Description
Corresponding Texas A&M System Classification: Controlled
The Texas A&M University-Internal classification and the TAMU System Controlled classification are not related to the federal category of Controlled Unclassified Information (CUI). At Texas A&M, any CUI data that is regulated under 32 CFR Part 2002 is classified as Critical, and carries specific requirements. See security control DC-6.
Applicability
-
Examples of University-Internal data include, but are not limited to:
-
PERSONAL DATA
-
● Standalone employee information that is not paired with another personal identifier (not defined as Sensitive Personal Information by Texas Government Code §521.002)
● Personal contact information (email address, telephone number, etc)
-
-
FINANCIAL DATA
-
● University budget information
-
-
RESEARCH DATA
-
● General research information
● Certain types of data associated with research activities, but outside the definition of research data: preliminary analyses, drafts of scientific papers, plans for future research, peer reviews or communications with colleagues.
● Patent applications and work papers
-
-
ADMINISTRATIVE DATA
-
● Non-public administrative or operational data (e.g. employee evaluations, asset listings and locations, emergency contact information, etc.)
● Building plans and information about the university physical plan
● Unit internal policies, procedures and/or standards
● Internal meeting information, working notes or documents
● Proprietary training materials
-
Implementation
-
1
ACCESS
-
1.1
Access to University-Internal data shall be limited to those with a documented business need, as determined by the Data Steward or a Data Manager.
-
1.2
In accordance with security control MA-2, any University-Internal data must be removed from associated media before equipment is removed from university facilities for off-site maintenance or repair.
-
1.1
-
2
STORAGE
-
2.1
For all information resources that store or process University-Internal information, the impact level of the resources should be carefully considered. In accordance with SAP 29.01.03.M0.05, moderate and high impact information resources must reside in a Texas A&M enterprise data center.
-
2.2
There are no requirements for the encryption of University-Internal data at rest.
-
2.1
-
3
TRANSMISSION
-
4
MONITORING
-
5
INCIDENT REPORTING
-
5.1
In accordance with security control IR-6, any known or suspected unauthorized disclosure of University-Internal data must be reported to the CISO.
-
5.2
In accordance with security control IR-8, any known or suspected instance of unauthorized access or use of University-Internal data must be reported to the CISO.
-
5.1
-
6
DISPOSAL