Data Risk Classification Policy Revised


Published May 7, 2018. This content is archived.

The Data Risk Classification Policy, approved and signed by President Tripathi, is available in the University Policy Library.

Overview


The University at Buffalo is committed to protecting the confidentiality, integrity, and availability of data important to the university’s mission. All university data must be classified based on risk category and protected using the appropriate security measures consistent with the minimum standards for the classification category. The standard for protecting the data becomes more stringent as the risk from disclosure increases.

UB classifies its data into three risk-based categories to determine who is allowed to access the data and what security precautions are required to protect the data:

Data Classification

| Risk Classification | Risk From Disclosure |
|---|---|
| Category 1 - Restricted Data | High |
| Category 2 - Private Data | Moderate |
| Category 3 - Public Data | Low |

This policy facilitates applying the appropriate security controls to university data and assists data trustees in determining the level of security required to protect data.

Policy Revisions

The policy was revised to:

  • change the title of the policy from Data Classification Standard/Data Use Standard to Data Risk Classification
  • change the number of classification categories from four (i.e., Category I:  Regulated Private Data; Category II:  Protected Data; Category III:  Internal Use Data; Category IV:  Public Data) to three (i.e., Category 1 – Restricted Data, Category 2 – Private Data, Category 3 – Public Data); this change aligns the UB categories with the New York State Office of Information Technology Services Information Classification Standard
  • revise data role terminology
  • add HIPAA compliance reference
  • provide additional data risk classification guidance including
    • FIPS 199 security categorization definitions
    • Security standard crosswalks
    • Data Risk Classification Examples

Applicability

This policy applies to all university data and to all user-developed data sets and systems that may access these data regardless of the environment where the data reside (e.g., cloud systems, servers, personal computers, mobile devices). The policy applies regardless of the media on which data reside (e.g., electronic, printouts, CD, microfiche) or the form they may take (e.g., text, graphics, video, voice).

Data that is personal to the operator of a system and stored on a university information technology (IT) resource as a result of incidental personal use is not considered university data. University data stored on non-university IT resources must still be verifiably protected according to the respective university minimum security standards.

Guidance

Questions can be directed to the appropriate office.

| Contact | Phone | Email |
|---|---|---|
| Vice President and Chief Information Officer | 716-645-7979 | vpcio@buffalo.edu |
| Information Security Officer | 716-645-6997 | sec-office@buffalo.edu |
| Records Management Officer | 716-645-5464 | hines@buffalo.edu |