Data and IT Resource Classification Standard

The UC Berkeley Data and IT Resource Classification Standard is issued under the authority vested in the UC Berkeley Chief Information Officer by the UC Business and Finance Bulletin IS-3 Electronic Information Security (UC BFB IS-3), and in the Campus Cyber-risk Responsible Executive (CRE) by the UC Business and Finance Bulletin IS-12, IT Recovery (UC BFB IS-12).

Issue Date: November 7, 2019 (version 2); revised June 13, 2024. Originally issued July 16, 2012 (version 1)
Effective Date: November 7, 2020 for Protection Levels; July 1, 2022 for Availability Levels; December 31, 2024 for Recovery Levels.

Responsible Executive: Associate Vice Chancellor for Information Technology and Chief Information Officer
Responsible Office: Information Security Office
Contact: Information Security Policy Manager, security-policy@berkeley.edu

I. Overview

The UC Berkeley Data and IT Resource Classification Standard is UC Berkeley’s implementation of the UC Systemwide Institutional Information and IT Resource Classification Standard, and Recovery Level classification from IS-12.

UC BFB IS-3 establishes that all Institutional Information and IT Resources must be protected according to their Protection (P) Level and Availability (A) Level classifications. This Standard is a framework for assessing the adverse impact that loss of confidentiality, integrity or availability of Institutional Information and IT Resources would have upon the Campus. It provides the foundation for establishing security requirements for each classification level.

UC BFB IS-12 establishes Recovery Level (RL) to guide IT Recovery planning and preparation for IT Resources. At UC Berkeley, Recovery Level classification is required for non-research IT Infrastructure and Services to which IS-12 applies.

Summary definitions and examples are included in the classification tables below. Full definitions and additional examples for Protection Level and Availability Level are available in the UC Systemwide Classification Standard and Guides. Additional, UC Berkeley-specific guidance is available in the Campus Data and IT Resource Classification Guideline. See IS-12 and the Campuswide IT Recovery Implementation website for Recovery Level classification guidance beyond the information in this Standard.

II. Scope

The Berkeley Data and IT Resource Classification Standard covers UC Berkeley Institutional Information and IT Resources. This Standard does not apply to Individually-Owned Data, which is defined as an individual’s own personal information that is not considered Institutional Information

Note: Classification does not alter public information access requirements. California Public Records Act or Federal Freedom of Information Act requests and other legal obligations may require disclosure or release of information from any category.

III. Definitions

Definitions of Key Terms (capitalized and italicized) used in this Standard are included in UC Berkeley’s Information Security Policy Glossary

IV. Classification Levels

Business Impact

Considerations for evaluating potential adverse impact to UC Berkeley due to loss of data or resource confidentiality, integrity, or availability include:

Loss of critical Campus operations
Negative financial impact (money lost, lost opportunities, value of the data)
Damage to the reputation of the Institution
Risk of harm to individuals (such as in the case of a breach of personal information)
Potential for regulatory or legal action
Requirement for corrective actions or repairs
Violation of University of California or UC Berkeley mission, policy, or principles

Protection Level Classification Table

Proprietors may raise Protection Levels for a specific use case. An exception is required to lower a published Protection Level. Please contact the Information Security Office if an item below appears to be misclassified, or if you are unable to determine a Protection Level.

Classification	Adverse Business Impact	Definition	Examples (not an exhaustive list) May be updated in response to changes in UC systemwide policy and UC Berkeley campus-level risk decisions.
Protection Level P4 (formerly UCB PL2 and PL3)	High	Institutional Information and related IT Resources that require notification to affected parties in case of a confidentiality breach. This category also includes data and systems that create extensive "Shared-Fate" risk, where a compromise would cause further and extensive compromise among multiple (even unrelated) sensitive systems. Unauthorized disclosure or modification of P4 data or resources could result in significant fines or penalties, regulatory action, or civil or criminal violations. There is also an inherent significant risk to UC reputation and business continuity, along with harm or impairment to UC students, patients, research subjects, employees, or guests/program participants.	Data or systems that create extensive "Shared-Fate" risk between multiple sensitive systems, e.g., enterprise credential stores such as the CalNet credential database; Domain Name Service (DNS). This can include both campuswide and unit-level systems. Data elements with a Statutory Requirement for Notification to affected parties in case of a confidentiality breach, such as: Government issued identification numbers: Social Security number (SSN), Driver's license number, California ID card number, Tax ID number, passport number, military ID number, other government-issued ID numbers Financial account numbers, credit or debit card numbers and financial account security codes, access codes, or passwords Personal medical information, including protected health information (PHI) covered under HIPAA Personal health insurance information Biometric data used for authentication purposes, including facial recognition A username or email address, in combination with a password or security question and answer that would permit access to an online account Genetic data as defined by California AB-825 (effective 1/1/2022) General Data Protection Regulation (GDPR) "special categories" of identifiers (Article 9). Passwords, PINs and passphrases, or other authentication secrets that can be used to access P4 information or to manage P4 IT Resources Federal Controlled Unclassified Information (CUI) Personally Identifiable information about loans (including student loans), federally funded student financial aid, and any other financial aid that requires repayment Official financial, accounting, and payroll systems of record and authoritative source systems; also systems that handle and process financial transactions, and the account codes, account numbers, PINs, etc. necessary to make the transactions Individually identifiable human subject research data containing P4 data elements, or that the Institutional Review Board (IRB) or Campus Privacy Office determines is high risk/P4 Human genomic data subject to GDPR or HIPAA (regardless of de-identification status) High risk export controlled data or technology (DoE 10 CFR Part 810, high-risk EAR/ITAR). Contact the Export Control Office for a determination. Industrial Control Systems affecting life and safety individually identifiable criminal background check information
Protection Level P3 (formerly UCB PL1)	Moderate	Institutional Information and IT Resources whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in moderate fines, penalties, or civil actions. This classification level also includes lower risk items that, when combined, represent an increased risk. Unauthorized disclosure or modification of P3 data or resources could result in legal action, harm the privacy of a group, cause moderate financial loss, or contribute to reputational damage.	500 or more records of personally identifiable information not specifically classified elsewhere in this Standard Personal information as defined in the European General Data Protection Regulation (GDPR) or China’s Personal Information Protection Law (PIPL) regardless of record count. Must not include GDPR "special categories" of identifiers (Article 9) - see P4 section FERPA-Protected Student Records not containing P4 information. Does not include: P2 Public Directory Information Student IDs with no additional identifying or FERPA-protected information -OR- student email addresses with no additional identifying or FERPA-protected information Security camera recordings, body-worn video system recordings, and cameras recording cash handling or payment card handling areas Building entry records Individually identifiable location data that tracks an individual's movement or building/room-level location Animal research protocols, and data related to animal researchers and members of the Animal Research Committee Attorney-Client Privileged Information Individually identifiable human subject research data not containing P4 data elements and that the IRB or Campus Privacy Office have not determined is high risk. This includes human genomic data that can be re-identified using publicly available data. Low risk export controlled data or technology (EAR/ITAR). Contact the Export Control Office for a determination. IT security information, exception requests and system security plans Staff and academic Personnel Records not containing P4 information. Does not include P2 Public Directory Information Medical devices supporting diagnostics (not containing P4 information) Industrial control systems affecting operations
Protection Level P2 (formerly UCB PL0 and PL1)	Low	Institutional Information and IT Resources that may not be explicitly protected by statutes or other contractual regulations, but are not commonly intended for public use or access and should only be accessed on a need-to-know basis. Unauthorized disclosure or modification of P2 data could result in minor damage or small financial loss, or cause a minor impact on the privacy of an individual or group.	Information intended for release only on a need-to-know basis, including personal information not otherwise classified as P1, P3 or P4 Non-P3/P4 data protected or restricted by contract, grant, or other agreement terms and conditions De-identified human subject or patient information (with negligible re-identification risk and no Notice-Triggering data elements) that the IRB or Campus Privacy Office have not determined is considered P3 or P4 Routine email and business records not containing P3 or P4 information Exams (questions and answers) Calendar information not containing P3 or P4 information Meeting notes not containing P3 or P4 information Non-public research using publicly available data UCPath Employee ID Public Directory Information for faculty, staff, and students who have not requested a FERPA block Licensed software/software license keys Library paid subscription electronic resources
Protection Level P1 (formerly UCB PL0)	Minimal	Information intended for public access, but whose integrity is important. For P1, unauthorized modification is the primary protection concern. The application of minimum security requirements is sufficient.	Public-facing informational websites Course listings and prerequisites Public event calendars Hours of operation Parking regulations Press releases Published research

Availability Level Classification Table

Proprietors may raise or lower the Availability Level based on use case. An exception is not required for Availability Level changes. Please contact the Information Security Office if an item below appears to be misclassified, or if you are unable to determine an Availability Level.

Classification	Adverse Business Impact	Definition	Examples (not an exhaustive list) May be updated in response to changes in UC systemwide policy and UC Berkeley campus-level risk decisions.
Availability Level A4	High	Definition: Loss of Availability would have a significant business impact to the Campus, a Campus Unit, and/or essential services. It may also cause serious financial losses. IT Resources that are required to be available by statutory, regulatory and/or legal obligations fall into this risk level. Critical IT Infrastructure also falls into this category.	Central Campus authentication systems Student learning management system Backup data systems for A4 resources Central system management consoles Core network services, e.g. DNS, border/core routing, and firewalls Enterprise email Official financial, accounting, and payroll systems of record and authoritative source systems; also systems that handle and process financial transactions, and the account codes, account numbers, PINs, etc., necessary to make the transactions Building access systems Medical records system IT infrastructure and industrial control systems affecting life and safety (e.g. emergency 911 location system) Campus procurement system Campus time reporting system
Availability Level A3	Moderate	Definition: Loss of availability would result in moderate financial losses and/or reduced customer service.	Event ticketing systems Point-of-sale (POS) systems Issue tracking systems Security logs Building management systems File servers supporting business operations Operational knowledge base Clinical trial management system Medical devices supporting diagnostics Industrial control systems affecting operations Collaboration services such as calendaring, file sharing, code repositories
Availability Level A2	Low	Definition: Loss of availability may cause minor losses or inefficiencies.	Departmental websites Student life management system Staff learning management system Informational knowledge base
Availability Level A1	Minimal	Definition: Loss of availability poses minimal impact or financial loss.	Individual workstations, laptops, and other mobile devices Public directory Copy machines or printers

Recovery Level Classification Table

Recovery Levels are identified in partnership between the IT Resource Proprietor(s) and the Service Provider, and are based on the functional requirements of the service. For questions about the interpretation of IS-12 or the application of Recovery Levels at UC Berkeley, please visit the Campuswide IT Recovery Implementation website.

Classification	Adverse Business Impact	Definition	Examples (not an exhaustive list) May be updated in response to changes in UC systemwide policy and UC Berkeley campus-level risk decisions.
Recovery Level R5	Very High	15 minutes	Core technology and infrastructure Examples include: campus-wide authentication service, campus-wide key card access, campus-wide networking, Enterprise storage systems
Recovery Level R4	High	Up to 6 hours	Critical 1 - Life/safety/alternatives not sustainable Examples include: VPN services, reporting platforms, CRM systems, animal life/safety, electronic medical record (EMR) system
Recovery Level R3	Moderate	Up to 24 hours	Critical 2 - Alternatives sustainable up to 24 hours Examples include: campus financial systems, HR systems, campus Zoom, campus website
Recovery Level R2	Low	Up to 5 days	Necessary Examples include: Research storage systems, departmental informational websites
Recovery Level R1	Minimal	Up to 30 days	Deferrable Examples include: productivity tracking tools (depending on use case), internal library staff applications, museum archives

V. Additional Information

Statutory Requirement for Notification

See definition in UC Berkeley’s Information Security Policy Glossary

The following registration and approval requirements apply to information with a statutory requirement for notification (“Notice-Triggering” information):

Campus Credit Card Coordinator approval is required to handle credit card transactions.
Storage, transmission or use of Notice-Triggering data requires registration in the campus asset registration portal.

VI. Responsibilities

The following roles have key responsibilities related to this Standard. Details are available in UC Berkeley’s Roles and Responsibilities Policy unless otherwise noted

Institutional Information and IT Resource Proprietors
Researchers
Service Providers
Unit Heads
Unit Information Security Lead
Unit IT Recovery Leads (applies to Recovery Level only - see IS-12, Sec. V, for details)
Workforce Members

VII. Related Documents and Policies

Change Log

July 16, 2012 - version 1: Original issue date
Apr. 22, 2013: Administrative revision
Nov. 7, 2019 - version 2: Major revision to align with UC systemwide Classification Standard approved by Information Risk Governance Committee
Nov. 27, 2019: Clarification on passport data classification added
Dec. 12, 2019: Clarification on P2 de-identified human subject or patient information added
Jan. 20, 2020: Clarification on P4 human subject and human genetic information added; clarification on P4 and P3 export controlled data or technology added
Jan. 23, 2020: Update to the P4 "notice-triggering data" list to reflect changes in California law
Mar. 5, 2020: Clarification on P4 financial, accounting, and payroll systems; P3 Individually identifiable location data; and P4 Passwords, PINs and passphrases added
Mar. 23, 2020: Clarification on A4 examples; moved "Campus time reporting system" from A3 to A4
Jul. 6, 2020: Clarified protection level of P3 and P4 human genomic data
Oct. 7, 2020: Clarified that UCPath Employee ID is P2, not P3
Dec. 2, 2020: Added information about when Proprietors are able to raise and lower published classification levels for a specific use case.
Jan. 29, 2021: Updated effective date for Availability Levels.
Apr. 11, 2021: Clarified that either the IRB or Campus Privacy Office can determine whether human subject data is "high risk".
Jul. 28, 2022: Updated P3 examples for personally identifiable information, FERPA-protected student records, security camera recordings, and animal research data.
Jun. 13, 2024 - version 2.1: Added Recovery Level from UC Business and Finance Bulletin IS-12, IT Recovery (UC BFB IS-12). Effective date is based on the Campuswide IT Recovery Implementation Plan. Update approved by Information Risk Governance Committee.

Table of Contents: