A newer version of this procedure was approved by Vice President Cramer on December 9, 2019. It will become effective on June 7, 2020. Please see SYS 1031.A_Approved_Effective June 7, 2020 pdf to familiarize yourself with the new policy. Further communication will occur prior to the effective date. The version of the procedure below is the prior version that will be effective until June 7, 2020.

Original Issuance Date: September 14, 2016
Last Revision Date: January 9, 2019

1. Purpose of Procedures

These procedures outline a method to classify data according to risk to the University of Wisconsin System and assign responsibilities and roles that are applicable to data.

2. Responsible UW System Officer

UW System Associate Vice President (AVP) for Information Security

3. Definitions

High Risk: Any data where the unauthorized disclosure, alteration, loss, or destruction may;

  • cause personal or institutional financial loss or the unauthorized release of which would be a violation of a statute, act or law;
  • constitute a violation of confidentiality agreed to as a condition of possessing or producing or transmitting data;
  • cause significant reputational harm to the University; or
  • require the University of Wisconsin System to self-report to the government and/or provide public notice if the data is inappropriately accessed.

Moderate Risk: Any data if released to unauthorized individuals could have a mildly adverse impact on the institution or UW System mission, safety, finances, or reputation. Data not specifically identified in another level is categorized as a “Moderate Risk.”

Low Risk:  Any data where the unauthorized disclosure, alteration, loss, or destruction would have no adverse impact on the mission, safety, finances, or reputation of the institution or UW System. Generally public information is classified as low risk.

Data Steward:  An individual who has direct responsibility to ensure that a data domain is classified appropriately. The data steward collaborates with institutional Security, Privacy and Data Officers.

Compensating Control:  A data security measure that is designed to satisfy the requirement for some other security measure that is deemed too difficult or impractical to implement and that meets the intent and rigor of the original control.

Institutions:  All research and comprehensive UW System universities and associated branch campuses, UW Shared Services, and UW System Administration.

4. Procedures

These procedures establish a minimum baseline for data classification. It may be permissible to substitute a compensating control for a particular item below provided it meets the intent and rigor of the original control. Compensating controls shall be documented in writing and submitted by the institutional CIO to the UW System Chief Information Security Officer (CISO) for review. If there are any concerns, the institutional CIO and UW System CISO will engage with subject matter experts as needed. Upon recommendation by the UW System CISO, in concurrence with the UW System CIO, the compensating control will be routed to the UW System AVP for Information Security for approval. Resolution will be forwarded to the institutional CIO.

i. Each institution shall identify a qualified data steward(s) for each data domain controlled by the institution. For the purpose of these procedures, it is the responsibility of the data steward to work with Security, Privacy, and/or Data Officers to assure that the data is classified appropriately.

ii. Each institution shall provide training for their data stewards to ensure they understand their responsibilities and to enhance consistent classification of data..

iii. Each data steward must identify the major system(s) where their data resides, classify those systems according to the classifications defined in UW System Administrative Policy 1031, Information Security: Data Classification, document this classification in a hard copy or electronic format, and implement appropriate controls.

iv. Data stewards shall review data classification(s) at least annually.

v. Data covered by the Family Educational Rights and Privacy Act (FERPA) may contain elements from multiple classifications (i.e. data domains). The composition of these data domains may result in either a moderate or a high risk data classification. In these cases, protections prescribed by federal law will take precedence.

vi. Examples of data elements for each of the classifications include:

High Risk:

  • information protected from unauthorized disclosure by legislation such as the Health Insurance Portability and Accountability Act (HIPAA), or industry standards such as Payment Card Industry Data Security Standard (PCI DSS));
  • information referenced in s. 134.98, Wis. Stats.. An individual’s last name and the individual’s first name or first initial, in combination with and linked to any of the following elements, if the element is not publicly available information and is not encrypted, redacted, or altered in a manner that renders the element unreadable:
  • Social Security Numbers;
  • driver’s license numbers and state resident/personal identification numbers;
  • financial account numbers (including credit or debit card numbers, bank account numbers) and associated security codes or passwords granting access to an individual’s account; or
  • deoxyribonucleic acid profile (as defined in s. 939.74(2d)(a)), Wis. Stats., or other unique physical biometric data (incl. fingerprint, voice print, retina/iris image) that can be used to identify an individual.
  • protected health information (e.g., any information about the health status, provision of health care, or payment, excepting workers compensation);
  • student educational records regulated under FERPA in conjunction with identifying references such as Social Security numbers or student identification numbers (excluding directory data);
  • login/password credentials granting access to high risk data;
  • trade secrets or information which the UW System, by choice, contract, or other agreement, has committed to ensuring confidentiality;
  • information and/or documentation where release would significantly impair the ability to secure the UW System data, operations and facilities;
  • University information that is statutorily exempt from public records requests per s. 19.31, et seq., Wis. Stats.

Moderate Risk:

  • information that is proprietary or produced only for use by members of the UW System community, such as project plans, email reports, and procedure documents plans;
  • student educational records without identifying references;
  • FERPA-related information not specifically classified as high risk
  • institutionally developed and/or owned computer applications and/or source code not designated as in the public domain;
  • directory information for employees who have chosen to withhold their personal information;
  • information used for internal purposes or exchanged pursuant to contract that is not considered high risk such as drafts;
  • donor or other third party partner information maintained by the University;
  • proprietary financial, budgetary or personnel information not explicitly authorized for public release;
  • emails and other communications regarding internal UW System matters which have not been specifically approved for public release;
  • unpublished research data not considered high risk.

Low Risk:

  • published “white pages” directory information;
  • maps, university websites or brochures intended for public use;
  • course catalogs and timetables;
  • press releases; and
  • institutional statements and other reports filed with federal or state authorities and generally available to the public.

5. Related Documents

Regent Policy Document 25-5, Information Security
UW System Administrative Policy 1031, Information Security: Data Classification and Protection
Information Security Compensating Control Request Form

6. History

Revision 2: January 9, 2019
Revision 1: July 31, 2017
First approved: September 14, 2016