Have you ever copied a work file to your USB drive at the end of the day and wondered, "Is it safe to copy this data here?" Have you ever sent an email with a Social Security Number, a credit card number or student grades and wondered "Should I send this in email?"
You are not alone in asking these questions. Every day data—some of it very sensitive—flows across systems, is transferred from one device to another, is copied, stored, and deleted. We need to ask ourselves these questions. But, more importantly, we need to know the answers. Protecting the confidentiality and integrity of Berkeley Campus Data is everyone's business.
Why Classify Data?
Data classification helps identify appropriate levels of information sharing and information security. Different types of information present various risks and therefore require different protections. Some information is protected by law and has the potential to cause damage if accessed inappropriately.
When classifying data at Berkeley we ask the following questions:
- What would be the adverse impact to the campus if the integrity or confidentiality of this data were compromised
- Would critical campus operations be interrupted?
- Would the campus lose money?
- Would our reputation be impacted?
- Would there be legal ramifications that could, in turn, require expensive corrective actions?
- Would the campus mission or compliance with campus policies be compromised?
Data Protection Level
Once we know the potential adverse impact of a data compromise, we can classify that data into a Protection Level. At Berkeley, data falls into one of four Protection Levels (P1-P4). Most faculty and staff work with P2 data at least. You may also handle P3 data if you handle personnel, health or financial-related transactions.
Please review the Berkeley Data Classification Standard to familiarize yourself with campus classification principles and how they apply to the different types of data you commonly use.
Protection Level 1 is reserved for data that would cause no (or minimal) adverse impact to the campus if made public. Directory data and other public information such as course listings fall into UC P1. (Note: Protection Level 1 does NOT include directory information about students who have requested not to release their information. This option is listed in BearFacts, and should be checked before releasing directory information unless the students have given specific permission.)
Protection Level 2 requires more protections and imposes limits on sharing because the loss of confidentiality or integrity of this data would result in a low adverse impact to the campus.
To protect personal privacy, information about individuals is classified as Protection Level 2 (P2) unless it is otherwise classified as level P1, P3 or P4. Student data examples include transcripts, grades, exam papers, test scores, course enrollment, and evaluations. Similarly, staff and academic personnel records fall in P2 unless identified in other categories. Other information (not about individuals) that is not intended for public consumption may also be P2 data. While P2 data or higher is not intended for public release it may still be subject to public record, litigation or other legal disclosure requests.
Protection Level 3 (moderate adverse impact) data whose unauthorized use, access, disclosure, modification, loss or deletion could result in moderate harm or damage. A few examples include:
- Personally identifiable information not already classified as P4
- FERPA-Protected Student Records (including Student ID) not containing P4 information
- Staff and academic Personnel Records (including Employee ID) not containing P4 information
Protection Level 4 (high adverse impact) data includes “notice-triggering” data and "shared-fate" data and system for which law imposes costly requirements if disclosed inappropriately. This data should not be stored unless it is absolutely required and carefully protected. A few examples include:
- Government Issued Identification numbers including: Social Security number, Driver's license number, Passport number, etc.
- Financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account (Note: Billing and Payment Services approval is required to handle credit card transactions.)
- Personal medical and/or health insurance information
- Biometric data used for authentication purposes
If you have questions about data classification, contact the data or system proprietor (that is, the individual who is functionally responsible for the data or system) or send email to email@example.com.
What next? Protection Profiles
Once you know the protection level of data you handle, it's necessary to understand and implement the controls that are required to safeguard it. In addition to the different degrees of risk indicated by data protection levels P1-P4, different device types and different data quantities and uses also impact risk, and thus warrant different protections. The Minimum Security Standards for Electronic Information (MSSEI) defines the minimum set of controls (or the “baseline protection profile”) required for different combinations of data protection level and device/use type.
By default, all employee workstations (including laptops, tablets and smartphones) issued by the University are categorized, at a minimum, as “individual” P2 devices and must meet the associated protection profile.
If you work with P3 data or have “privileged access” (e.g., administrator, root, superuser) to systems, additional controls are required. “Institutional” servers also have their required protection profiles. These are defined in MSSEI.
What do I need to do?
- Adhere to the Top 10 Secure Computing Tips for your workstations, laptops, tablets or smartphones, etc. The person who sets up and manages your device (you or campus IT staff) needs to follow additional MSSEI requirements to make sure the device is configured correctly.
- Identify thedata protection level (P1-P4) of the information you use and make sure to use appropriate systems for each type of data. (e.g., bMail and Box are not intended to handle P3 data.)
- Recognize the protection level 3 data types that require extra security protections, and raise a red flag if you encounter them outside of processes or systems meant for P3 data.
- Ask for assistance if you have questions about your responsibilities for protecting Berkeley data. Contact your supervisor, department IT staff or email firstname.lastname@example.org
Everyone plays a vital role in protecting Berkeley Campus data. Thank you for doing your part!