Data Resource Classification

The IS-3 Electronic Information Security policy outlines the appropriate classification of Institutional Information and IT Resources to ensure their confidentiality, integrity and availability. These classifications are known as Protection Level and Availability Level. The classifications help to scope the controls and security requirements for of Institutional Information and IT resources.


Definitions

To better understand the classifications, there are some key words and phrases UCSC employees should know:

Proprietor:  Establishes and documents rules for use of, access to, approval for use of and removal of access to the Institutional Information related to their area of responsibility. Assumes overall responsibility for establishing the classification levels, access to and release of a defined set of Institutional Information.

Institutional Information: A term that broadly describes all data and information created, received and/or collected by the university. Examples of Institutional Information include documents, records, video recordings, databases, log files and all other data in electronic form.

IT Resource: A term that broadly describes IT infrastructure, software and/or hardware with computing and networking capability. This includes both UC-owned and personally owned devices while they store Institutional Information, are connected to UC systems, are connected to UC Networks or are used for UC business. Examples of IT Resources include personal and mobile computing devices, mobile phones, printers and other devices (both personally owned and UC-owned) that connect to any UC network.

Unit Information Security Lead (UISL): Responsible for supporting Proprietors in the determination of the Protection and Availability Level of Institutional Information and IT Resources under their area of responsibility. 


Classifying Institutional Information and IT Resources

The classification process is outlined in the Institutional Information and IT Resource Classification Standard.

Protection Level

All UC Institutional Information and IT Resources must be assigned one of four Protection Levels based on confidentiality and integrity requirements, with P4 requiring the highest level of protection and P1 requiring a minimal level of protection. 

Proprietors, with the support of their Security Subject Matter Experts (SMEs) and Unit Information Security Leads (UISLs), are responsible for determining the Protection Level for Institutional Information and IT Resources under their area of responsibility. ITS at UCSC has a Protection Level page for quick reference.

Availability Level

All UC Institutional Information and IT Resources must be assigned one of four Availability Levels based on the level of business impact that their loss of availability or service would have on UC, with A4 causing the highest level of impact and A1 causing a minimal level of impact. 

Proprietors, with the support of their Security Subject Matter Experts (SMEs) and Unit Information Security Leads (UISLs), are responsible for determining the Availability Level for Institutional Information and IT Resources under their area of responsibility. ITS at UCSC has an Availability Level page for quick reference.

Contact the ITS Support Center if you need assistance with IT security or IT policy.