Description

Data classification provides a framework for managing data assets based on value and associated risks. It also guides the application of the appropriate levels of protection as required by state and federal law as well as proprietary, ethical, operational, and privacy considerations. All electronic data should be classified.
Draft Guidance

ADDED 

  • Section 1.3 related to responsibility for maintaining accurate inventory for restricted and confidential data and sharing with Division of IT
  • Section 1.4 clarifying that classification categorization may be reviewed by CISO 

REMOVED

  • Section 2.1.1 is deleted and Restricted Data description moved to local control classification to be developed
  • Section 2.1.2 is deleted and Confidential Data description moved to local control classification to be developed
  • Section 2.1.3 is deleted and Controlled Data description moved to local control classification to be developed
  • Section 2.1.4 is deleted and Public Data description moved to local control classification to be developed
  • Original Section 2.2 deleted and reference to User ID is moved to Control IA-2.

MODIFIED

  • Description is revised to clarify classification is for electronic data
  • Section 1.2 is shortened for clarity.
  • Section 2.1 is shortened for clarity
  • Section 2.3 is revised to delete specific mention of Social Security Numbers, and provide mitigation measures for all Restricted and Confidential information: Encryption and Data Loss Prevention measures.

Applicability

  • This Control applies to all information resource owners, custodians, and users. It also applies to information resources storing University Data regardless of ownership of the particular storage device. Other federal, state, or contractual requirements may be more restrictive than the procedures specified in this Control (example: Classified National Security Information). In no situation can procedures regarding security of data be less restrictive than this control, regardless of the contract or agreement specifications.

Implementation

  • 1

    RESPONSIBILITIES

    • 1.1

      It is the responsibility of anyone (e.g., owner, custodian, user) having University Data in their possession or under their direct control (e.g., manages the storage device) to know the classification category of the data and to ensure the appropriate safeguards are in place. Anyone possessing confidential data, or who has such data under their direct control, shall ensure that appropriate risk mitigation measures are in place to protect the data from unauthorized exposure.

    • 1.2

      The University is responsible for defining all information classification categories. The owner of an information resource is responsible for determining the classification category for business function information.

    • 1.3

      The owner of an information resource is responsible for maintaining an accurate inventory of any information resources storing or processing restricted or confidential data, and sharing that inventory with the Division of Information Technology Risk Management office.

    • 1.4

      The final determination of classification categories may be subject to review by the office of the Vice President for Information Technology and Chief Information Officer as delegated by the President.

  • 2

    PROCEDURES

    • 2.1

      University Data is to be classified as Restricted, Confidential, Controlled, or Public based on the university's published Data Classification Standard. Information resource owners, or designees, shall identify (location and owner) and categorize data at least annually. For restricted, confidential, or controlled categories, the location, category, and owner shall be documented. This should be accomplished in conjunction with the annual risk assessment process. The purpose of this identification and categorization process is to determine the appropriate security controls needed to protect university data.

    • 2.2

      Before deploying a website or mobile application that may process confidential information, the information resource custodian must ensure a vulnerability and penetration test is conducted by the Division of IT security team or a third-party vendor approved by the Division of IT security team. The following information must then be submitted to the Office of the Chief Information Security Officer (CISO):

      • 2.2.1

        The architecture of the website or mobile application;

      • 2.2.2

        The authentication mechanisms used in the website or mobile application;

      • 2.2.3

        Any individuals with access to the restricted or confidential data; and

      • 2.2.4

        The assessment and penetration test results.

    • 2.3

      Restricted and confidential information requires specific security considerations. The following mitigation measures must be followed for systems that store or process restricted or confidential data:

      • 2.3.1

        Use of file encryption or whole-disk encryption software.

      • 2.3.2

        Appropriate use of data loss prevention software provided and managed by the Office of the CISO.

    • 2.4

      Classified National Security Information (“Classified”) will be more closely managed than most other data.

      • 2.4.1

        Any entity that has a need to work with “Classified” information shall obtain approval from the Texas A&M System Facility Security Officer (FSO) prior to finalizing any contracts or agreements.

      • 2.4.2

        Any entity that has a need to work with “Classified” information shall follow the requirements of the governing contract and the direction provided in Texas A&M System Regulation 15.99.02 Classified Information which may be more restrictive than the procedures in this Control.