Boise State University Data Classification Standards
This document is to assist Custodians, Users, Managers, and Information Service Providers in identifying what level of security is required to protect data for which they are responsible. It specifies the details of the data classification standards as referred to by policies:
- 8020 Server Administration
- 8030 Desktop, Laptop, and Tablet PC Computing Standards
- 8060 Information Privacy and Data Security
All university data must be classified into one of the three categories in order to determine how to implement appropriate security measures to protect it. Policy 8000 allows for limited personal use of university computing equipment. Data created and stored on a computer for personal use is not considered university data. University data stored on non-university IT resources must still be verifiably protected according to the respective university Minimum Security Standards.
There are specific laws and regulations that govern various types of data. Confidentiality, integrity, and availability is also a factor in determining the classification of data.
Level One Data
Data that must be protected as specifically guided by law (HIPAA, FERPA, Sarbanes-Oxley, Gramm-Leach-Bliley), industry regulation (PCI-DSS), government controls (CUI, FISMA), or university rules and regulations. Level One Data may also be university information that is not otherwise protected by a known civil statute or regulation, but which must be protected due to contractual agreements (Non-Disclosure Agreements, Memoranda of Understanding, Service Level Agreements, Granting or Funding Agency Agreements) or is personally identifiable information with 3 or more identifiers. Research data level is determined through the IRB process. Sensitive Human Subject Data, as defined by the US Department of Health and Human Services is considered Level One data, while all other human subject research data will be Level Two.
A data management plan is required for all systems using Level One data. Any device with Level One data must meet all of the requirements outlined in the Minimum Security Standards. In addition:
- Data is never transferred to another person outside of the defined system
- USB, External Media, Email, IM or Chat are never used for transferring data
- Shared network drives may be authorized by request to the Chief Information Security Officer
- Printed Level One data must be secured in a locked drawer and shredded after use
- The data management plan must define dates of data destruction or return
- The data management plan must also define dates of plan review or renewal
Contracts, sponsors and or providers that require additional security will be documented in a data management plan.
Note that Boise State’s Research environment for HIPAA and Covered Defense Information is cloud hosted. To do research with this data requires expenses be included in the grant proposal or through other means. Alternatively we can use the information technology infrastructure of the contracting organization.
Level Two Data
Data not otherwise identified as Level Three Data, but which are releasable in accordance with Freedom of information Act Requests to Examine or Copy Records. Such data must be appropriately protected to ensure a controlled and lawful release.
Level Three Data
Data not otherwise identified as Level One or Level Two Data (e.g., publicly available). Such data have no requirement for confidentiality, integrity, or availability.
Non-Compliance and Exceptions
A Request for Exception, along with a plan for risk assessment and management, can be submitted at Help Desk Self Service. Non-compliance with these standards may result in revocation of access, notification of supervisors, and reporting to the Office of Internal Audit and Institutional Compliance.
Created: January 2016
Last Update: February 2022
Next Review: February 2023