UCSF Policy 650-16 Addendum F, UCSF Data Classification Standard

Policy Type: Standard
Source document: data_classification_standard_v1_final.pdf

Document Owner: Patrick Phelan
Department Contact: UCSF IT Security
Issue Date: 4/24/17
Effective Date: 4/24/17
Reviewed/Revised Date: 4/20/17

Purpose:

The purpose of this Data Classification Standard is to direct the method for classifying UCSF’s electronic data. This document demonstrates UCSF’s determination of the Protection Levels of each classification of UCSF data in compliance with UC Business and Finance Bulletin IS-2 Inventory, Classification, and Release of University Electronic Information.

Overview and Scope:

This standard applies to all electronic data managed and owned by UCSF, wherever it may be stored. Data storage locations may include, but are not limited to, data centers, data accessed by or stored remotely on electronic devices, and UCSF data that is stored with contracted third parties including Business Associates, cloud service providers, vendors, contractors, and temporary staff.

This data classification methodology in no way supersedes any state or federal government classifications assigned contractually or otherwise.

UCSF electronic data shall be classified according to the Data Classification Model described in this standard. The Data Classification Model will be used to determine the appropriate data classification for UCSF electronic data created, maintained, processed, or transmitted utilizing electronic resources. Under this model data will be classified in accordance with external regulatory, internal regulatory, and other contractual requirements, and in accordance with the potential adverse impact of loss, theft, or unavailability of the data.

In the event a specific set of electronic data is classified as fitting within a combination of two or more of the data classifications, that data shall be managed according to the most restrictive and/or highest applicable data classification.

In the event a specific set of electronic data does not fit into the current Data Classification Model, please contact the Data Security Compliance Program (DSCP) manager for the determination of the appropriate data classification. DSCP shall review the Data Classification Model at least annually and update as needed to include additional data types.

Business Impact:

Considerations for evaluating the potential adverse business impact to UCSF due to loss or compromise of the electronic data’s confidentiality or integrity include:
• Loss of critical UCSF operations
• Negative financial impact (actual money lost, lost opportunities, value of the data itself)
• Damage to UCSF’s reputation
• Potential for regulatory or legal action
• Violation of UCSF’s missions, policies, or principles
• Requirement for corrective action or repairs

Data Classification Model:

Restricted Data
UCOP Protection Level: P4 - High
Policy & Legal Requirements: Protection of data is required by federal or state law or regulation, or contractual obligation, and may be subject to data breach notification requirements. UCSF Minimum Security Standards apply.
Access: Only authorized individuals with approved access; signed confidentiality, non-disclosure, and/or other applicable agreement as permitted by law; and a business need to know.
Adverse Business Impact Statement: High adverse impact (regulatory or legal action; violations of UCOP or UCSF policies and principles; UCSF’s reputation; UCSF’s finances; UCSF critical operations).
Data Types: Personally Identifiable Information (PII); Protected Health Information (PHI); Research Health Information (RHI); Payment Card Industry (PCI) Data; Confidential Security Information; Licensed Proprietary IP and Product Development Information.

Sensitive Data
UCOP Protection Level: P3 - Moderate
Policy & Legal Requirements: Protection of data is required by the data owner or other confidentiality agreement, and may be required by federal or state law or regulation or by policy. UCSF Minimum Security Standards apply.
Access: Only authorized individuals with approved access and a business need to know.
Adverse Business Impact Statement: Moderate adverse impact (regulatory or legal action; violations of UCOP or UCSF policies and principles; UCSF’s reputation; UCSF’s finances; UCSF critical operations).
Data Types: University Intellectual Property; Employee Information; Sensitive Faculty Activities; Student Information; Donor Information; Current Litigation/Investigation Materials; Contracts; Physical Building Designs; Financial Information.

Internal Data
UCOP Protection Level: P2 - Low
Policy & Legal Requirements: Data may not be specifically protected by federal or state law or contractual obligation but are generally not intended for public use or access. Protection of data is governed by University policy. UCSF Minimum Security Standards apply.
Access: Intended audience for data access under the design of the system.
Adverse Business Impact Statement: Low adverse impact.
Data Types: Public Directory Information; Routine Business Records and Email.

Public Data
UCOP Protection Level: P1 - Minimal
Policy & Legal Requirements: Protection of data is governed by University policy. UCSF Minimum Security Standards apply.
Access: Data intended to be readily obtainable by the public.
Adverse Business Impact Statement: Minimal adverse impact.
Data Types: Research Using Publicly Available Data; Public-facing Websites; Published Research; Maps; Press Releases; Course Catalogs; Parking Regulations.

Restricted Data Types:

1. Personally Identifiable Information (PII)

  1. PII is protected by federal and state laws and regulations, including federal regulations administered by the U.S. Department of Homeland Security (DHS), and is defined by DHS as “any information that permits the identity of an individual to be directly or indirectly inferred, which if lost, compromised, or disclosed without authorization could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.” PII must be protected prior to release in accordance with the Public Records Act or other disclosures required by law.
  2. PII includes but is not limited to the following:

1. Any of the following stand-alone elements:

  1. Full Social Security Number (SSN)
  2. Driver's license or State ID number
  3. Passport number
  4. Visa number
  5. Alien Registration Number
  6. Fingerprints or other biometric identifiers

2. Full name in combination with any of the following elements:

  1. Mother's maiden name
  2. Date of birth
  3. Last 4 digits of SSN
  4. Citizenship or immigration status
  5. Ethnic or religious affiliation
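The two PII tests above (a stand-alone element on its own, or a full name paired with one of the combination elements) and the "most restrictive classification wins" rule from Overview and Scope, as an added worked example in Python. This is illustrative code, not part of the UCSF standard: the field names (`ssn`, `office_phone`, `grade`, and so on) and the mapping of the non-PII fields onto the model's data types are assumptions chosen for the example, and the sample record is constructed.

```python
"""Worked example (added, not part of the UCSF standard): apply the PII
tests and the most-restrictive-classification rule to a record's fields.

Field names such as "ssn" or "office_phone" are assumed labels chosen for
this example; a real deployment would map its own schema onto them.
"""
from typing import Dict, Iterable, List, Optional

# Classification levels from the model, ordered so that max() yields the
# most restrictive one (combined data is managed at the highest level).
LEVELS = {"Public": 1, "Internal": 2, "Sensitive": 3, "Restricted": 4}
UCOP_LEVEL = {"Public": "P1 - Minimal", "Internal": "P2 - Low",
              "Sensitive": "P3 - Moderate", "Restricted": "P4 - High"}

# PII stand-alone elements: any one of these alone makes the data Restricted.
PII_STANDALONE = {"ssn", "drivers_license", "state_id", "passport_number",
                  "visa_number", "alien_registration_number", "biometric"}
# PII combination elements: Restricted only when paired with the full name.
PII_WITH_NAME = {"mothers_maiden_name", "date_of_birth", "ssn_last4",
                 "citizenship_status", "immigration_status",
                 "ethnic_affiliation", "religious_affiliation"}

# Assumed mapping of the other example fields onto the model's data types.
FIELD_CLASS = {
    "full_name": "Internal",         # Public Directory Information
    "office_phone": "Internal",      # Public Directory Information
    "position_title": "Internal",    # Public Directory Information
    "grade": "Sensitive",            # Student Information
    "credit_rating": "Sensitive",    # Financial Information
    "account_balance": "Sensitive",  # Financial Information
    "press_release": "Public",       # Press Releases
}


def most_restrictive(classifications: Iterable[str]) -> str:
    """Pick the highest classification present (the standard's combination rule)."""
    return max(classifications, key=LEVELS.__getitem__)


def classify_fields(fields: Iterable[str]) -> Dict[str, object]:
    """Classify a record by the field names it carries.

    Returns the resulting classification and UCOP level, plus any field the
    example does not know how to classify (the standard says to refer those
    to the DSCP manager rather than guess).
    """
    names = {f.lower() for f in fields}
    classes: List[str] = []
    unclassified: List[str] = []

    # Stand-alone PII elements are Restricted on their own.
    if names & PII_STANDALONE:
        classes.append("Restricted")
    # Combination elements count as PII only together with the full name.
    if "full_name" in names and names & PII_WITH_NAME:
        classes.append("Restricted")

    for name in sorted(names):
        if name in FIELD_CLASS:
            classes.append(FIELD_CLASS[name])
        elif name not in PII_STANDALONE and name not in PII_WITH_NAME:
            unclassified.append(name)

    classification: Optional[str] = most_restrictive(classes) if classes else None
    return {
        "classification": classification,
        "ucop_level": UCOP_LEVEL[classification] if classification else None,
        "unclassified_fields": unclassified,
    }


if __name__ == "__main__":
    # Constructed sample record: directory data plus a name/date-of-birth pair
    # and one field the example has no rule for.
    record = ["full_name", "office_phone", "date_of_birth", "widget_color"]
    print(classify_fields(record))
```

Note that `date_of_birth` next to `office_phone` but without `full_name` stays Internal, while adding `full_name` lifts the whole record to Restricted (P4 - High): the name-plus-element test, not the presence of the individual element, is what triggers PII handling, and the record as a whole then takes the highest level present.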

2. Protected Health Information (PHI)

  1. PHI is protected by the federal Health Insurance Portability and Accountability Act (HIPAA) and includes all individually identifiable health information, held or transmitted by a Covered Entity or its business associate, that relates to the health or health care of an individual, and specifically includes but is not limited to the following:
    1. Information about an individual’s past, present, or future physical or mental health condition, or provision of and/or payment for healthcare to the individual, which includes at least one of the following identifiers:
      1. Names
      2. All geographic subdivisions smaller than a state, except for the initial three digits of the zip code if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people
      3. All elements of dates, except year, and all ages over 89 or elements indicative of such age
      4. Telephone numbers
      5. Fax numbers
      6. Email addresses
      7. Social security numbers
      8. Medical record numbers
      9. Health plan beneficiary numbers
      10. Account numbers
      11. Certificate or license numbers
      12. Vehicle identifiers and serial numbers, including license plate numbers
      13. Device identifiers and serial numbers
      14. Web Universal Resource Locators (URLs)
      15. Internet Protocol (IP) addresses
      16. Biometric identifiers, including finger and voice prints
      17. Full face photographs and any comparable images
      18. Any other unique, identifying number, characteristic, or code, except as permitted for re-identification in the Privacy Rule

3. Research Health Information (RHI)

  1. Research health information is individually identifiable health information collected outside of the covered entity setting (i.e., the researcher is acting solely as a researcher with no clinical interaction, and the data is collected outside of UCSF’s HIPAA covered entity providers).

4. Payment Card Industry (PCI) Data

  1. PCI Data is data subject to the Payment Card Industry Data Security Standard (PCI DSS), developed by the PCI Security Standards Council and adhered to by the University, and includes but is not limited to the following:
    1. Cardholder Data:
      1. Primary Account Number (PAN)
      2. Cardholder name
      3. Service code
      4. Expiration date
    2. Sensitive Authentication Data:
      1. Full magnetic stripe data
      2. CAV2/CVC2/CVV2/CID
      3. PIN/PIN Block

5. Confidential Security Information

  1. Information descriptive of the specific security measures that safeguard restricted (confidential or personal) information resources represents a special class of information that should be protected from unauthorized access or disclosure. Such information – whether hardware configurations, management controls or security practices, or procedures employed – could provide a roadmap for malicious individuals to attack University applications, systems, and networks. Confidential security information includes but is not limited to the following:
    1. Documentation of known or potential vulnerabilities and risks
    2. Results of security scans and assessments
    3. Implementation/configuration details for security devices and tools (e.g. specific software version numbers, network diagrams, vendor definition updates, and software modules)
    4. Implementation/configuration details for systems that provide security services for restricted data types. Security services include services which ensure confidentiality, integrity, and availability for other systems (e.g. authentication systems, VPNs, systems management consoles, backup systems, credential stores, data loss prevention systems, system inventories, and encryption)
    5. Firewall and intrusion detection system logs
    6. Private credentials used to authenticate users, processes, and systems
    7. Security incident documentation (e.g. indicators of compromise, remediation plans, remediation efforts, data identification analysis, documentation of malicious presence in the environment, and forensic analysis)
    8. Permission attributes identifying the resources to which an individual has access

6. Licensed Intellectual Property and Product Development Information

  1. Licensed intellectual property and product development information is third party confidential information licensed to outside industries to the extent of identifying the products or services the third party (typically pharma and biotech industries) is developing with UCSF, and the third party’s commercialization plans for those products and services. Licensed intellectual property and product development information includes but is not limited to the following:
    1. Medical indication for which the third party is developing the product
    2. Information identifying the chemical structure of a lead therapeutic candidate in development
    3. Financial terms of the license
    4. Proprietary company information relating to existing products in the industry partner’s pipeline
    5. Information relating to the product development timeline

Sensitive Data Types:

1. University Intellectual Property

  1. University intellectual property relates to creations of the mind and includes electronic data which the University may patent or gain from financially through intellectual property commercialization partnerships and commercial entities. University intellectual property includes patents, copyrights, trademarks, and trade secrets, but does not include copyrighted materials which are publicly available.

2. Employee Information

  1. Employee information is managed by Human Resources or Academic Personnel, protected by state or federal laws and regulations, including regulations of the United States Department of Labor, and is data directly associated with an employee or applicant for employment, which must be protected prior to release in accordance with applicable policy and law. Employee information includes but is not limited to the following:
    1. Contents of employment applications, other than Personally Identifiable Information (PII)
    2. Personnel files
    3. Performance evaluations
    4. Benefits information

3. Sensitive Faculty Activities

  1. Sensitive faculty activities include information about the teaching, research, and service activities of UCSF faculty. Sensitive faculty activities include but are not limited to the following:
    1. Academic research or teaching activities involving use of live animal research subjects, or other controversial matters
    2. Academic research or teaching activities involving control of hazardous materials, or technology which presents a high risk of harm to persons or property
    3. Academic service activities involving affiliation with an organization which, if made known to the general public may result in risk of bodily or other harm to the individual

4. Student Information

  1. The Family Educational Rights and Privacy Act (FERPA) protects from disclosure most records that are directly related to a student and that are maintained by UCSF or a party acting for UCSF. Student information includes but is not limited to the following:
    1. Grades, exam papers, and test scores
    2. Class lists
    3. Student course schedules
    4. Evaluations and disciplinary records
    5. Student financial records
    6. Directory information for students who have requested that information about them not be released as public information
    7. Employment records of a student, if the student's employment is contingent upon the fact that he or she is a student

5. Donor Information

  1. Donor Information is information about financial asset donations that have a stated purpose at the behest of the donor, and includes but is not limited to:
    1. Donor's full name
    2. Donor contact information
    3. Securities donated
    4. Real estate donations
    5. Planned giving arrangements
    6. Amount/value donated

6. Current Litigation/Investigation Materials

  1. Current litigation materials are electronically stored information that pertains to a current litigation hold implemented by UCSF’s Office of General Counsel. These materials include but are not limited to:
    1. Word, Excel, PowerPoint, or other office application documents
    2. PDF documents
    3. E-mail
    4. Calendar items
    5. Electronic voice mail
    6. USB drives

7. Contracts

  1. Contracts are electronic copies of agreements, to which UCSF is a party, creating obligations enforceable by law. Electronic contracts include but are not limited to the following formats:
    1. Word documents
    2. PDFs
    3. Scanned images

8. Physical Building Designs

  1. Physical building designs are defined as detailed floor plans, architectural drawings, or other renderings that show restricted areas, animal care facilities, mechanical spaces, or other spaces in the buildings not considered accessible for public use. Physical building designs include but are not limited to the following formats:
    1. Office documents (Visio, Word, etc.)
    2. AutoCAD
    3. PDFs
    4. Images
    5. Videos

9. Financial Information

  1. Financial information includes monetary facts about UCSF and/or other parties who participate in financial transactions with UCSF that are used in billing, credit assessment, loan transactions, and other similar activities, that must be protected prior to release in accordance with the California Public Records Act or other disclosures required by law. Financial Information includes but is not limited to:
    1. Taxpayer identification numbers
    2. Credit ratings
    3. Account numbers
    4. Account balances

Internal Data Types:

1. Public Directory Information

  1. Public directory information includes information about academic personnel, staff personnel, and students that is designated as public information in accordance with UCOP policy, and includes but is not limited to the following:
    1. Non-Personal Academic Personnel Information:
      1. Name
      2. Date of hire or separation
      3. Current position title
      4. Current rate of pay
      5. Organization unit assignment including office address and telephone number
      6. Full-time, part-time, or other employment status
    2. Staff Personnel Records Designated as “Public Information”
      1. Name
      2. Date of hire
      3. Current position title
      4. Current salary
      5. Organizational unit assignment
      6. Date of separation
      7. Office address and office telephone number
      8. Current job description
      9. Full-time or part-time, and appointment type
    3. Public Student Directory Information (unless a student notifies UCSF in writing or via electronic procedures that any or all of these may not be disclosed (FERPA block))
      1. Name
      2. Address (local and/or permanent)
      3. E-mail address
      4. Telephone numbers
      5. Date and place of birth
      6. Field(s) of study
      7. Dates of attendance
      8. Grade level
      9. Enrollment status
      10. Number of course units in which enrolled
      11. Degrees and honors received
      12. Most recent previous education institution attended
      13. Photo
      14. Participation in officially recognized activities, including athletics
      15. For participants on intercollegiate University athletic teams: name, weight, and height