
Boise State University data classification standards

Purpose

This document assists university personnel in identifying the level of security required to protect the data for which they are responsible. It specifies the details of the data classification standards referred to by the following policies:

  • 8020 Server Administration
  • 8030 Desktop, Laptop, and Tablet PC Computing Standards
  • 8060 Information Privacy and Data Security

Scope

All university data must be classified into one of the four categories below in order to determine the appropriate security measures for protecting it. Policy 8000 allows for limited personal use of university computing equipment. Data created and stored on a university computer for personal use is not necessarily considered university data; however, university data stored on non-university IT resources must still be verifiably protected according to the respective university Minimum Security Standards.

Standards

Specific laws and regulations govern various types of data. The confidentiality, integrity, and availability requirements of the data are also factors in determining its classification.

Restricted data

Restricted data is sensitive data intended for limited, specific use that must be protected as specifically required by law (e.g., HIPAA, FERPA, Sarbanes-Oxley, Gramm-Leach-Bliley), industry regulation (PCI-DSS), government controls (CUI, ECI, FISMA, CDI), Non-Disclosure Agreements (NDA) in the research and creative activity space, or university rules and regulations. This is the most sensitive data of the university and must be safeguarded in accordance with the requirements applicable to each type (i.e., some Restricted data types require more rigorous controls than others).

Confidential data

Confidential data is intended for limited university business use only, with access restricted to personnel with a legitimate need. That group may be small (e.g., only designated security personnel) or large (e.g., all student advisors or all faculty). This classification also includes data that is not subject to public disclosure and that the university is required to keep confidential under legal agreements, policies, or third-party agreements such as vendor contracts and MOUs.

It also includes Boise State proprietary institutional information, and personally identifiable information collected and retained by Boise State about any member or affiliate of the Boise State community, that would require a Freedom of Information Request to disclose.

Internal data

Internal data is information used for official university business that must be safeguarded for proprietary, ethical, or privacy reasons and protected from unauthorized access, modification, transmission, storage, or other use. This data is not intended to be shared with the public; however, it is generally releasable in accordance with the Idaho Public Records Act. Because this data may include potentially sensitive information, applicable privacy laws will be considered before it is released.

Public data

Public data is information not otherwise classified as Restricted, Confidential, or Internal; it is not required to be secured.

Data management plan

A data management plan is required for all systems using Restricted or Confidential data. Any device with Restricted or Confidential data must meet all of the requirements outlined in the Minimum Security Standards and Data Use Guidelines. In addition:

  • Data is never transferred to another person outside of the defined system
  • USB drives, external media, email, IM, or chat are never used to transfer the data
  • Shared network drives may be authorized by request to the Chief Information Security Officer
  • Printed data of this classification must be secured in a locked drawer and shredded after use
  • The data management plan must define dates of data destruction or return
  • The data management plan must also define dates of plan review or renewal
  • Additional security required by contracts, sponsors, or providers will be documented in the data management plan

Note that Boise State’s research environment for HIPAA and Covered Defense Information is cloud-hosted. Research with this data requires that the hosting expenses be included in the grant proposal or funded through other means. Alternatively, the information technology infrastructure of the contracting organization may be used.

Non-compliance and exceptions

A Request for Exception, along with a plan for risk assessment and management, can be submitted via ServiceNow. Non-compliance with these standards may result in revocation of access, notification of supervisors, and reporting to the Office of Internal Audit and Institutional Compliance.

Updates

Created: January 2016

Last Update: February 2026

Next Review: February 2027