Data Classification and Security
DATE: June 4, 2012
TO: Deans, Directors, and Department Chairs
FROM: Elias G. Eldayrie
Vice President & CIO
SUBJECT: Data Classification Policy
It is a responsibility of all faculty and staff to secure the confidentiality of data stored at the University of Florida.
A crucial first step is identifying data requiring specific protection.
The university’s Data Classification policy http://www.it.ufl.edu/policies/information-security-and-compliance/data-classification/ provides the basis for protecting the confidentiality of UF data by establishing a data classification system. Deans, directors, and department chairs, in their roles as data owners, are responsible for classifying data used within their units. There are three classification levels:
* Restricted – Data in any format collected, developed, maintained or managed by or on behalf of the university, or within the scope of university activities that are subject to specific protections under federal or state law or regulations or under applicable contracts. Examples include, but are not limited to medical records, social security numbers, credit card numbers, Florida driver licenses, non-directory student records and export controlled technical data.
* Sensitive – Data whose loss or unauthorized disclosure would impair the functions of the university, cause
significant financial or reputational loss or lead to likely legal liability. Examples include, but are not limited to, research work in progress, animal research protocols, financial information, strategy documents and information used to secure the university’s physical or information environment.
* Open – Data that does not fall into any of the other information classifications. This data may be made generally available without specific information owner’s designee or delegate approval. Examples include, but are not limited to, advertisements, job opening announcements, university catalogs, regulations and policies, faculty publication titles and press releases.
Existing and future information security policies will specify required controls for specific data and information systems based upon these classifications. The full Data Classification policy and a guide to assist users are available at: www.it.ufl.edu/policies.