Have you ever copied a work file to your USB drive at the end of the day and wondered, "Is it safe to copy this data here?" Have you ever sent an email with a Social Security Number, a credit card number or student grades and wondered, "Should I send this in email?"
You are not alone in asking these questions. Every day, all kinds of data—some of it very sensitive—flows across systems, gets transferred from one device to another, gets copied, stored, and deleted. We need to ask ourselves these questions. But, more importantly, we need to know the answers. Protecting the confidentiality and integrity of Berkeley Campus Data is everyone's business.
Why Classify Data?
Data classification helps identify appropriate levels of information sharing and information security. Different types of information present various risks and therefore require different protections. Some information is found with a quick search of the UC Berkeley public directory. Other information is protected by law and has the potential to cause damage if accessed inappropriately.
When classifying data at Berkeley we ask the following questions: What would be the adverse impact to the campus if the integrity or confidentiality of this data were compromised? Would critical campus operations be interrupted? Would the campus lose money? Would our reputation be impacted? Would there be legal ramifications that could, in turn, require expensive corrective actions? Would the campus mission or compliance with campus policies be compromised?
Data Protection Level
Once we know the potential adverse impact of a data compromise, we can classify that data into a protection level. At Berkeley, data falls into one of four protection levels (0-3).
Protection Level 0 is reserved for data that would cause no (or limited) adverse impact to the campus if made public. Directory data and other public information such as course listings fall into Protection Level 0. (Note: Protection Level 0 does NOT include directory information about students who have requested not to release their information. This option is listed in BearFacts, and should be checked before releasing directory information unless the students have given specific permission.)
Moving one step up the classification ladder, Protection Level 1 requires more protections and imposes limits on sharing because the loss of confidentiality or integrity of this data would result in a moderate adverse impact to the campus.
To protect personal privacy, information about individuals is classified as Protection Level 1 unless it is otherwise classified as level 0, 2 or 3. Student data examples include transcripts, grades, exam papers, test scores, course enrollment, and evaluations. Similarly, staff and academic personnel records fall in Protection Level 1 unless identified in other categories. Other information (not about individuals) that is not intended for public consumption may also be Protection Level 1 data. While data at Protection Level 1 or higher is not intended for public release, it may still be subject to public record, litigation or other legal disclosure requests.
Protection Level 2 (high adverse impact) data includes “notice-triggering” data for which law imposes costly requirements if disclosed inappropriately. This data, listed below, should not be stored unless it is absolutely required and carefully protected:
- Social Security Number
- Driver's license number or California Identification Card number
- Financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account (Note: Billing and Payment Services approval is required to handle credit card transactions.)
- Personal medical information
- Personal health insurance information
Protection Level 3 is required in select instances of potential extreme adverse impact, such as systems that manage credentials for multiple unrelated but sensitive systems.
Most faculty and staff work with at least Protection Level 1 data. You may also handle Protection Level 2 data if you handle personnel, health or financial-related transactions. Please review the Berkeley Data Classification Standard to familiarize yourself with campus classification principles and how they apply to the different types of data you commonly use. If you have questions about data classification, contact the data or system proprietor (that is, the individual who is functionally responsible for the data or system) or send email to email@example.com.
What next? Protection Profiles
Once you know the protection level of data you handle, it's necessary to understand and implement the controls that are required to safeguard it. In addition to the different degrees of risk indicated by data protection levels 0-3, different device types and different data quantities and uses also impact risk, and thus warrant different protections. The Minimum Security Standards for Electronic Information (MSSEI) defines the minimum set of controls (or the “baseline protection profile”) required for different combinations of data protection level and device/use type.
By default, all employee workstations (including laptops, tablets and smartphones) issued by the University are categorized, at a minimum, as “individual” protection level 1 devices and must meet the associated protection profile.
If you work with level 2 data or have “privileged access” (e.g., administrator, root, superuser) to systems, additional controls are required. “Institutional” servers also have their required protection profiles. These are defined in MSSEI.
What do I need to do?
- Adhere to the Top 10 Secure Computing Tips for your workstations, laptops, tablets or smartphones, etc. The person who sets up and manages your device (you or campus IT staff) needs to follow additional MSSEI requirements to make sure the device is configured correctly.
- Identify the data protection level (0-3) of the information you use and make sure to use appropriate systems for each type of data. (For example, bMail and Box are not intended to handle level 2 data.)
- Recognize the protection level 2 data types that require extra security protections, and raise a red flag if you encounter them outside of processes or systems meant for level 2 data.
- Ask for assistance if you have questions about your responsibilities for protecting Berkeley data. Contact your supervisor, department IT staff or email firstname.lastname@example.org.
Everyone plays a vital role in protecting Berkeley Campus data. Thank you for doing your part.