Objective:
This provides guidance for categorizing specific information types (for example: Confidential Information) at the University of Tennessee Institute of Agriculture (Institute).
Scope:
This guide applies to all IT assets owned, operated, or provided by the Institute, as well as all students, faculty, staff, and users, while accessing, using, or handling the Institute’s IT assets. Users of the Institute’s IT assets are accountable for giving timely and accurate information. The Institute’s IT representatives are responsible for assisting users with the classification process.
Guidance:
The following information types and associated levels shall be used in the classification of systems and data at the Institute. This classification is for any data other than your own data or your family’s data.
Student Data:
All data deemed as FERPA controlled – Moderate
- Academic Transcripts
- Student Biographical Information
- Scholarship Information that includes student name
- Grade Rolls
- Course Schedule that includes student name
- Advising Notes that includes student name
Financial:
Procurement, Credit, or Debit Card Numbers (not related to PCI) – Moderate
Payment Card Industry (PCI) Information – Moderate
Payroll Information – Moderate
Point of Sale (POS) Transactions – Moderate
Donor Information that includes Personally Identifiable Information (PII) – Moderate
Wire Transfer Information – Moderate
Personally Identifiable Information (PII):
Any information deemed under state law defined as PII – Moderate
- Tennessee Code Annotated Title 47 – Commercial Instruments and Transactions Chapter 18 – Consumer Protection Part 21 – Identity Theft § 47-18-2107. Release of personal consumer information.
- “Personal information” means an individual’s first name or first initial and last name, in combination with any one (1) or more of the following data elements, when either the name or the data elements are not encrypted (i) Social security number; (ii) Driver license number; or (iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
- “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Human Health and Medical:
Medical Record – High
Patient Diagnosis – High
Medical Payment Information – High
Electronic Protected Health Information (ePHI) – High
Research Information:
Legally Protected Research Grant Information – Moderate
Export Controlled Data – High
Other:
Legally Protected Data – Moderate
References:
UTIA Glossary of Information Technology Terms
UTIA IT0115 – Information and Computer System Classification Policy
UT Policy IT0115 – Information and Computer System Classification
For more information, contact Sandy Lindsey, CISO, at (865) 974-7292, or email sandy@tennessee.edu.
Approval
We approve UTIA IT0115P – Organizational Guidance for the Classification of Information and Systems as described in this document.