Description
In classifying data, the university:
- Uses a risk-based approach to help information resource owners and users identify the data they use, understand its level of sensitivity, and learn how to best secure it.
- Seeks to balance protecting the confidentiality, integrity, and availability of 'university data', recognizing the need for collaboration and sharing of knowledge across campus and the world.
Applicability
The data classifications in these controls (Data Classification) apply to all Texas A&M University data, regardless of its location or provenance. Generally, this means data that is stored, processed, or transmitted on any information resources where university business occurs. This includes, but is not limited to, all university information resources, resources owned or managed by state agencies, or resources owned or managed by third parties (e.g., business associates, cloud service providers, vendors, or contractors).
Implementation
1. It is the responsibility of anyone who has university data in their possession, or under their direct control, to ensure that appropriate risk mitigation measures are in place to protect such data from unauthorized exposure.
2. It is the responsibility of the university CISO, in coordination with information resource owners, to develop and publish a set of controls that addresses the classification and management of university data.
3. When a specific set of data is classified as fitting within a combination of two or more of the data classifications, that data shall be managed according to the more restrictive classification.
4. Under this data classification model, data is classified in accordance with federal and state regulations, System standards, and other contractual requirements. This data classification model in no way supersedes any state or federal government classifications.
5. Texas A&M University data shall be classified into one of four classification levels, each of which implies an increasing level of sensitivity and consequently requires increasingly strict security controls:
   5.1 Public. Data that is openly available to the public. Few restrictions are placed on this type of data. See security control DC-3.
   5.2 University-Internal (formerly Controlled). Data that may be accessed by eligible employees in the course of university business. This data may be releasable to the public upon request, but requires protection and evaluation to ensure lawful release. See security control DC-4.
   5.3 Confidential. Data that is restricted because of legal, ethical, or other constraints, and may not be accessed without specific authorization. Improper release would have a significant adverse impact on the university and may be subject to notification requirements. See security control DC-5.
   5.4 Critical (formerly Restricted). Data that can likely result in criminal or civil penalties if inappropriately handled. This is the highest level of classification for data, and use is limited to explicitly designated individuals with a stringent business requirement. See security control DC-6.