Description

University-Internal (formerly Controlled) data is information that may be accessed by eligible employees in the course of university business. This information is not generally created for or made available for public consumption, but it may be subject to public disclosure through the Texas Public Information Act or similar laws. Such data must be appropriately protected to ensure lawful release.

Guidance

Corresponding Texas A&M System Classification: Controlled

The Texas A&M University-Internal classification and the TAMU System Controlled classification are not related to the federal category of Controlled Unclassified Information (CUI). At Texas A&M, any CUI data that is regulated under 32 CFR Part 2002 is classified as Critical, and carries specific requirements. See security control DC-6.

Applicability

Examples of University-Internal data include, but are not limited to:

  • PERSONAL DATA

    • Standalone employee information that is not paired with another personal identifier (not defined as Sensitive Personal Information by Texas Government Code §521.002)
    • Personal contact information (email address, telephone number, etc.)

  • FINANCIAL DATA

    • University budget information

  • RESEARCH DATA

    • General research information
    • Certain types of data associated with research activities, but outside the definition of research data: preliminary analyses, drafts of scientific papers, plans for future research, peer reviews or communications with colleagues.
    • Patent applications and work papers

  • ADMINISTRATIVE DATA

    • Non-public administrative or operational data (e.g. employee evaluations, asset listings and locations, emergency contact information, etc.)
    • Building plans and information about the university physical plant
    • Unit internal policies, procedures and/or standards
    • Internal meeting information, working notes or documents
    • Proprietary training materials

Implementation

  • 1 ACCESS

    • 1.1 Access to University-Internal data shall be limited to those with a documented business need, as determined by the Data Steward or a Data Manager.

    • 1.2 In accordance with security control MA-2, any University-Internal data must be removed from associated media before equipment is removed from university facilities for off-site maintenance or repair.

  • 2 STORAGE

    • 2.1 For all information resources that store or process University-Internal information, the impact level of the resources should be carefully considered. In accordance with SAP 29.01.03.M0.05, moderate and high impact information resources must reside in a Texas A&M enterprise data center.

    • 2.2 There are no requirements for the encryption of University-Internal data at rest.

  • 3 TRANSMISSION

    • 3.1 In accordance with security controls SC-8 and SC-13, University-Internal data must be encrypted in transit.

    • 3.2 In accordance with security control SC-8, University-Internal data transmitted in an email message must be encrypted.

  • 4 MONITORING

    • 4.1 In accordance with security controls SI-4, AU-2, AU-3, AU-4, AU-5, and AU-6, information systems containing University-Internal data must enable effective logging and monitoring of system and security events.

  • 5 INCIDENT REPORTING

    • 5.1 In accordance with security control IR-6, any known or suspected unauthorized disclosure of University-Internal data must be reported to the CISO.

    • 5.2 In accordance with security control IR-8, any known or suspected instance of unauthorized access or use of University-Internal data must be reported to the CISO.

  • 6 DISPOSAL

    • 6.1 In accordance with security controls MP-6 and MA-2, information resources containing University-Internal data must be sanitized prior to disposal or surplus.