University Information Classifications

University Information Classifications

The University processes data with enormous breadth and depth. University information classifications categorize this data based on its risks so that security controls and procedures can be applied appropriately.

University information includes any information used in support of the administration or missions of the University.

University information is classified by its data steward in accordance with the University Information Classification Policy. Classifications reflect information confidentiality risks.

All end users of University information are responsible for protecting information according to its classification.


University information classifications

University information is classified according to its confidentiality risks and the potential impact to the University, individuals, or other stakeholders if confidentiality were to be breached.

Optionally, data stewards or unit heads may require that University information or IT devices be managed as though they were of a higher classification due to their criticality risks. In these cases, the University information or IT device is effectively classified at a higher University information classification.

Level I
Low Risk

Risks:

Unintentional, unlawful, or unauthorized disclosure presents limited or no risk.


Examples:

  • Publicly released information
  • Directory information
  • General access data
  • Data with low confidentiality, integrity, and availability concerns

Protection requirements:

  • May be shared publicly

Level II
Moderate Risk

Risks:

Unintentional, unlawful, or unauthorized disclosure presents moderate risk.


Examples:

  • FERPA records
  • HR information
  • Non-public applicant and donor information
  • Legal investigation records
  • Unpublished intellectual property (including research data)
  • Unpublished University business information
  • Other information as specified by contractual, legal, or other requirements

Protection requirements:

  • Share only with those who "need to know"

Level III
High Risk

Risks:

Unintentional, unlawful, or unauthorized disclosure presents significant risk.


Examples:

  • Social Security Numbers
  • Personally Identifiable Information (PII): First initial or name and last name in combination with any of the following:
    • Social Security number
    • Driver's license number or state-issued ID card number
    • Alien registration or government passport number
    • Account number, or credit or debit card number, in combination with any required security code, access code, PIN, or password needed to access an account.
  • Driver's license number, passport or Visa number, or financial account numbers
  • Protected health information (PHI/ePHI)
  • Export-restricted data
  • Human subject data
  • UDelNet passwords
  • Encryption keys
  • Other information as specified by contractual, legal, or other requirements

Protection requirements:

  • Encrypt at rest and in transit
  • Access, process, store, and transmit only using managed computers
  • Do not use cloud services to access, process, store, or transmit unless those services are explicitly approved for that data