Data Classification and Protection Profiles

PLEASE NOTE:
This page is currently under review and is being updated by the Information Security Office. If you have questions contact us at security.berkeley.edu. 

Matching Data with IT Services

The Berkeley Data Classification Standard and its associated Protection Profiles are designed to match campus data with IT services that provide an appropriate level of protection for that data.

This framework helps answer questions such as:

  • What kinds of data require extra security protections?
  • Where can I store data that requires extra security protection?
  • What service providers (on or off-campus) are appropriate for my data/system?
  • What kind of data is under my custodianship?
  • Can I host sensitive/notice-triggering data?
  • What security controls are required for sensitive data?

Data Classification Standard and Protection Profiles

The Berkeley Data Classification Standard groups data into one of four data protection levels based on data sensitivity, where sensitivity is measured by the level of adverse business impact that a breach of confidentiality would cause.

The Minimum Security Standard for Electronic Information (MSSEI) specifies the controls required to protect the integrity and confidentiality of Berkeley campus data. MSSEI implementation requirements vary with the data protection level of the data and with the device/use category of the system that handles it.

The Minimum Security Standard for Networked Devices (MSSND) is required for all devices, including those that do not handle institutional data.

Data Registration

All covered systems and data must be inventoried and then registered with the Information Security Office, as required by MSSEI 1.2 and MSSEI 1.3.

Are you unsure about the data classification of a certain data set or system? Follow these steps:

  1. Review the Berkeley Data Classification Standard to see if your data set is covered and read any corresponding requirements.
  2. If you are still unsure after reviewing the standard, email the IT Policy office with your classification question. Include as much detail as possible, such as the items below, but do not include any real, sensitive data records in the request:
    • Source and owner of the data set
    • Full list of data elements in question
    • Approximate number of records
    • Any potential external compliance requirements for the data set (e.g. HIPAA, CPHS, FISMA, FERPA)

Resource Proprietor Approval

All Berkeley systems require a Berkeley Campus Administrative Official to accept the role of Resource Proprietor for the system.

Resource Proprietors have multiple responsibilities defined in UC Business and Finance Bulletin IS-3 and in the Berkeley Minimum Security Standard for Electronic Information. These responsibilities include classifying the data and systems for which they are responsible and educating users of those data and systems about their role in protecting information. (See MSSEI 15.3 Data Access Agreement Guidelines.)

UC Business Finance Bulletin IS-2.IV.C.1

Resource proprietors are those individuals responsible for information resources and processes supporting University functions. This includes individuals who create the information, such as the owner of intellectual property. Resource proprietors should establish and review procedures to ensure compliance with federal or state regulations or University policy. 
Resource proprietors are responsible for ensuring that University Resources are used in ways consistent with the mission of the University as a whole. The Resource Proprietor should ensure that recipients of restricted information are informed that appropriate security measures must be in place before restricted information is transferred to the destination system. Resource proprietors must also register their data accurately and completely and annually review, update and renew their system registration (see MSSEI 1.2 and 1.3).

Resource Proprietors are responsible for:

  • ensuring the inventory and classification of information for which they have responsibility,
  • in consultation with the Resource Custodian, determining the level of risk and ensuring implementation of appropriate security controls to address that risk,
  • approving requests for access, release, and disclosure of information, and
  • ensuring appropriate security awareness training for individuals they authorize to access information. 


For more information, email the IT Policy office.