Data Classification Standard

Note:
This is a new version of the Data Classification Standard. The archived version can be found here: Data Classification Standard - Archived 

 

--------------------

The UC Berkeley Data Classification Standard is issued under the authority vested in the UC Berkeley Chief Information Officer by the UC Business and Finance Bulletin IS-3 Electronic Information Security (UC BFB IS-3).

Issue Date: November 7, 2019
Originally issued: July 16, 2012 (Administrative revision: April 22, 2013)
Effective Date: November 7, 2020 for Protection Levels; November 7, 2021 for Availability Levels.

Responsible Executive: Associate Vice Chancellor for Information Technology and Chief Information Officer
Responsible Office: Information Security Office
Contact: Email cybersecurity@ucdavisedu

I. Overview

The UC Berkeley Data Classification Standard is UC Berkeley’s implementation of the UC Systemwide Data Classification Standard. 

UC BFB IS-3 establishes that Institutional Information and IT Resources must be protected according to their classifications. This Standard is a framework for assessing the adverse impact that loss of confidentiality, integrity or availability of Institutional Information and IT Resources would have upon the Campus. It provides the foundation for establishing security requirements for each classification of data.

Summary definitions and examples are included below. Full definitions and additional examples are available in the UC Systemwide Standard and Guides. Additionally, UC Berkeley-specific guidance is available in the Campus Data Classification Guideline.

II. Scope

The Berkeley Data Classification Standard covers UC Berkeley Institutional Information and IT Resources. This Standard does not apply to Individually-Owned Data, which is defined as an individual’s own personal information that is not considered Institutional Information.

Note: Data classification does not alter public information access requirements. California Public Records Act or Federal Freedom of Information Act requests and other legal obligations may require disclosure or release of information from any category.

III. Definitions

Definitions of Key Terms (capitalized and italicized) used in this Standard are included in UC Berkeley’s Information Security Policy Glossary.

IV. Data Classification Levels

Business Impact

Considerations for evaluating potential adverse impact to UC Berkeley due to loss of data or resource confidentiality, integrity, or availability include:

  • Loss of critical Campus operations
  • Negative financial impact (money lost, lost opportunities, value of the data)
  • Damage to the reputation of the Institution
  • Risk of harm to individuals (such as in the case of a breach of personal information)
  • Potential for regulatory or legal action
  • Requirement for corrective actions or repairs
  • Violation of University of California or UC Berkeley mission, policy, or principles

Data Classification Table - Protection Levels

 

Each Protection Level below lists its Adverse Business Impact, its Definition, and Examples (not an exhaustive list). Examples may be updated in response to changes in UC systemwide policy and UC Berkeley campus-level risk decisions.
Protection Level P4
Adverse Business Impact: High

Definition: Institutional Information and related IT Resources that require notification to affected parties in case of a confidentiality breach. This category also includes data and systems that create extensive "Shared-Fate" risk, where a compromise would cause further and extensive compromise among multiple (even unrelated) sensitive systems.

Unauthorized disclosure or modification of P4 data or resources could result in significant fines or penalties, regulatory action, or civil or criminal violations. There is also an inherent significant risk to UC reputation and business continuity, along with harm or impairment to UC students, patients, research subjects, employees, or guests/program participants.

  • Data or systems that create extensive "Shared-Fate" risk between multiple sensitive systems, e.g., enterprise credential stores such as the CalNet credential database; Domain Name Service (DNS). This can include both campuswide and unit-level systems. 
  • Data elements with a Statutory Requirement for Notification to affected parties in case of a confidentiality breach, such as:
    • Social security number (SSN)
    • Driver's license number
    • California State identification number
    • Financial account numbers, credit or debit card numbers and financial account security codes, access codes, or passwords
    • Personal medical information, including protected health information (PHI) covered under HIPAA
    • Personal health insurance information
    • A username or email address, in combination with a password or security question and answer that would permit access to an online account
  • General Data Protection Regulation (GDPR) special categories (Article 9 ‘sensitive’) of identifiers.
  • Passwords, PINs and passphrases, or other authentication secrets that can be used to access P2 to P4 information or to manage IT Resources
  • Federal Controlled Unclassified Information (CUI)
  • Financial aid and student loan information
  • Financial, accounting, and payroll systems
  • Individually identifiable human subject research data containing P4 data elements, or that the Institutional Review Board (IRB) determines is high risk/P4
  • Individually identifiable human genetic information
  • High risk export controlled data or technology (DoE 10 CFR Part 810, high-risk EAR/ITAR). Contact the Export Control Office for a determination.
  • Industrial Control Systems affecting life and safety
  • Passport documentation (images and numbers)

Protection Level P3 (formerly UCB PL1)
Adverse Business Impact: Moderate

Definition: Institutional Information and IT Resources whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in moderate fines, penalties or civil actions. This classification level also includes lower risk items that, when combined, represent an increased risk.

Unauthorized disclosure or modification of P3 data or resources could result in legal action, harm the privacy of a group, cause moderate financial loss, or contribute to reputational damage.

  • Personally identifiable information not already classified as P4. Includes personal information as defined in the General Data Protection Regulation (GDPR)
  • FERPA-Protected Student Records (including Student ID) not containing P4 information. Does not include P2 Public Directory Information
  • Security camera recordings
  • Building entry records
  • Data related to animal research projects 
  • Attorney-Client Privileged Information
  • Research information classified as Protection Level 3 (P3) by an Institutional Review Board (IRB)
  • Low risk export controlled data or technology (EAR/ITAR). Contact the Export Control Office for a determination.
  • IT security information, exception requests and system security plans
  • Staff and academic Personnel Records (including Employee ID) not containing P4 information. Does not include P2 Public Directory Information
  • Medical devices supporting diagnostics (not containing P4 information)
  • Industrial control systems affecting operations

Protection Level P2 (formerly UCB PL0 and PL1)
Adverse Business Impact: Low

Definition: Institutional Information and IT Resources that may not be explicitly protected by statutes or other contractual regulations, but are not commonly intended for public use or access and should only be accessed on a need-to-know basis.

Unauthorized disclosure or modification of P2 data could result in minor damage or small financial loss, or cause a minor impact on the privacy of an individual or group.

  • Information intended for release only on a need-to-know basis, including personal information not otherwise classified as P1, P3 or P4
  • Non-P3/P4 data protected or restricted by contract, grant, or other agreement terms and conditions
  • De-identified human subject or patient information (with negligible re-identification risk and no Notice-Triggering data elements)
  • Routine email and business records not containing P3 or P4 information
  • Exams (questions and answers)
  • Calendar information not containing P3 or P4 information
  • Meeting notes not containing P3 or P4 information
  • Non-public research using publicly available data
  • Public Directory Information for faculty, staff, and students who have not requested a FERPA block
  • Licensed software/software license keys
  • Library paid subscription electronic resources

Protection Level P1 (formerly UCB PL0)
Adverse Business Impact: Minimal

Definition: Information intended for public access, but whose integrity is important. For P1, unauthorized modification is the primary protection concern. The application of minimum security requirements is sufficient.

  • Public-facing informational websites
  • Course listings and prerequisites
  • Public event calendars
  • Hours of operation
  • Parking regulations
  • Press releases
  • Published research

Data Classification Table - Availability Levels

 

Each Availability Level below lists its Adverse Business Impact, its Definition, and Examples (not an exhaustive list). Examples may be updated in response to changes in UC systemwide policy and UC Berkeley campus-level risk decisions.

Availability Level A4
Adverse Business Impact: High

Definition: Loss of Availability would have a significant business impact to the Campus, a Campus Unit, and/or essential services. It may also cause serious financial losses. IT Resources that are required to be available by statutory, regulatory and/or legal obligations fall into this risk level. Critical IT Infrastructure also falls into this category.

  • Central Campus authentication systems
  • Student learning management system
  • Backup data systems for A4 resources
  • Central system management consoles
  • Core network services, e.g. DNS, border/core routing, and firewalls
  • Enterprise email 
  • Financial, accounting, and payroll systems
  • Building access systems
  • Medical records system
  • IT infrastructure and industrial control systems affecting life and safety (e.g. emergency 911 location system)

Availability Level A3
Adverse Business Impact: Moderate

Definition: Loss of availability would result in moderate financial losses and/or reduced customer service.

  • Event ticketing systems
  • Point-of-sale (POS) systems
  • Campus time reporting system
  • Issue tracking systems
  • Security logs
  • Building management systems
  • File servers supporting business operations
  • Operational knowledge base
  • Clinical trial management system
  • Medical devices supporting diagnostics
  • Industrial control systems affecting operations
  • Collaboration services such as calendaring, file sharing, code repositories

Availability Level A2
Adverse Business Impact: Low

Definition: Loss of availability may cause minor losses or inefficiencies.

  • Departmental websites
  • Student life management system
  • Staff learning management system
  • Informational knowledge base

Availability Level A1
Adverse Business Impact: Minimal

Definition: Loss of availability poses minimal impact or financial loss.

  • Individual workstations, laptops, and other mobile devices
  • Public directory
  • Copy machines or printers

V. Additional Information

Statutory Requirement for Notification

See definition in UC Berkeley’s Information Security Policy Glossary.

The following registration and approval requirements apply to information with a statutory requirement for notification (“Notice Triggering” information):

VI. Responsibilities

The following roles have key responsibilities related to this Standard. Details are available in UC Berkeley’s Roles and Responsibilities Policy Draft.

  • Institutional Information and IT Resource Proprietors
  • Researchers
  • Service Providers
  • Unit Heads
  • Workforce Members

VII. Related Documents and Policies 


 

Change Log

  • Oct. 11, 2019: Draft posted on Information Security Office website
  • Nov. 7, 2019: Updates endorsed by Information Risk Governance Committee
  • Nov. 27, 2019: Clarification on passport data classification added
  • Dec. 12, 2019: Clarification on P2 de-identified human subject or patient information added
  • Jan. 20, 2020: Clarification on P4 human subject and human genetic information added; clarification on P4 and P2 high risk export controlled data or technology added