SECTION 1. Policy Statement
- Objective
This policy provides guidance and structure for the University to properly categorize the University’s Data to ensure that the appropriate controls are in place to provide the most effective protections. - Categorization Policy
Each campus and institute must develop and maintain a formal documented program for the categorization of the University’s Data including any Data that is processed or stored on University-owned Assets, Systems, or Resources, including Data stored on Information Technology Service Provider systems. Data from third parties in use by University personnel must be categorized as defined by the third party Data owner. The program must adhere to the following guidelines at a minimum. This includes training and communication about the program requirements that encourages engagement by the User community.- The Data Owner is responsible for categorizing the University Data that they are responsible for. The categorization information must be communicated to the Data Steward, the Data Custodian, the Data Users, and the Central IT Department.
- Data Confidentiality Categorization: Data Owners will categorize the confidentiality of the University’s Data based on the following (see paragraph II. for examples):
- Public (Level 0) – The effect on confidentiality of the Data is minimal. Data that would fit into this category includes that which by law is available to the public without request.
- Internal Use Only (Level 1) – The effect on confidentiality of the Data is significant but does not include compliance issues. This includes Data that is protected against unwarranted disclosure whose protection may be required for legal, ethical, or proprietary considerations.
- Private (Level 2) – The effect on confidentiality of the Data is significant and includes compliance requirements. This Data is governed by federal, or state compliance requirements and unwarranted exposure can lead to compliance issues and/or fines. This includes all Data that contains personally identifiable information (PII), protected health information, student education records, and card holder Data.
- Restricted (Level 3) – The effect on confidentiality of the Data is based on federal-government regulated research definitions and requirements regarding unwarranted exposure or related to control Systems that support the University, but if subverted, could be life-threatening to University Employees (Employee), students, and others using University facilities.
- Data Integrity Categorization: Data Owners will categorize the integrity of the University’s Data based on the following (see section VII for examples):
- Level 0 – The effect on integrity of the Data is minimal. Data that would fit into this category includes Data that has no restriction on who can change it or when.
- Level 1 – The effect on integrity of the Data is significant but does not include compliance issues. This includes Data that is protected against unwarranted change including Protected University Data whose protection may be required for legal, ethical, privacy, or proprietary considerations.
- Level 2 – The effect on integrity of the Data is significant and includes compliance requirements. This Data is governed by federal, or state compliance requirements and unwarranted change can lead to compliance issues and/or fines. This includes, but is not limited to, all Data that contains personally identifiable information (PII), protected health information, student education records, and card holder Data.
- Level 3 – The effect on integrity of the Data is focused on federal-government regulated research definitions and requirements regarding unwarranted change or is related to control Systems that support the University, but if subverted, could be life-threatening to University Employees, students, and others using University facilities.
- Both confidentiality and integrity are evaluated and tracked individually and must be documented in a categorization inventory. If there are questions regarding the categorization, the Data and/or System owner must consult with the campus or institute’s CISO/DISL. The security controls that are implemented for the protection of all the University’s Data and Systems must be based on the categorization of the Data.
- Pre-Defined Data Categorization Definitions
- Any Data that has not been categorized by the Data Owner will be treated as Internal Use Only (Level 1) until it is properly categorized.
- The following Data types are required to be categorized as Internal Use Only (Level 1). Other Data may be categorized as Internal Use Only (Level 1) based on the required protection requirements:
- Employee performance reviews
- Tennessee Unique ID
- Building floor plans showing egress routes and shelter areas
- Faculty tenure recommendations
- Data flow and IT Network infrastructure diagrams
- The following Data types are required to be categorized as Private (Level 2). Other Data may be categorized as Private (Level 2) based on the required protection requirements:
- Family Educational Rights and Privacy Act (FERPA)
- Personally Identifiable Information (PII)
- Donor contact information and non-public donation amounts
- Sensitive Identifiable Human Subject Research Information (Human Subject)
- General Data Protection Regulation (GDPR)
- Personal Information Protection Law of the People’s Republic of China (PIPL)
- Partial Social Security Numbers
- The following Data types are required to be categorized as Restricted (Level 3). Other Data may be categorized as Restricted (Level 3) based on the protection requirements required:
- Social Security Number (SSN)
- VISA numbers
- Payment Card Industry (PCI) Data
- Financial account numbers such as banking or investment account numbers
- Protected Health Information (PHI) per the Health Insurance Portability and Accountability Act (HIPAA)
- Biometric information
- Gramm–Leach–Bliley Act (GLBA) Title IV loan Data
- Export Administration Regulation (EAR99)
- Controlled Unclassified Information (CUI)
- Export-Controlled Information (ITAR, EAR)
- Trade secret or Intellectual Property protected by a non-disclosure agreement
- Passwords, passphrases, PIN numbers, security codes, and access codes
IV. Exceptions
The University’s Chief Information Officer is authorized to grant exceptions to the University’s Information Technology Policies. Campus or institute CIOs/DTLs are authorized to grant exceptions to campus or institute processes and procedures.
SECTION 2. Reason for the Policy
This policy establishes the requirements for Data categorization for the University of Tennessee in support of System-wide Policy: IT0001 – General Statement on Information Technology Policy. All Users must familiarize themselves with System-wide Policy: IT0001.
SECTION 3. Scope and Application
This policy applies to all Users of IT Resources owned, operated, or provided by the University of Tennessee, including its campuses, institutes, and administration (University and/or campuses).
“Data” that is transmitted or stored on University IT Resources is the property of the University unless it is specifically identified in writing as the property of other parties. The University reserves the right to access the University’s Resources and any non-University owned Resources that are or have been connected to the University’s Resources or contain the University’s Data.
Throughout this policy, it is understood that Users will not use personally licensed internet services (e.g., Google Mail, Google storage) for University business or store Protected University Data on a personally owned System.
SECTION 4. Procedures
Each campus/institute will adopt procedures to implement the controls necessary to adhere to this policy.
SECTION 5. Definitions
See IT0001 – General Statement on Information Technology Policy for definitions of terms.
SECTION 6. Penalties/Disciplinary Action for Non-Compliance
Any violation of this policy may subject the User to discipline as a violation of one or more provisions of the general standard of conduct in the student handbook or to discipline under the Code of Conduct (HR0580 – Code of Conduct) in the Human Resources Policy and Procedures.
The University may temporarily or permanently remove access to its information technology Resources if an individual violates this policy.
SECTION 7. Responsible Official & Additional Contacts
Subject Matter |
Office Name |
Telephone Number |
Email/Web Address |
Policy Clarification and Interpretation |
System Chief Information Officer and System Chief Information Security Officer |
(865) 974-4810 or (865) 974-0637 | |
Policy Training |
System Chief Information Security Officer |
(865) 974-0637 |
[Text Wrapping
Break]
SECTION 8. Policy History Revision #:
SECTION 9. Related Policies/Guidance Documents
- University Policies
- IT0001 – General Statement on Information Technology Policy
- IT0002 – Acceptable Use of Information Technology Resources
- IT0003 – Information Technology Security Program Strategy
- IT0004 – Information Technology Risk Management
- IT0014 – Security Awareness Training Management
- IT0017 – Information Technology Incident Response Management
- IT0102 – Information Technology Asset Management
- IT0311 – Information Technology Data Access, Management, and Recovery
- IT0506 – Information Technology Account and Credential Management
- IT1318 – Information Technology Network Monitoring and Defense and Penetration
- IT1516 – Information Technology Service Provider Management Application Software Security Management
- IT4912 – Information Technology Secure Configuration Management
- IT7810 – Information Technology Vulnerability Management, Audit Log Management, and Malware Defense
- Center for Internet Security Critical Security Controls Navigator https://www.cisecurity.org/controls/cis-controls-navigator/