Data classification provides a framework for managing data assets based on value and associated risks. It also guides the application of the appropriate levels of protection as required by state and federal law as well as proprietary, ethical, operational, and privacy considerations. All electronic data should be classified.


  • This Control applies to all information resource owners, custodians, and users. It also applies to information resources storing University Data regardless of ownership of the particular storage device. Other federal, state, or contractual requirements may be more restrictive than the procedures specified in this Control (example: Classified National Security Information). In no situation can procedures regarding security of data be less restrictive than this control, regardless of the contract or agreement specifications.


  • 1


    • 1.1

      It is the responsibility of anyone (e.g., owner, custodian, user) having University Data in their possession or under their direct control (e.g., manages the storage device) to know the classification category of the data and to ensure the appropriate safeguards are in place. Anyone possessing Critical or Confidential data, or who has such data under their direct control, shall ensure that appropriate risk mitigation measures are in place to protect the data from unauthorized exposure.

    • 1.2

      The University is responsible for defining all information classification categories. The owner of an information resource is responsible for determining the classification category for business function information.

    • 1.3

      The owner of an information resource is responsible for maintaining an accurate inventory of any information resources storing or processing Critical or Confidential data, and sharing that inventory with the Division of Information Technology Risk Management office.

    • 1.4

      The final determination of classification categories may be subject to review by the office of the Vice President for Information Technology and Chief Information Officer as delegated by the President.

  • 2


    • 2.1

      University Data is to be classified as Critical, Confidential, University-Internal, or Public based on the Data Classification Security Controls. Information resources owners, or designees, shall identify (location and owner) and categorize data at least annually. For Critical, Confidential, or University-Internal categories, the location, category, and owner shall be documented. This should be accomplished in conjunction with the annual risk assessment process. The purpose of this identification and categorizing process is to determine the appropriate security controls needed to protect university data.

    • 2.2

      Before deploying a website or mobile application that may processes Critical or Confidential data, the information resource custodian must ensure a vulnerability and penetration test is conducted by Technology Services security team or a third party vendor approved by the Technology Services security team. The following information must then be submitted to the Office of the Chief Information Security Officer (CISO):

      • 2.2.1

        The architecture of the website or mobile application;

      • 2.2.2

        The authentication mechanisms used in the website or mobile application; and

      • 2.2.3

        Any individuals with access to the Critical or Confidential data; and

      • 2.2.4

        The assessment and penetration test results.

    • 2.3

      Critical and Confidential data requires specific security considerations. The following mitigation measures must be followed for systems that store or process Critical or Confidential data:

      • 2.3.1

        Use of file encryption or whole-disk encryption software.

      • 2.3.2

        Appropriate use of data loss prevention (DLP) software provided and managed by the Office of the CISO.


        Appropriate use of DLP software means that it is installed on 1) End User Devices that 2) belong to units designated by the Office of the CISO. Units are designated when they store or process data that requires an elevated degree of monitoring. For more information contact the Endpoint Security team.

    • 2.4

      Classified National Security Information (“Classified”) will be more closely managed than most other data.

      • 2.4.1

        Any entity that has a need to work with “Classified” information shall obtain approval from the Texas A&M System Facility Security Officer (FSO) prior to finalizing any contracts or agreements.

      • 2.4.2

        Any entity that has a need to work with “Classified” information shall follow the requirements of the governing contract and the direction provided in Texas A&M System Regulation 15.05.01 Classified Information Management which may be more restrictive than the procedures in this Control.