Data Classification Standard

  1. Scope

    All information stored on university information systems, or other information systems where university business occurs, must be classified into one of the three categories. Based on the data classification determined for the system, appropriate technical security measures to protect the data are required. Category-1 data has more stringent requirements than Category-2 and Category-3. All systems require some protective measures.

    All categories of university information may be stored on non-university information systems as long as the information is verifiably protected according to the respective university minimum security standards and approved by the information owner and the ISO. Personal information stored on a university system as a result of incidental use is not considered university data. Personal use of university information describing or pertaining only to you is not governed or defined by this standard. At the same time, these rules describe good practices that help protect your personal information.

  2. Information Classification

    This standard is based solely on the confidentiality aspect of information. Information that is confidential must be protected against unauthorized exposure as required by law, regulation, or statute. Only authorized persons are allowed to access or change confidential information. Information systems are considered to be assets of the university. They are classified according to the risks associated with the data being stored or processed. Information at the highest risk needs the greatest amount of protection to prevent unauthorized exposure; information at lower risk can be given proportionately less protection. To determine the level of protection applied to a system, base your classification on the most confidential data stored in the system. Even if the system also stores data that could be made available in response to an open records request, or information that is public, the entire system must still be protected according to the most confidential data it holds. Note: Passwords and other security control specifics must be classified at the same level as the highest category of information they protect.

    1. Category 1 – Information whose confidentiality is protected by federal or state law, or by university or system rules or regulations, that assess administrative, punitive, or monetary penalties (e.g. HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, Texas Identity Theft Enforcement and Protection Act, Texas Tech University System policies) and whose exposure will likely cause great harm to the university and to the individuals to whom the information refers. This category also includes information that is not protected by a known civil statute or regulation, but which must be protected because of contractual agreements requiring confidentiality. More examples can be found in Appendix A.
      Examples of How Data Can Be Exposed
      • Laptop or other data storage system stolen from car.
      • Research Assistant accesses system after leaving research project because passwords are not changed.
      • Unauthorized visitor walks into unlocked lab and steals equipment or accesses unsecured computer.
      Impact of Category-1 Data Exposure
      • Long-term loss of research funding.
      • Long-term loss of reputation.
      • Unauthorized release of research data.
      • Monetary penalties from regulatory requirements.
      • Individuals put at risk for identity theft.
    2. Category 1a – Information protected specifically by federal or state law, or by university or system rules or regulations (e.g., FERPA), which, if exposed, would likely result in substantial harm to the university, but for which there are no prescribed administrative, punitive, or monetary penalties. Exposure may lead to loss of reputation and reduced enrollment. More examples can be found in Appendix B.
    3. Category 2 – Information related directly to or proceeding from the operation and administration of the university and normally restricted to university employees, but which is releasable in accordance with the Texas Public Information Act (e.g. contents of specific email, date of birth, salary, etc.). Such information must be appropriately protected to ensure a controlled and lawful release.
      Examples of How Data Can Be Exposed
      • Staff member releases information without proper authorization.
      Impact of Category-2 Data Exposure
      • Tarnished reputation.
      • Loss of research funding.
    4. Category 3 – Information which is generally publicly available or appropriately and intentionally made public by the university. Information in this category has no requirement for confidentiality.
      Examples of How Data Can Be Exposed
      • Laptop or other data storage system stolen from car.
      Impact of Category-3 Data Exposure
      • Loss of your personal data with no impact to the university.
    Required Controls
    Systems that store or process Category-1 information must, at a minimum, meet the following criteria:
    • Must use a complex password (using 3 of 4 of the following: uppercase letters, lowercase letters, numerals, special characters) to access the device’s operating system and data.
    • Must encrypt Category 1 data whether on internal or external storage (using direction from the ASU Acceptable Encryption Standard) or use data center physical security controls.
    • Must encrypt all Category 1 data transferred to and from the system using minimum encryption standards per ASU Acceptable Encryption Standard.
    • Must have antimalware software installed that regularly updates itself and automatically cleans malware from the system.
    • Must be configured to allow remote wipe, if the system allows.

    Category 1 information sent via email must be encrypted, or otherwise protected, so that only the authorized recipients can view the information. The information required to decrypt the message, such as the password, must not be included in the same message. Contact the IT Service Center or see the ASU Acceptable Encryption Standard for implementation details.

    Systems that store or process Category 1a university information must, at a minimum, meet the following criteria:
    • Whole disk/device encryption is not required, but is still strongly recommended for Category 1a, using the minimum encryption standards in the ASU Acceptable Encryption Standard.
    • Must use, at a minimum, a PIN or complex password (using 3 of 4 of the following: uppercase letters, lowercase letters, numerals, special characters) to access the device’s operating system and data.
    • Must encrypt all Category 1a data sent to and from the device (see ASU Acceptable Encryption Standard).
    • Must have antimalware software installed that regularly updates itself and automatically cleans malware from the system.
    • Must be configured to allow remote wipe, if the system allows.
    Systems that store or process Category 2 university information must, at a minimum, meet the following criteria:
    • Must use, at a minimum, a PIN, gesture lock, biometrics, or a password to access the device’s operating system and data.
    • Whole disk/device encryption is not required, but is still strongly recommended for Category 2. See the ASU Acceptable Encryption Standard for implementation details.
    Systems that store or process Category 3 university information must, at a minimum, have antimalware software installed that regularly updates itself and cleans malware from the system. The controls for higher-category information are not required, but are still recommended.
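    The two rules above (a system inherits the category of its most confidential data, and each category has a minimum control set) can be checked mechanically. The following is an added example written for this page, not a tool from the standard or from ASU; the control names, the sample inventory and the password values are constructed for illustration.

```python
import re

# Categories ranked from most to least confidential, as the standard orders them.
RANK = {"1": 0, "1a": 1, "2": 2, "3": 3}

# Minimum controls per category, transcribed from the Required Controls section.
# Each requirement is a list of alternatives; any one of them satisfies it
# (e.g. Category 1 data at rest may be encrypted or kept under data center
# physical security controls). Control names are constructed labels.
REQUIRED = {
    "1":  [["complex_password"], ["encryption_at_rest", "datacenter_physical"],
           ["encryption_in_transit"], ["antimalware"], ["remote_wipe"]],
    "1a": [["pin", "complex_password"], ["encryption_in_transit"],
           ["antimalware"], ["remote_wipe"]],
    "2":  [["pin", "gesture_lock", "biometrics", "password", "complex_password"]],
    "3":  [["antimalware"]],
}


def is_complex(password):
    """Complex password per the standard: 3 of 4 classes
    (uppercase letters, lowercase letters, numerals, special characters)."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, password)) for c in classes) >= 3


def system_category(data_categories):
    """A system is classified by the most confidential data it stores or processes."""
    return min(data_categories, key=RANK.__getitem__)


def missing_controls(data_categories, controls, password=None):
    """Return (system category, unmet requirements). Each unmet requirement is
    listed as its alternatives. If the OS login password is supplied, it is
    graded against the 3-of-4 rule to decide which password control is present."""
    have = set(controls)
    if password is not None:
        have.add("complex_password" if is_complex(password) else "password")
    cat = system_category(data_categories)
    return cat, [alts for alts in REQUIRED[cat] if not have & set(alts)]


# Constructed sample: a lab workstation holding public web content (3), staff
# dates of birth (2) and one set of patient records (1). Category 1 wins.
SAMPLE_DATA = ["3", "2", "1"]
SAMPLE_CONTROLS = ["antimalware", "encryption_in_transit"]

if __name__ == "__main__":
    cat, gaps = missing_controls(SAMPLE_DATA, SAMPLE_CONTROLS, password="summer2024")
    print(f"Category-{cat} system; unmet requirements: {gaps}")
```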

    Appendix A

    Extended List of Category-1 Data

    This appendix provides an expanded list of examples of data classified as Category-1 data. It is intended to give owners and custodians a way to evaluate the level of protection required for their systems.

    This list is not all-inclusive, and it does not cover the authorized release of information.

    Patient Medical/Health Information (HIPAA)

    The following information is confidential if associated with specific individuals:

    • Social Security number
    • Patient names, street address, city, county, zip code, telephone / fax numbers
    • Dates (except year) related to an individual, account / medical record numbers, health plan beneficiary numbers
    • Personal vehicle information
    • Certificate / license numbers, device IDs and serial numbers, email, URLs, IP addresses
    • Access device numbers (card number, building access code, etc.) that protect Patient Medical/Health Information
    • Biometric identifiers and full face images
    • Any other uniquely identifying number, characteristic, or code
    • Payment Guarantor’s information

    Donor/Alumni Information (OPP, Texas Identity Theft Enforcement and Protection Act, HIPAA, Texas Public Information statutes)

    The following information is confidential if associated with specific individuals:

    • Social Security number
    • Name
    • Personal financial information
    • Family information
    • Medical information
    • Credit card numbers, bank account numbers, amount / what donated
    • Telephone / fax numbers, email, URLs

    Research Information (Granting Agency Agreements, Other IRB Governance)

    The following information is confidential if associated with specific individuals:

    • Human subject information
    • Sensitive digital research data

    Contact the Office of Sponsored Projects for information on research involving human subjects. See Research Compliance for more information.

    Employee Information (Texas Identity Theft Enforcement and Protection Act - Business & Commerce Code 521)

    There can be confusion over which rules apply when an employee is also a student. The rule of thumb is that the student rules apply when the employee is in a student job title.

    The following employee information is confidential if associated with specific individuals:

    • Social Security number
    • Personal financial information, including non-ASU income level and sources
    • Information exposing details of employee use of benefits or health information pertaining to the use of benefits
    • Access device numbers (card number, building access code, etc.) that protect Employee Information
    • Biometric identifiers
    • Family information, home address, and home phone number may be released unless restricted by the employee (per Government Code 552.117). ASU employees can restrict this information by contacting the Office of Human Resources

    Please note that information considered public, such as employee names, birth dates, salary, and performance review information, would be released under an open records request.

    Business/Vendor Data (Gramm-Leach-Bliley Act, Non-Disclosure agreement)

    The following information is confidential if associated with specific individuals:

    • Vendor Social Security number
    • Credit card information
    • Contract information (between ASU and a third party)
    • Access device numbers (card number, building access code, etc.) that protect Business/Vendor Data protected by GLBA
    • Biometric identifiers
    • Certificate / license numbers, device IDs and serial numbers, email, URLs, IP addresses

    Other Institutional Data (Gramm-Leach-Bliley Act, Other Considerations)

    The following information is confidential if associated with specific individuals:

    • Financial records
    • Contracts
    • Physical plant detail
    • Credit card numbers
    • Certain management information
    • Critical infrastructure detail
    • User account passwords

    Payment Card Industry Data Security Standard (PCI DSS)

    The following information involving credit card numbers is confidential if associated with specific individuals:

    • Personal Account Number or PAN (credit card number)
      • Name if stored with PAN
      • Service Code
      • Expiration Date
    • Magnetic stripe data

    Appendix B

    Extended List of Category-1a Data

    This appendix provides an expanded list of examples of data classified as Category-1a data. It is intended to give owners and custodians a way to evaluate the level of protection required for their systems.

    This list is not all-inclusive, and it does not cover the authorized release of information.

    Student Records (FERPA)

    The following information is confidential. This applies to both enrolled and prospective student data.

    • Grades (including test scores, assignments, and class grades)
    • Bank accounts, wire transfers, payment history, financial aid/grants, student bills
    • Access device numbers (card number, building access code, etc.) used to protect student records information
    • Internal ID numbers (campus ID/CID)

    Note that for enrolled students, the following data may ordinarily be revealed by the university without student consent unless the student designates otherwise by using Office of the Registrar approved methods:

    • Student name
    • Local and permanent mailing address
    • Photograph
    • Major and minor fields of study
    • Participation in recognized activities and sports
      • weight and height of members of athletic teams
      • team photographs
    • Dates of attendance
    • Classification
    • Enrollment status
    • Degree candidate
    • Degrees
    • Awards and honors received, type of award/honor
    • Previous educational agencies and institutions attended
    • Hometown

    For more information, see Angelo State University’s FERPA Web page.