UCCS Guidance on Information Asset Classification

Background

University of Colorado system-wide policy statement "IT Security in University Operations, Continuity, and Contracting" requires departments to maintain inventories of their information and IT resources. The inventories are to include criticality and sensitivity classifications as defined in the accompanying procedure "Information Classification". This allows the department, and the university as a whole, to better track information assets and determine IT-related risk.

This document expands upon these policy statements with specific guidance, expanded definitions, and examples for classification of information and IT resources on the UCCS campus.

Classifications

The policy statements cover two categories of classification, criticality and sensitivity, each with multiple levels. Criticality relates to the importance of the information or resource to the university’s or department’s mission. Sensitivity relates to any restrictions on access to the information.

Criticality

Criticality is divided into four levels (listed in ascending order of criticality): derived, non-essential, essential and life/safety. These levels can be applied to either information or resources, except derived, the definition of which makes the level inapplicable to resources.

Keep in mind that inter-departmental dependencies might impact the criticality of assets. For example, a department might consider data exports to other departments to be non-essential, whereas the departments receiving those exports might consider them essential. In this situation, the data exports should be considered essential, as their loss has a significant impact on the ability of a portion of the university to function. Departments providing services or data to other departments should check criticality levels with the consuming departments.

Derived information is defined as:

Information that is derived from other systems and can be wholly recovered from those systems. The loss of Derived information and/or processing platforms would be an irritant but would not impact operations.

This is information that you may not keep redundant copies of, or only keep redundant copies for convenience. Much of the information not originally generated within the department falls into this category if the original source is available for new copies in the event of data loss. Examples of such data include:

  • A database of majors in an academic department that was generated from the Student Information System (SIS)
  • A copy of a file received from the original author, perhaps as an e-mail attachment (in this situation, the copy held by the author would not be derived, but additional copies would be)
  • Local copy of research data from another institution (assuming the original is still available)

Non-essential information is defined as:

Information that is Non-Essential to the mission of the business unit that can be restored after all Essential information is made available. The acceptable loss of Non-Essential information or an IT resource that processes Non-Essential information would typically be expressed in days.

Unlike derived information, the only copy of this information may reside within the department, creating a need for backup and recovery plans. Loss of non-essential information or resources may cause minor disruption, but should not have a major impact on the primary functions of the department, and the department could function for at least several days without it. Examples of such information and resources include:

  • Information accessed infrequently (e.g. an address list for a monthly newsletter or low-traffic web pages)
  • Documents not actively being accessed or worked on (e.g. budgets from prior years, syllabi for prior semesters, documents from non-current projects)
  • A desktop computing system (assuming other systems are available for use or the computer was not essential to the user’s work)

Essential information is defined as:

Information that is essential to the mission of the business unit that must be restored as quickly as possible. The loss of Essential information and/or its processing platforms would adversely affect operations and/or the University’s reputation. The acceptable loss or unavailability of Essential information or an IT resource that processes Essential information would typically be expressed in hours.

The differentiating factors between non-essential and essential information and resources are the impact of the loss and the necessary turn-around time for restoring availability of the asset. These assets are important to the function of the university as a whole or the function of a specific department. In the event of a disaster, the restoration of essential assets would be prioritized over the restoration of non-essential assets. Departments should endeavor to have reasonable levels of redundancy and other precautions to avoid loss of availability of essential assets. Examples of such information and resources include:

  • E-mail and e-mail servers
  • Networking components
  • Purchase transaction systems

Life/Safety information is defined as:

Information to support life and safety which must be available at all times, especially in a disaster. The loss or unavailability of Life/Safety information and/or IT resources could be catastrophic in terms of the University’s reputation, operations, and/or exposure to litigation. Systems that store, process, or communicate Life/Safety information are typically highly redundant and are the first systems to be recovered during a disaster. The acceptable loss or unavailability of Life/Safety information or an IT resource that processes Life/Safety information would typically be expressed in terms of imminent threat to human life.

Life and safety information and resources are those that, if unavailable, create a risk to the safety of students, employees or community members. These assets should have high levels of redundancy and protection as well as highly developed recovery processes. Examples of such information and resources include:

  • Telephone systems (for contacting emergency personnel)
  • Physical access control systems (ensuring the safety of residents and employees)
  • Patient records (ensuring proper medical care)

The criticality level associated with an asset should be recorded in a department’s information asset inventory. This allows for quick prioritization of assets during a disaster and is useful for decision-making processes.

Sensitivity

Information sensitivity is divided into three levels based on the appropriate level of access restrictions (in ascending order of access restriction): public, restricted and private.

Public information is defined as:

Information to which the general public may be granted access.

Public information is both information that is directly published to the public, like a public website, and information that may not be directly published to the public, but is available through an open records request. Examples of public information include:

  • Public website
  • University policies
  • Information that is legally or contractually required to be public (e.g. some grants may require public release of information)

Restricted information is defined as:

Non-public information (other than private information) that may cause harm to the University or to individuals if inappropriately used or disclosed. Examples include: inventories identifying the location of hazardous materials, research data with commercial or societal value, individual works of intellectual property, and risk assessments that highlight potential weaknesses in the University’s utility/service infrastructure.

The classification of ‘restricted’ is largely a catch-all for information that is not public, but is also not personally identifiable, which would result in a ‘private’ classification.

Examples of restricted information include:

  • Information covered by NDA or other contractual obligation of privacy
  • Work papers not covered by CORA

Private information is defined as:

Personal information about an individual which the individual can reasonably expect will not be made available to the public. This type of information includes personally identifiable information (PII, a category of personal information regulated by federal law), as well as other non-public personal information that would adversely impact an individual if inappropriately used or disclosed. In addition, the mishandling of private information may impact the University through financial and legal sanctions, loss of public confidence, and damage to University reputation. Examples of private information include Social Security numbers, bank account information, healthcare records, and educational records.

Since the disclosure of private information places individuals or the university at significant risk, strong measures should be taken to protect it from inappropriate access. Those working with private data should be educated on proper handling and security controls. Potential private information disclosures should be promptly reported to ensure quick and proper response. Disclosure of private information will likely require notification of the disclosure to impacted individuals.

In addition to a desire to protect students, employees and community members from unnecessary risk, UCCS is also bound by federal regulation with regard to student personal information under the Family Educational Rights and Privacy Act (FERPA).

For general FERPA information, see the FERPA website at the U.S. Department of Education at: http://www.ed.gov/policy/gen/guid/fpco/ferpa. There is also a FERPA training course available to UCCS employees on the Blackboard web-based training system at http://blackboard.cuonline.edu/

Examples of private information include:

  • Student records that include FERPA protected information (e.g. ???? or information on students who have requested privacy restrictions)
  • Social Security numbers
  • Credit card numbers or bank account details
  • Medical patient records