Rule 4-004C Data Classification and Encryption Rev. 1
- PURPOSE AND SCOPE
- The purpose of this Data Classification and Encryption Rule is to describe requirements for managing University electronic data and Information Assets.
- This Rule supports section C, titled Data Classification and Encryption, of the University of Utah Information Security Policy 4-004.
- DEFINITIONS
The definitions provided in Policy 4-004: University of Utah Information Security Policy, apply for purposes of this Rule, including the following:
- Confidential – Any Information Asset which is classified as Restricted or Sensitive per the Data Classification and Encryption Rule.
- Electronic Resource – Any resource used for electronic communication, including but not limited to internet, Email, and social media.
- Information Asset – Data or knowledge stored in any electronic manner and recognized as having value for the purpose of enabling University to perform its business functions.
- Information System – An Application or group of Servers used for the electronic storage, processing, or transmitting of any University data or Information Asset.
- IT Technicians – IT Technicians develop, administer, manage and monitor the IT Resources, Information Systems, and Electronic Resources that support the University’s IT infrastructure, are responsible for the security of the IT Resources, Information Systems, and Electronic Resources they manage, and assure that security-related activities are well documented and completed in a consistent and auditable manner.
- IT Resource – A Server, Workstation, Mobile Device, medical device, networking device, web camera or other monitoring device, or other device/resource that is a) owned by the University or used to conduct University business regardless of ownership; b) connected to the University's network; and/or c) that is creating, accessing, maintaining, or transmitting Information Assets and used for electronic storage, processing or transmitting of any data or information.
- Mobile Device – A portable, handheld electronic computing device that performs similar functions as a Workstation (e.g. iPhone, Android phone, Windows phone, Blackberry, Android tablet, iPad, Windows tablet, etc.).
- Restricted Data – Any data types classified as Restricted per the Data Classification and Encryption Rule.
- Sensitive Data - Any data type classified as Sensitive per the Data Classification and Encryption Rule.
- Server – Hardware and software, and/or Workstation used to provide information and/or services to multiple Users.
- Workstation - An electronic computing device, terminal, or any other device that performs as a general-purpose computer equipped with a microprocessor and designed to run commercial software (such as a word processing application or Internet browser) for an individual User (e.g. laptop, desktop computer, PC, Mac, etc.).
- RULE
- Data Classification
- University electronic data must be classified according to the Data Classification Model described in this Rule, and shall be continually evaluated to determine the appropriate classification. The Data Classification Model will be used to determine the appropriate data classification for data created, maintained, processed, or transmitted using IT Resources, Information Systems, and Electronic Resources across the University. Under this Model data will be classified in accordance with external regulatory, internal regulatory, and other contractual requirements. This data classification model in no way supersedes any state or federal government classifications.
- These data classifications apply to electronic data that the University owns or has custody of, wherever it may be stored. This may include data stored at data centers, data accessed by or stored remotely on IT Resources, and the University data that is stored with contracted third parties including Business Associates, cloud service providers, vendors, contractors, and temporary staff. This data classification methodology in no way supersedes any state or federal government classifications or other contractual classifications.
- When a specific set of data is classified as fitting within a combination of two or more of the data classifications, that data shall be managed according to the most restrictive/secure applicable data classification.
- Data Classification Model

| | Restricted Data (High level of sensitivity) | Sensitive Data (Moderate level of sensitivity) | Public Data (Low level of sensitivity) |
|---|---|---|---|
| Legal Requirements | Protection of data is required by federal or state law or regulation, or contractual obligation, and may be subject to data breach notification requirements | Protection of data is required by the Data Steward or other confidentiality agreement | Protection of data is at the discretion of the Data Steward |
| Access | Only authorized individuals with approved access, signed confidentiality agreements, and a business need to know | Only authorized individuals with approved access and a business need to know | University of Utah affiliates and general public within the confines of the law |
| Data Types | Personally Identifiable Information (PII); Protected Health Information (PHI); Payment Card Industry (PCI); Financial information; Donor information | Intellectual Property; Designated Non-Public Academic Activity Information (DNPAAI); Employee information; Student information; Current litigation materials; Contracts; Physical building and utilities detail documentation | University of Utah history; Business contact data; Company directory; Maps |
- Restricted Data Types
- Personally Identifiable Information (PII)
- PII is protected by federal and state laws and regulations, including federal regulations administered by the U.S. Department of Homeland Security (DHS), and is defined by DHS as "any information that permits the identity of an individual to be directly or indirectly inferred, which if lost, compromised, or disclosed without authorization could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual." PII must be protected prior to release in accordance with the Utah Government Records Access Management Act (GRAMA) or other disclosures required by law.
- PII includes but is not limited to the following:
- Any of the following stand-alone elements:
- Full Social Security Number (SSN)
- Driver's license or State ID number
- Passport number
- Visa number
- Alien Registration Number
- Fingerprints or other biometric identifiers
- Full name in combination with:
- Mother's maiden name
- Date of birth
- Last 4 digits of SSN
- Citizenship or immigration status
- Ethnic or religious affiliation
- Protected Health Information (PHI)
- PHI is protected by the federal Health Insurance Portability and Accountability Act
(HIPAA) and includes all individually identifiable information that relates to the
health or health care of an individual, and specifically includes but is not limited
to the following:
- Any PII field in combination with the following medical modifiers:
- Diagnosis or ICD code
- Treatment or CPT code
- Provider name or number
- DEA number
- Physician name
- Treatment date
- Patient notes
- Psychiatric notes
- Patient photos
- Radiology images
- Payment Card Industry (PCI) Data
- PCI Data is data subject to the Payment Card Industry Data Security Standards (PCI-DSS),
developed by the PCI Security Standards Council and adhered to by the University,
and includes but is not limited to the following:
- Cardholder Data:
- Primary Account Number (PAN)
- Cardholder name
- Service code
- Expiration date
- Sensitive Authentication Data:
- Full magnetic stripe data
- CAV2/CVC2/CVV2/CID
- PIN/PINBlock
- Financial Information
- Financial information is governed by the Financial Accounting Standards Board (FASB)
and includes monetary facts about the University of Utah and/or other parties who
participate in financial transactions with the University that are used in billing,
credit assessment, loan transactions, and other similar activities, that must be protected
prior to release in accordance with GRAMA or other disclosures required by law. Financial
Information includes but is not limited to:
- Taxpayer identification number
- Credit ratings
- Account numbers
- Account balances
- Donor Information
- Donor Information is information about financial asset donations that has a stated
purpose at the bequest of the donor, and includes but is not limited to:
- Donor's full name
- Donor contact information
- Securities donated
- Real estate donations
- Planned giving arrangements
- Sensitive Data Types
- Intellectual Property
- Intellectual Property is electronic data that supports Inventions, as defined in University Policy 7-002.
- Designated Non-Public Academic Activity Information (DNPAAI)
- Designated Non-Public Academic Activity Information (DNPAAI) is information regarding
academic activities of an individual member of the University community (including
faculty, non-faculty academic personnel, staff, or student), which the individual
has, through approved procedures, specifically designated information that is not
intended to be made available to the general public. Such information may be reported
to University administrators for purposes of evaluation of the individual's performance,
and shared with limited sets of other persons for purposes of furthering the academic
activity, but in accord with the requirements and limitations of Policy [####] is
considered as sensitive information, not intended to be made accessible to the general
public.
- Types of information which an individual may choose to so designate, under the terms
of Policy [####] and associated Regulations, may include, for example:
- Academic research or teaching activities involving use of live animal research subjects, or other controversial matters
- Academic research or teaching activities involving control of hazardous materials, or technology which presents a high risk of harm to persons or property
- Academic service activities involving affiliation with an organization which, if made known to the general public, may result in risk of bodily or other harm to the individual.
- As more fully described in Policy [####] and associated Regulations, an individual wishing to designate specified information as intended to be non-public does so through the appropriate University procedures applicable for periodic reporting of academic activity information. For example, a faculty member submitting information to the University administration through the Faculty Activity Report (FAR) system designates for each submitted set of information whether it is to be made accessible to the general public as part of the Faculty Profile published by the University regarding that individual, or intended to not be made accessible
- {Drafting note: it will be explained in the companion Policy [####], to be developed in a later phase of this project, that even for information which an individual has designated as non-public, the University's ability and obligation to limit public access to that information is constrained by federal and state laws which allow certain types of information to be obtained on request, as for example the Utah Government Records Access Management Act}.
- Employee Information
- Employee information is managed by Human Resources, protected by state or federal laws and regulations, including regulations of the United States Department of Labor, and is data directly associated with an employee or applicant for employment, which must be protected prior to release in accordance with the Government Records Access Management Act (GRAMA). Employee information includes but is not limited to the following:
- Contents of Employment applications, other than Restricted Personally Identifiable Information (PII)
- Personnel files
- Performance evaluations
- Benefits information
- Salary
- Student Information
- Student information is protected by the federal Family Educational Rights and Privacy
Act (FERPA), and includes records, files, documents, and other materials that contain
information directly related to a student as a part of the student's Education Record
or Treatment Record, maintained by the University of Utah or by a party acting for
the University of Utah. Student information includes but is not limited to the following:
- Grades
- Class lists
- Student course schedules
- Disciplinary records
- Student financial records
- Payroll records for student employees (e.g. work study, assistantships, resident assistants)
- Current Litigation Materials
- Current litigation materials are electronically stored information that pertain to
a current litigation hold implemented by the University's Office of General Counsel.
These include but are not limited to:
- Word, Excel, PowerPoint documents
- PDF documents
- Calendar items
- Electronic voice mail
- USB drives
- Contracts
- Electronic copies of agreements, to which the University is a party, creating obligations enforceable by law.
- Physical building and utilities detail documentation, including images {explanation of Building Info still to be developed}
- Data Encryption
- All data encryption decisions must be formally documented, and shall be considered in the context of the data at rest and data in motion. IT professionals must work in cooperation with the Information Security Office to determine encryption requirements, as these requirements may change due to the University's technology equipment, an emerging threat, and/or in response to regulatory requirements.
- Data At Rest Requirements
- For University data stored outside the University:
- Restricted data: encryption is required in a manner that supports the burden of proof in accordance with applicable state or federal safe harbor guidance.
- Sensitive data: encryption is strongly recommended and should be in accordance with the Data Steward's requirements.
- Public data: encryption is encouraged and should be in accordance with the Data Steward's requirements.
- For University data stored within the University:
- Restricted data on all Mobile Devices and laptops must be encrypted in a manner that supports the burden of proof in accordance with applicable state or federal safe harbor guidance.
- Restricted data on Servers and Information Systems will be encrypted as directed by risk analysis in a manner that supports the burden of proof in accordance with applicable state or federal safe harbor guidance.
- Sensitive data: encryption is strongly recommended and should be in accordance with the Data Steward's requirements.
- Public data: encryption is encouraged and should be in accordance with the Data Steward's requirements.
- Data In Motion Requirements:
- For University data transmitted outside of University's network:
- Restricted data: encryption is required in a manner that supports the burden of proof in accordance with applicable state or federal safe harbor guidance.
- Sensitive data: encryption is strongly recommended and should be in accordance with the Data Steward's requirements.
- Public Data: encryption is optional and should be in accordance with the Data Steward's requirements.
- For University data transmitted within the University network:
- Restricted data: encryption is recommended in a manner that supports the burden of proof in accordance with applicable state or federal safe harbor guidance.
- Sensitive data: encryption is strongly recommended and should be in accordance with the Data Steward's requirements.
- Public data: encryption is encouraged and should be in accordance with the Data Steward's requirements.
- Information Security Program Data Retention
- Information Security Program Documentation
- The Chief Information Security Officer shall be responsible for maintaining all information security program documentation. This documentation shall be made available for all University workforce members and Users.
- The Chief Information Security Officer shall be responsible for ensuring that any action, activity, or designation required by the information security program documentation is maintained in paper and/or electronic form. All such documentation shall be maintained as specifically required.
- Information Security Program Documentation Retention
- All information security program documentation, and all revisions of information security program documentation, shall be retained for six (6) years from the date of its implementation.
- No information security program documentation shall be destroyed before consultation with the Office of General Counsel, Chief Compliance Officer, and the Chief Information Security Officer.
- RULES, PROCEDURES, GUIDELINES, FORMS, and OTHER RELATED RESOURCES
- Rules
- Procedures
- Guidelines
- Forms
- Other Related Resources
- REFERENCES
- 45 C.F.R. 164: Health Insurance Portability and Accountability Act (HIPAA): Security and Privacy
- Family Educational Rights and Privacy Act of 1974 ("FERPA", 20 U.S.C. § 1232g)
- Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541)
- ISO 27002:2013, Information Technology - Security Techniques - Code of Practice for Information Security Controls
- NIST 800 Series, Federal Information Security Standards
- Policy 3-070: Payment Card Acceptance
- Policy 4-001: University Institutional Data Management
- Policy 4-003: World Wide Web Resources Policy
- Policy 5-111: Disciplinary Actions and Dismissal of Staff Employees
- Policy 6-400: Code of Student Rights and Responsibilities
- Policy 6-316: Code of Faculty Rights and Responsibilities
- Pub. 111-5, Division A, Title XIII, Subtitle D: Health Information Technology for Economic and Clinical Health Act (HITECH Act)
- Omnibus HIPAA Rule: 45 CFR Parts 160 and 164 - Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the HITECH Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule
- CONTACTS
- The designated contact Officials for this Policy are:
- Policy Owner (primary contact person for questions and advice): Chief Information Security Officer, 801-213-3397
- Policy Officer: Chief Information Officer, 801-581-3100
- These officials are designated by the University President or delegee, with assistance of the Institutional Policy Committee, to have the following roles and authority, as provided in University Rule 1-001:
- "A 'Policy Officer' will be assigned by the President for each University Policy, and will typically be someone at the executive level of the University (i.e., the President and his/her Cabinet Officers). The assigned Policy Officer is authorized to allow exceptions to the Policy in appropriate cases...."
- "The Policy Officer will identify an 'Owner' for each Policy. The Policy Owner is an expert on the Policy topic who may respond to questions about, and provide interpretation of the Policy; and will typically be someone reporting to an executive level position (as defined above), but may be any other person to whom the President or a Vice President has delegated such authority for a specified area of University operations. The Owner has primary responsibility for maintaining the relevant portions of the Regulations Library... [and] bears the responsibility for determining requirements of particular Policies...." University Rule 1-001-III-B & E
- HISTORY
- Current version: Revision 1, effective date: April 4, 2016
- Approved by Academic Senate: May 4, 2015
- Approved by Board of Trustees: May 12, 2015
- Background information for this version
Date: April 4, 2016