The University Data Classification System has four levels ranging from Public to National Security Interest.
The Information Security Officers (ISOs) across the four campuses recognized the need to further differentiate security requirements for certain types of data. Within Data Classification Level 3 (DCL3) some data types such as protected health information (PHI), e-commerce, SSNs, etc. require more stringent security requirements that are not reasonable for other DCL3 data (ex: FERPA-protected student data).
Therefore Data Classification Level 4 (DCL4) has been redefined from National Security Interest to Highly Restricted. This change allows for a differentiation in security requirements of the data types listed above. Any data types requiring the most stringent security measures now fall within Level 4. While this will impact the security measures for DCL4 data, it does not decrease security requirements for DCL3 data.
What prompted the adjustments? What are the expected benefits from the change?
This change groups like data to ensure appropriate security measures. The ISOs reviewed the security measures and applicable statutory and regulatory requirements as well as industry best practices for meeting those requirements in the most effective and efficient manner. As a result DCL4 was redefined as Highly Restricted and now includes the data types requiring the most stringent security measures.
— Apr. 21, 2013