Original Issuance Date: September 14, 2016
Last Revision Date: January 9, 2019
1. Policy Purpose
The purpose of this policy is to establish a method of categorizing data assets based on risk to the University of Wisconsin System and to establish specific minimum standards for data handling across the UW System. This policy also ensures that the UW System manages data in a consistent and appropriate manner.
2. Responsible UW System Officer
UW System Associate Vice President (AVP) for Information Security
3. Scope
This policy applies to all University of Wisconsin System data. This policy should be incorporated into contracts with third-party providers.
4. Background
The President of the University of Wisconsin System is empowered to establish information security policies under Regent Policy Document 25-5, Information Security: Information Technology. The UW System is committed to a secure information technology environment in support of its mission. In order to establish the safeguards required for particular types of data, it is necessary to determine the level of risk associated with the data. Data classification assigns such levels and determines the extent to which technical, administrative, and physical controls should be applied to protect the data from theft, alteration, loss of integrity, and/or misuse. Data handling controls must be implemented commensurate with the sensitivity of the data and the risk to the UW System. This policy also seeks to ensure strong and consistent data handling standards throughout the UW System, and thereby appropriate protection from threats to the integrity, confidentiality, and availability of the UW System’s data.
5. Definitions
Data Steward: An individual who has direct responsibility to ensure that a data domain is classified appropriately. The data steward collaborates with institutional Security, Privacy and Data Officers.
Institutions: All research and comprehensive UW System universities and associated branch campuses, UW Shared Services, and UW System Administration.
6. Policy Statement
A. Data Classification
Data may be classified as:
i. High Risk: Any data where the unauthorized disclosure, alteration, loss, or destruction may:
- cause personal or institutional financial loss, or constitute a violation of a statute, act, or law if released without authorization;
- constitute a violation of confidentiality agreed to as a condition of possessing or producing or transmitting data;
- cause significant reputational harm to the University; or,
- require the UW System to self-report to the government and/or provide public notice if the data is inappropriately accessed.
There may be data which, if there were unauthorized disclosure, alteration, loss, or destruction, may cause effects that are catastrophic to human life. This type of data shall be protected as High Risk data and additional protections should be evaluated on a case-by-case basis.
ii. Moderate Risk: Any data that, if released to unauthorized individuals, could have a mildly adverse impact on the institution or UW System mission, safety, finances, or reputation. Data not specifically identified in another level is categorized as “Moderate Risk”.
iii. Low Risk: Any data where the unauthorized disclosure, alteration, loss, or destruction would have no adverse impact on the mission, safety, finances, or reputation of the institution or UW System. Generally, public information is classified as low risk.
The data steward(s) of each domain shall evaluate and classify data for which he or she is responsible according to the definitions in this policy and the procedures specified in UW System Administrative Procedure 1031.A, Information Security: Data Classification. A data steward may classify specific data elements at a higher level than identified in the procedure. A data steward may not reclassify to a lower level any data that is specifically classified in the procedure.
The required data classification procedures to implement this section are specified in UW System Administrative Procedure 1031.A, Information Security: Data Classification.
B. Data Protection
All information shall be kept in a manner consistent with appropriate controls and procedures commensurate with its data classification, and with the protections outlined in UW System Administrative Procedure 1031.B, Information Security: Data Protections.
Information shall also be maintained according to appropriate UW System record retention policies, applicable state and federal laws, and State of Wisconsin policies.
FERPA data may contain elements drawn from multiple data domains, each with its own classification. The combination of these domains may result in either a High Risk or Moderate Risk classification for the resulting data set. In these cases, the protections prescribed by federal law take precedence.
7. Related Documents
Regent Policy Document 25-5, Information Security
UW System Administrative Policy 1030, Information Security: Authentication
UW System Administrative Procedure 1030.A, Information Security: Authentication
UW System Administrative Procedure 1031.A, Information Security: Data Classification
UW System Administrative Procedure 1031.B, Information Security: Data Protections
8. Policy History
Revision 2: January 9, 2019
Revision 1: July 31, 2017
First approved: September 14, 2016
9. Scheduled Review