New Data Protection Levels for UC Institutional Information (data)
Per campus announcement in September (https://news.ucsc.edu/2018/09/policy-info-security.html) UC systemwide has recently completed a multi-year effort to review and revamp the Electronic Information Security policy (https://policy.ucop.edu/doc/7000543/BFB-IS-3). This updated policy includes a new classification method for university data and resources.
The Classification of Information and IT Resources standard is available here: https://security.ucop.edu/policies/institutional-information-and-it-resource-classification.html
The new data classification system will replace restricted and confidential terminology. While we are transitioning to the new classification system, Information Security will continue to support systems and processes using the restricted/confidential terms and Protection Levels. What is important at this point is to familiarize yourself with the new data classification methodology.
Previous
UCSC has previously used three tiers to define data:
- Restricted
- Confidential
- Public
Current
UCSC will now use a structure with four Protection Levels to define data:
- P4 - High level of protection
- P3 - Moderate level of protection
- P2 - Low level of protection
- P1 - Minimal level of protection
Why is this important?
The protection and availability levels help to scope the controls that need to be in place to ensure confidentiality, integrity and availability of our Institutional Information and IT resources.
How do I protect UC data?
First, understand the Protection Level for the data. It is important to classify the information accurately so that appropriate compliance requirements can be identified. Under-classification may result in inadequate protections that could lead to data breaches. Apply compliance requirements as outlined in UC or campus policy, law, regulation or contract.
Contact ITS with any questions or for guidance on protecting data. See the data classification web page for more information about Protection Levels, how to classify data and examples of P1-P4 Institutional Information.