UTIA IT0115P – Organizational Guidance for the Classification of Information and Systems

Objective:

This document provides guidance for categorizing specific information types (for example: Confidential Information) at the University of Tennessee Institute of Agriculture (Institute).

Scope:

This guide applies to all IT assets owned, operated, or provided by the Institute, as well as all students, faculty, staff, and users, while accessing, using, or handling the Institute’s IT assets. Users of the Institute’s IT assets are accountable for giving timely and accurate information. The Institute’s IT representatives are responsible for assisting users with the classification process.

Guidance:

The following information types and associated levels shall be used in the classification of systems and data at the Institute. This classification is for any data other than your own data or your family’s data.

Student Data:

All data deemed as FERPA controlled – Moderate

  • Academic Transcripts
  • Student Biographical Information
  • Scholarship Information that includes student name
  • Grade Rolls
  • Course Schedule that includes student name
  • Advising Notes that include student name

Financial:

Procurement, Credit, or Debit Card Numbers (not related to PCI) – Moderate

Payment Card Industry (PCI) Information – Moderate

Payroll Information – Moderate

Point of Sale (POS) Transactions – Moderate

Donor Information that includes Personally Identifiable Information (PII) – Moderate

Wire Transfer Information – Moderate

Personally Identifiable Information (PII):

Any information defined as PII under state law – Moderate

  • Tennessee Code Annotated Title 47 – Commercial Instruments and Transactions Chapter 18 – Consumer Protection Part 21 – Identity Theft § 47-18-2107. Release of personal consumer information.
    1. “Personal information” means an individual’s first name or first initial and last name, in combination with any one (1) or more of the following data elements, when either the name or the data elements are not encrypted (i) Social security number; (ii) Driver license number; or (iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
    2. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Human Health and Medical:

Medical Record – High
Patient Diagnosis – High
Medical Payment Information – High
Electronic Protected Health Information (ePHI) – High

Research Information:

Legally Protected Research Grant Information – Moderate
Export Controlled Data – High

Other:

Legally Protected Data – Moderate

References:

UTIA Glossary of Information Technology Terms
UTIA IT0115 – Information and Computer System Classification Policy
UT Policy IT0115 – Information and Computer System Classification

For more information, contact Sandy Lindsey, CISO, at (865) 974-7292, or email sandy@tennessee.edu.

Approval

We approve UTIA IT0115P – Organizational Guidance for the Classification of Information and Systems as described in this document.