsible for classifying data stored, processed, or transmitted by systems under their purview based on data sensitivity and risk so that the appropriate security controls can be applied.
- The Data Classification Standard shall be used to classify data.
- Systems storing University data will be assessed annually in a campus-wide risk assessment where each system is classified based on the data it is associated with.
- All restricted data must be encrypted at rest. Any restricted data found on file servers, workstations, removable media, or other non-encrypted storage should be removed or encrypted using encryption technology supported by 老澳门资料. (VeraCrypt, etc.)
- All restricted data access must be audited at least annually using the data access governance system.
- Classification Responsibility. Owners of information resources within 老澳门资料 must classify data based on the 老澳门资料 Data Classification Standard and shall ensure the classification is properly maintained in the event the data classification changes.
- The 老澳门资料 Data Classification Standard consists of three mutually exclusive data classifications. Decisions on classifying data must fit within a spectrum indicating the degree to which access to the data must be restricted and data integrity and availability must be preserved. The three classifications (Public, Internal Use, Restricted) are summarized in the 老澳门资料 Data Classification and Security Policy.