Rule 4-004C Data Classification and Encryption Rev. 1

  1. PURPOSE AND SCOPE
    1. The purpose of this Data Classification and Encryption Rule is to describe requirements for managing University electronic data and Information Assets.
    2. This Rule supports section C, titled Data Classification and Encryption, of the University of Utah Information Security Policy 4-004.
  2. DEFINITIONS
    The definitions provided in Policy 4-004: University of Utah Information Security Policy, apply for purposes of this Rule, including the following:
    1. Confidential - Any Information Asset which is classified as Restricted or Sensitive per the Data Classification and Encryption Rule.
    2. Electronic Resource – Any resource used for electronic communication, including but not limited to internet, Email, and social media.
    3. Information Asset – Data or knowledge stored in any electronic manner and recognized as having value for the purpose of enabling University to perform its business functions.
    4. Information System – An Application or group of Servers used for the electronic storage, processing, or transmitting of any University data or Information Asset.
    5. IT Technicians – IT Technicians develop, administer, manage and monitor the IT Resources, Information Systems, and Electronic Resources that support the University’s IT infrastructure, are responsible for the security of the IT Resources, Information Systems, and Electronic Resources they manage, and assure that security-related activities are well documented and completed in a consistent and auditable manner.
    6. IT Resource – A Server, Workstation, Mobile Device, medical device, networking device, web camera or other monitoring device, or other device/resource that is a) owned by the University or used to conduct University business regardless of ownership; b) connected to the University's network; and/or c) that is creating, accessing, maintaining, or transmitting Information Assets and used for electronic storage, processing or transmitting of any data or information.
    7. Mobile Device – A portable, handheld electronic computing device that performs similar functions as a Workstation (e.g. iPhone, Android phone, Windows phone, Blackberry, Android tablet, iPad, Windows tablet, etc.).
    8. Restricted Data - Any data types classified as Restricted per the Data Classification and Encryption Rule.
    9. Sensitive Data - Any data type classified as Sensitive per the Data Classification and Encryption Rule.
    10. Server – Hardware and software, and/or Workstation used to provide information and/or services to multiple Users.
    11. Workstation - An electronic computing device, terminal, or any other device that performs as a general-purpose computer equipped with a microprocessor and designed to run commercial software (such as a word processing application or Internet browser) for an individual User (e.g. laptop, desktop computer, PC, Mac, etc.).
  3. RULE
    1. Data Classification
      1. University electronic data must be classified according to the Data Classification Model described in this Rule, and shall be continually evaluated to determine the appropriate classification. The Data Classification Model will be used to determine the appropriate data classification for data created, maintained, processed, or transmitted using IT Resources, Information Systems, and Electronic Resources across the University. Under this Model data will be classified in accordance with external regulatory, internal regulatory, and other contractual requirements. This data classification model in no way supersedes any state or federal government classifications.
      2. These data classifications apply to electronic data that the University owns or has custody of, wherever it may be stored. This may include data stored at data centers, data accessed by or stored remotely on IT Resources, and the University data that is stored with contracted third parties including Business Associates, cloud service providers, vendors, contractors, and temporary staff. This data classification methodology in no way supersedes any state or federal government classifications or other contractual classifications.
      3. When a specific set of data is classified as fitting within a combination of two or more of the data classifications, that data shall be managed according to the most restrictive/secure applicable data classification.
    2. Data Classification Model

       Restricted Data (High level of sensitivity)
         Legal Requirements: Protection of data is required by federal or state law or regulation, or contractual obligation, and may be subject to data breach notification requirements.
         Access: Only authorized individuals with approved access, signed confidentiality agreements, and a business need to know.
         Data Types:
           • Personally Identifiable Information (PII)
           • Protected Health Information (PHI)
           • Payment Card Industry (PCI)
           • Financial information
           • Donor information

       Sensitive Data (Moderate level of sensitivity)
         Legal Requirements: Protection of data is required by the Data Steward or other confidentiality agreement.
         Access: Only authorized individuals with approved access and a business need to know.
         Data Types:
           • Intellectual Property
           • Designated Non-Public Academic Activity Information (DNPAAI)
           • Employee information
           • Student information
           • Current litigation materials
           • Contracts
           • Physical building and utilities detail documentation

       Public Data (Low level of sensitivity)
         Legal Requirements: Protection of data is at the discretion of the Data Steward.
         Access: University of Utah affiliates and general public within the confines of the law.
         Data Types:
           • University of Utah history
           • Business contact data
           • Company directory
           • Maps
    3. Restricted Data Types
      1. Personally Identifiable Information (PII)
        1. PII is protected by federal and state laws and regulations, including federal regulations administered by the U.S. Department of Homeland Security (DHS), and is defined by DHS as "any information that permits the identity of an individual to be directly or indirectly inferred, which if lost, compromised, or disclosed without authorization could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual." PII must be protected prior to release in accordance with the Utah Government Records Access Management Act (GRAMA) or other disclosures required by law.
        2. PII includes but is not limited to the following:
          1. Any of the following stand-alone elements:
            1. Full Social Security Number (SSN)
            2. Driver's license or State ID number
            3. Passport number
            4. Visa number
            5. Alien Registration Number
            6. Fingerprints or other biometric identifiers
          2. Full name in combination with:
            1. Mother's maiden name
            2. Date of birth
            3. Last 4 digits of SSN
            4. Citizenship or immigration status
            5. Ethnic or religious affiliation
      2. Protected Health Information (PHI)
        1. PHI is protected by the federal Health Insurance Portability and Accountability Act (HIPAA) and includes all individually identifiable information that relates to the health or health care of an individual, and specifically includes but is not limited to the following:
          1. Any PII field in combination with the following medical modifiers:
            1. Diagnosis or ICD code
            2. Treatment or CPT code
            3. Provider name or number
            4. DEA number
            5. Physician name
            6. Treatment date
            7. Patient notes
            8. Psychiatric notes
            9. Patient photos
            10. Radiology images
      3. Payment Card Industry (PCI) Data
        1. PCI Data is data subject to the Payment Card Industry Data Security Standards (PCI-DSS), developed by the PCI Security Standards Council and adhered to by the University, and includes but is not limited to the following:
          1. Cardholder Data:
            1. Primary Account Number (PAN)
            2. Cardholder name
            3. Service code
            4. Expiration date
          2. Sensitive Authentication Data:
            1. Full magnetic stripe data
            2. CAV2/CVC2/CVV2/CID
            3. PIN/PINBlock
      4. Financial Information
        1. Financial information is governed by the Financial Accounting Standards Board (FASB) and includes monetary facts about the University of Utah and/or other parties who participate in financial transactions with the University that are used in billing, credit assessment, loan transactions, and other similar activities, that must be protected prior to release in accordance with GRAMA or other disclosures required by law. Financial Information includes but is not limited to:
          1. Taxpayer identification number
          2. Credit ratings
          3. Account numbers
          4. Account balances
      5. Donor Information
        1. Donor Information is information about financial asset donations that has a stated purpose at the bequest of the donor, and includes but is not limited to:
          1. Donor's full name
          2. Donor contact information
          3. Securities donated
          4. Real estate donations
          5. Planned giving arrangements
    4. Sensitive Data Types
      1. Intellectual Property
        1. Intellectual Property is electronic data that supports Inventions, as defined in University Policy 7-002.
      2. Designated Non-Public Academic Activity Information (DNPAAI)
        1. Designated Non-Public Academic Activity Information (DNPAAI) is information regarding academic activities of an individual member of the University community (including faculty, non-faculty academic personnel, staff, or student), which the individual has, through approved procedures, specifically designated as information not intended to be made available to the general public. Such information may be reported to University administrators for purposes of evaluation of the individual's performance, and shared with limited sets of other persons for purposes of furthering the academic activity, but in accord with the requirements and limitations of Policy [####] is considered sensitive information, not intended to be made accessible to the general public.
          1. Types of information which an individual may choose to so designate, under the terms of Policy [####] and associated Regulations, may include, for example:
            1. Academic research or teaching activities involving use of live animal research subjects, or other controversial matters,
            2. Academic research or teaching activities involving control of hazardous materials, or technology which presents a high risk of harm to persons or property
            3. Academic service activities involving affiliation with an organization which, if made known to the general public may result in risk of bodily or other harm to the individual.
          2. As more fully described in Policy [####] and associated Regulations, an individual wishing to designate specified information as intended to be non-public does so through the appropriate University procedures applicable for periodic reporting of academic activity information. For example, a faculty member submitting information to the University administration through the Faculty Activity Report (FAR) system designates for each submitted set of information whether it is to be made accessible to the general public as part of the Faculty Profile published by the University regarding that individual, or intended to not be made accessible.
            1. {Drafting note: it will be explained in the companion Policy [####], to be developed in a later phase of this project, that even for information which an individual has designated as non-public, the University's ability and obligation to limit public access to that information is constrained by federal and state laws which allow certain types of information to be obtained on request, as for example the Utah Government Records Access Management Act.}
      3. Employee Information
        1. Employee information is managed by Human Resources, protected by state or federal laws and regulations, including regulations of the United States Department of Labor, and is data directly associated with an employee or applicant for employment, which must be protected prior to release in accordance with the Government Records Access Management Act (GRAMA). Employee information includes but is not limited to the following:
          1. Contents of Employment applications, other than Restricted Personally Identifiable Information (PII)
          2. Personnel files
          3. Performance evaluations
          4. Benefits information
          5. Salary
      4. Student Information
        1. Student information is protected by the federal Family Educational Rights and Privacy Act (FERPA), and includes records, files, documents, and other materials that contain information directly related to a student as a part of the student's Education Record or Treatment Record, maintained by the University of Utah or by a party acting for the University of Utah. Student information includes but is not limited to the following:
          1. Grades
          2. Class lists
          3. Student course schedules
          4. Disciplinary records
          5. Student financial records
          6. Payroll records for student employees (e.g. work study, assistantships, resident assistants)
      5. Current Litigation Materials
        1. Current litigation materials are electronically stored information that pertain to a current litigation hold implemented by the University's Office of General Counsel. These include but are not limited to:
          1. Word, Excel, PowerPoint documents
          2. PDF documents
          3. Email
          4. Calendar items
          5. Electronic voice mail
          6. USB drives
      6. Contracts
        1. Electronic copies of agreements, to which the University is a party, creating obligations enforceable by law.
      7. Physical building and utilities detail documentation, including images {explanation  of Building Info still to be developed}
    5. Data Encryption
      All data encryption decisions must be formally documented, and shall be considered in the context of the data at rest and data in motion. IT professionals must work in cooperation with the Information Security Office to determine encryption requirements, as these requirements may change due to the University's technology equipment, an emerging threat, and/or in response to regulatory requirements.
      1. Data At Rest Requirements
        1. For University data stored outside the University:
          1. Restricted data: encryption is required in a manner that supports the burden of proof in accordance with applicable state or federal safe harbor guidance.
          2. Sensitive data: encryption is strongly recommended and should be in accordance with the Data Steward's requirements.
          3. Public data: encryption is encouraged and should be in accordance with the Data Steward's requirements.
        2. For University data stored within the University:
          1. Restricted data on all Mobile Devices and laptops must be encrypted in a manner that supports the burden of proof in accordance with applicable state or federal safe harbor guidance.
          2. Restricted data on Servers and Information Systems will be encrypted as directed by risk analysis in a manner that supports the burden of proof in accordance with applicable state or federal safe harbor guidance.
          3. Sensitive data: encryption is strongly recommended and should be in accordance with the Data Steward's requirements.
          4. Public data: encryption is encouraged and should be in accordance with the Data Steward's requirements.
      2. Data In Motion Requirements:
        1. For University data transmitted outside of University's network:
          1. Restricted data: encryption is required in a manner that supports the burden of proof in accordance with applicable state or federal safe harbor guidance.
          2. Sensitive data: encryption is strongly recommended and should be in accordance with the Data Steward's requirements.
          3. Public Data: encryption is optional and should be in accordance with the Data Steward's requirements.
        2. For University data transmitted within the University network:
          1. Restricted data: encryption is recommended in a manner that supports the burden of proof in accordance with applicable state or federal safe harbor guidance.
          2. Sensitive data: encryption is strongly recommended and should be in accordance with the Data Steward's requirements.
          3. Public data: encryption is encouraged and should be in accordance with the Data Steward's requirements.
    6. Information Security Program Data Retention
      1. Information Security Program Documentation
        1. The Chief Information Security Officer shall be responsible for maintaining all information security program documentation. This documentation shall be made available for all University workforce members and Users.
        2. The Chief Information Security Officer shall be responsible for ensuring that any action, activity, or designation required by the information security program documentation is maintained in paper and/or electronic form. All such documentation shall be maintained as specifically required.
      2. Information Security Program Documentation Retention
        1. All information security program documentation, and all revisions of information security program documentation, shall be retained for six (6) years from the date of its implementation.
        2. No information security program documentation shall be destroyed before consultation with the Office of General Counsel, Chief Compliance Officer, and the Chief Information Security Officer.
      [Note: Parts IV-VII of this Rule (and all other University Regulations) are Regulations Resource Information--the contents of which are not approved by the Academic Senate or Board of Trustees, and are to be updated from time to time as determined appropriate by the cognizant Policy Officer and the Institutional Policy Committee, as per Policy 1-001 and Rule 1-001.]
  4. RULES, PROCEDURES, GUIDELINES, FORMS, and OTHER RELATED RESOURCES
    1. Rules
    2. Procedures
    3. Guidelines
    4. Forms
    5. Other Related Resources
  5. REFERENCES
    1. 45 C.F.R. 164: Health Insurance Portability and Accountability Act (HIPAA): Security and Privacy
    2. Family Educational Rights and Privacy Act of 1974 ("FERPA", 20 U.S.C. § 1232g)
    3. Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541)
    4. ISO 27002:2013, Information Technology - Security Techniques - Code of Practice for Information Security Controls
    5. NIST Special Publication (SP) 800 Series, Computer Security
    6. Policy 3-070: Payment Card Acceptance
    7. Policy 4-001: University Institutional Data Management
    8. Policy 4-003: World Wide Web Resources Policy
    9. Policy 5-111: Disciplinary Actions and Dismissal of Staff Employees
    10. Policy 6-400: Code of Student Rights and Responsibilities
    11. Policy 6-316: Code of Faculty Rights and Responsibilities
    12. Pub. L. 111-5, Division A, Title XIII, Subtitle D: Health Information Technology for Economic and Clinical Health Act (HITECH Act)
    13. Omnibus HIPAA Rule: 45 CFR Parts 160 and 164 - Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the HITECH Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule
  6. CONTACTS
    1. The designated contact Officials for this Policy are:
      1. Policy Owner (primary contact person for questions and advice): Chief Information Security Officer, 801-213-3397
      2. Policy Officer: Chief Information Officer, 801-581-3100
    2. These officials are designated by the University President or delegee, with assistance of the Institutional Policy Committee, to have the following roles and authority, as provided in University Rule 1-001:
    3. "A 'Policy Officer' will be assigned by the President for each University Policy, and will typically be someone at the executive level of the University (i.e., the President and his/her Cabinet Officers). The assigned Policy Officer is authorized to allow exceptions to the Policy in appropriate cases...."
    4. "The Policy Officer will identify an 'Owner' for each Policy. The Policy Owner is an expert on the Policy topic who may respond to questions about, and provide interpretation of the Policy; and will typically be someone reporting to an executive level position (as defined above), but may be any other person to whom the President or a Vice President has delegated such authority for a specified area of University operations. The Owner has primary responsibility for maintaining the relevant portions of the Regulations Library... [and] bears the responsibility for determining requirements of particular Policies...." University Rule 1-001-III-B & E
  7. HISTORY
    1. Current version: Revision 1, effective date: April 4, 2016
      1. Approved by Academic Senate: May 4, 2015
      2. Approved by Board of Trustees: May 12, 2015
      3. Background information for this version

Rule: 4-004C Rev: 1
Date: April 4, 2016
Last Updated: 8/4/21