Responsible Office: Office of Cybersecurity
Last Review: 01/10/2022
Next Review: 01/10/2024
Contact: Chris Madeksho
At UTHSC, protecting our Institutional Information and IT Resources is critical to our mission of teaching, research, clinical care, and public service.
This Standard defines requirements for the appropriate classification of Institutional Information and IT Resources to ensure their confidentiality, integrity, and availability. It follows a risk-based approach that prescribes additional controls according to the level of protection each category needs. UTHSC’s investment in security controls is commensurate with the level of need for protection or availability of the Institutional Information.
This policy applies to any form of data, including paper documents and digital data stored on any type of media, and to the systems used to store, process, or transmit that data. It applies to all UTHSC employees and students, as well as to third-party agents authorized to access UTHSC data.
Availability – ensuring timely and reliable access to, and use of, information.
Confidentiality – preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Information Technology (IT) Resources – The collection of data and technology that support the achievement of organizational goals. IT Resources include hardware, software, vendors, users, facilities, data systems, and data.
Integrity – guarding against improper information modification or destruction and includes ensuring information accountability, non-repudiation, and authenticity.
Security Categorization – The process of determining the security category for data or an information system. Security categorization methodologies are described in Federal Information Processing Standard 199 (FIPS 199) and National Institute of Standards and Technology (NIST) SP 800-60. The security categorization helps identify the appropriate level of controls to be applied to the system or data.
Data/System Owner — The person who is ultimately responsible for the data and information being collected and maintained by their department or division, usually a member of senior management. The owner shall address the following:
- Review and inventory — Review and inventory IT resources within their areas of responsibility.
- Assignment of data and/or system classification labels — Assign classification based on the system or data type and potential impact level.
Data/System Custodian – The person or group responsible for applying the required security controls, based on the classification, as designated in GP-005-Data Security.
Data Users – The person who actually “touches” the information (enters, deletes, reads, processes, etc.). Users are responsible for taking reasonable precautions against disclosure of data they have access to. Users should not grant access to data without proper authorization from the Data Owner.
Campus Units – all units that collect and store data need to document their policies, procedures, and architectures that pertain to use, collection, and/or storage, regardless of the information format (electronic, paper, image, sound, etc.). This documentation should detail account creation and deletion, records retention and destruction, backup retention and destruction, and any other relevant procedures.
- Systems/Data need to be classified in each of the areas of Confidentiality (C), Integrity (I), and Availability (A).
- The process of data and system classification is accomplished by assigning a classification score of 0-3 in each of the areas of Confidentiality, Integrity, and Availability, with higher scores representing a higher level of sensitivity or criticality. The three scores need not match, e.g. Confidentiality 1 (C-1), Integrity 3 (I-3), and Availability 2 (A-2). Each system/dataset will have different security needs and controls based on risk, and this classification process allows the appropriate controls to be applied in each area. This process and examples are illustrated in Appendix A.
- While selecting classification levels, System/Data Owners should also assign an impact level in the areas of Confidentiality, Integrity, and Availability to quantify the potential impact of an adverse event in each of these areas. This process, along with examples and definitions, is illustrated in Appendix A.
- Data types should be identified and documented for each type of data that is transmitted, processed, or stored by the system or data set. These data types may have additional statutory requirements that must be assessed regarding security control implementation in addition to the baseline controls outlined in this standard. Data types that may need to be identified and associated with a system or data set are listed in Appendix B.
- The classification of data is independent of its format. For example, if personal health information is revealed in a video recording of a lecture, then that video file should be classified as C-3. If paper credit card receipts are stored, then they should be classified as C-3.
- Questions about classifying or handling the data should be directed to the Data Owner, your supervisor, or the Office of Cybersecurity. The Office of Cybersecurity can assist departmental users in developing appropriate controls and processes to protect data based on the classification rating.
- Report the misuse or compromise of systems that handle, store, or propagate any classification ranking one or above IMMEDIATELY to the Office of Cybersecurity at firstname.lastname@example.org.
- Data is scattered everywhere: it is stored, processed, and transmitted across numerous systems, devices, and users. The classification remains with the data, and the required protections follow that data wherever it goes.
- Context matters: the classification and impact ratings of a system/dataset depend on factors such as how it is used or accessed, who is using it, the volume of data, etc., and not solely on the information alone.
- The Institutional Review Board (IRB) may have additional policies or requirements regarding data associated with IRB approved studies that must be followed based on their compliance procedures.
- NIST 800-53, Security and Privacy Controls for Information Systems and Organizations
- NIST Glossary of Terms
- UTSA IT Policy IT0115 – Information and Computer System Classification
- Standards for Security Categorization of Federal Information and Information Systems (FIPS 199).
- GP-005-Data Security
GP-002 – Data & System Classification
Version: 7 // Effective: 01/09/2022
- GP-003 – Expectation of Privacy
- GP-004 – Acceptable Use of IT Resources
- GP-005.01 – Disposal or Destruction of Electronic & Non-Electronic Media
- GP-006 – Email
- GP-007 – Asset Management
- AT-001 – Training and Awareness
- AU-001 – Auditing & Logging Accountability
- AU-002 – Logging and System Activity Review
- CP-001 – Business Continuity Planning
- CP-002 – Information Security during a Disaster
- CS-001 – Device Life Cycle Security
- CS-002 – Personally Owned Device Security
- GP-002 – Appendix A – Classification, Impact, and System Security Plan Assignment
- GP-002 – Appendix B – Data that Must be Labeled as “C-3”