
Boise State University Data Classification Standards

Updated January 2016

Purpose

The purpose of this standard is to assist Custodians, Users, Managers, and Information Service Providers (as defined in Boise State Policy 8060 “Information Privacy and Data Security”) in identifying what level of security is required to protect the data for which they are responsible. The audience for this document is all faculty, staff, student employees, contractors, and vendors working with Boise State University data.

The information covered in this standard includes, but is not limited to, information that is stored or shared by any means. This includes electronic information, information on paper, and information shared orally or visually (for example by telephone or video conferencing).

This standard divides data into three levels that correlate to associated risk levels:

Level One data or Level-1 (High) Risk

  • Private information that must be protected as required by law or industry regulation

Level Two data or Level-2 (Moderate) Risk

  • Protected information that may be made available in response to Freedom of Information Act requests to examine or copy records

Level Three data or Level-3 (Low) Risk

  • Public information

Questions about the proper classification of a specific piece of information should be addressed to your manager. Questions about this standard should be addressed to the Chief Information Security Officer at 426-5701.

I.  Data Classification Standard

There are specific laws and regulations that govern some kinds of data. Additionally, there are situations where you must consider whether the confidentiality, integrity, or availability of the data is a factor. Finally, consider that you may be storing information on more than one system, such as when moving data between computers by CD or flash drive. If you rate only your primary computer as Level One, but not your secondary computer or the transfer media, the secondary computer or storage media could put the data at risk if it isn’t well protected.

Level One Data

University data protected specifically by federal or state law (HIPAA, FERPA, Sarbanes-Oxley, Gramm-Leach-Bliley), by industry regulation (PCI-DSS), or by Boise State University rules and regulations (specific donor and employee data). Also included are university data that are not otherwise protected by a known civil statute or regulation, but which must be protected because of contractual agreements imposing confidentiality, integrity, or availability requirements (e.g., Non-Disclosure Agreements, Memoranda of Understanding, Service Level Agreements, Granting or Funding Agency Agreements, etc.).

Note: Level One data must be protected at all times and must not be shared through unencrypted media such as email, instant messaging, or chat.

Follow this link for Level One Data Classification Examples
Follow this link to learn How to Classify Data

Examples of How Data Can Be Lost

  • Laptop or other data storage system stolen from car, lab, or office.
  • Research Assistant accesses system after leaving research project because passwords aren’t changed.
  • Unauthorized visitor walks into unlocked lab or office and steals equipment or accesses unsecured computer.
  • Unsecured application on a networked computer is compromised and data stolen.

Impact of Level One Data Loss

  • Long-term loss of research funding from granting agencies.
  • Long-term loss of reputation. Published research called into question because data is unreliable.
  • Unauthorized tampering with research data.
  • Increased regulatory requirements.
  • Long-term loss of critical campus or departmental service.
  • Individuals put at risk for identity theft.

Protect Level One data by applying the appropriate Minimum Security Standards.

Level Two Data

University data not otherwise identified as Level One data, but which are releasable in accordance with Freedom of Information Act requests to examine or copy records (e.g., contents of specific e-mail, date of birth, salary, etc.). Such data must be appropriately protected to ensure a controlled and lawful release.

Examples of How Data Can Be Lost

In addition to the scenarios described for Level One Data:

  • Staff member wanting to be helpful releases information they are not authorized to share.

Impact of Level Two Data Loss

  • Short-term loss of reputation.
  • Short-term loss of research funding.
  • Short-term loss of critical departmental service.
  • Unauthorized tampering with research data.
  • Individuals put at risk for identity theft.

Protect your Level Two data by applying the appropriate Minimum Security Standards.

Level Three Data

University data not otherwise identified as Level One or Level Two data (e.g., publicly available information). Such data have no requirement for confidentiality, integrity, or availability.

Examples of How Data Can Be Lost

  • See the above scenarios.

Impact of Level Three Data Loss

  • Loss of use of personal workstation or laptop.
  • Loss of personal data with no impact to the university.

Protect Level Three data by applying the appropriate Minimum Security Standards.

II. Scope

All university data must be classified into one of the three levels in order to determine how to implement appropriate security measures to protect it. This standard emphasizes steps that you can take to protect data. For example, Level One information should not be left unattended in conference rooms or offices. Systems storing or sharing data will be configured consistent with the university Minimum Security Standards for Systems. Level One data has more stringent requirements than Levels Two and Three. However, all three levels require some protective measures to mitigate risk.

Data that is personal to the operator of a system and stored on a university IT resource as a result of incidental personal use is not considered university data. University data stored on non-university IT resources must still be verifiably protected according to the respective university minimum security standards.

III.  Responsibility

All users of Boise State IT resources are responsible for compliance with this standard.

IV.  Procedures

A. Non-Compliance and Exceptions: Non-compliance with these standards may result in revocation of system or network access, notification of supervisors, and reporting to the Office of Internal Audit.

Related Boise State Policies, Procedures, Best Practices and Applicable Laws

Data Classification Examples

How to Classify Data

Boise State Information Privacy and Security Policy

Boise State Information Resource Use Policy

Minimum Security Standards for Systems

Portions of this document are adapted with permission from the University of Texas at Austin, Stanford University, and the SANS Institute Security Policy Project.
