The UC Berkeley Data and IT Resource Classification Standard is issued under the authority vested in the UC Berkeley Chief Information Officer by the UC Business and Finance Bulletin IS-3 Electronic Information Security (UC BFB IS-3), and in the Campus Cyber-risk Responsible Executive (CRE) by the UC Business and Finance Bulletin IS-12, IT Recovery (UC BFB IS-12).
Issue Date: November 7, 2019 (version 2); revised June 13, 2024. Originally issued July 16, 2012 (version 1).
Effective Date: November 7, 2020 for Protection Levels; July 1, 2022 for Availability Levels; December 31, 2024 for Recovery Levels.
Responsible Executive: Associate Vice Chancellor for Information Technology and Chief Information Officer
Responsible Office: Information Security Office
Contact: Information Security Policy Manager, security-policy@berkeley.edu
Version 2.1
I. Overview
The UC Berkeley Data and IT Resource Classification Standard is UC Berkeley’s implementation of the UC Systemwide Institutional Information and IT Resource Classification Standard, and Recovery Level classification from IS-12.
UC BFB IS-3 establishes that all Institutional Information and IT Resources must be protected according to their Protection (P) Level and Availability (A) Level classifications. This Standard is a framework for assessing the adverse impact that loss of confidentiality, integrity or availability of Institutional Information and IT Resources would have upon the Campus. It provides the foundation for establishing security requirements for each classification level.
UC BFB IS-12 establishes Recovery Level (RL) to guide IT Recovery planning and preparation for IT Resources. At UC Berkeley, Recovery Level classification is required for non-research IT Infrastructure and Services to which IS-12 applies.
Summary definitions and examples are included in the classification tables below. Full definitions and additional examples for Protection Level and Availability Level are available in the UC Systemwide Classification Standard and Guides. Additional, UC Berkeley-specific guidance is available in the Campus Data and IT Resource Classification Guideline. See IS-12 and the Campuswide IT Recovery Implementation website for Recovery Level classification guidance beyond the information in this Standard.
II. Scope
The Berkeley Data and IT Resource Classification Standard covers UC Berkeley Institutional Information and IT Resources. This Standard does not apply to Individually-Owned Data, which is defined as an individual’s own personal information that is not considered Institutional Information.
Note: Classification does not alter public information access requirements. California Public Records Act or Federal Freedom of Information Act requests and other legal obligations may require disclosure or release of information from any category.
III. Definitions
Definitions of Key Terms (capitalized and italicized) used in this Standard are included in UC Berkeley’s Information Security Policy Glossary.
IV. Classification Levels
Business Impact
Considerations for evaluating potential adverse impact to UC Berkeley due to loss of data or resource confidentiality, integrity, or availability include:
- Loss of critical Campus operations
- Negative financial impact (money lost, lost opportunities, value of the data)
- Damage to the reputation of the Institution
- Risk of harm to individuals (such as in the case of a breach of personal information)
- Potential for regulatory or legal action
- Requirement for corrective actions or repairs
- Violation of University of California or UC Berkeley mission, policy, or principles
Protection Level Classification Table
Proprietors may raise Protection Levels for a specific use case. An exception is required to lower a published Protection Level. Please contact the Information Security Office if an item below appears to be misclassified, or if you are unable to determine a Protection Level.
Classification | Adverse Business Impact | Definition | Examples (not an exhaustive list; may be updated in response to changes in UC systemwide policy and UC Berkeley campus-level risk decisions)
Protection Level P4 (formerly UCB PL2 and PL3) | High | Institutional Information and related IT Resources that require notification to affected parties in case of a confidentiality breach. This category also includes data and systems that create extensive "Shared-Fate" risk, where a compromise would cause further and extensive compromise among multiple (even unrelated) sensitive systems. Unauthorized disclosure or modification of P4 data or resources could result in significant fines or penalties, regulatory action, or civil or criminal violations. There is also an inherent significant risk to UC reputation and business continuity, along with harm or impairment to UC students, patients, research subjects, employees, or guests/program participants. |
Protection Level P3 (formerly UCB PL1) | Moderate | Institutional Information and IT Resources whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in moderate fines, penalties, or civil actions. This classification level also includes lower risk items that, when combined, represent an increased risk. Unauthorized disclosure or modification of P3 data or resources could result in legal action, harm the privacy of a group, cause moderate financial loss, or contribute to reputational damage. |
Protection Level P2 (formerly UCB PL0 and PL1) | Low | Institutional Information and IT Resources that may not be explicitly protected by statutes or other contractual regulations, but are not commonly intended for public use or access and should only be accessed on a need-to-know basis. Unauthorized disclosure or modification of P2 data could result in minor damage or small financial loss, or cause a minor impact on the privacy of an individual or group. |
Protection Level P1 (formerly UCB PL0) | Minimal | Information intended for public access, but whose integrity is important. For P1, unauthorized modification is the primary protection concern. The application of minimum security requirements is sufficient. |
Availability Level Classification Table
Proprietors may raise or lower the Availability Level based on use case. An exception is not required for Availability Level changes. Please contact the Information Security Office if an item below appears to be misclassified, or if you are unable to determine an Availability Level.
Classification | Adverse Business Impact | Definition | Examples (not an exhaustive list; may be updated in response to changes in UC systemwide policy and UC Berkeley campus-level risk decisions)
Availability Level A4 | High | Loss of availability would have a significant business impact to the Campus, a Campus Unit, and/or essential services. It may also cause serious financial losses. IT Resources that are required to be available by statutory, regulatory and/or legal obligations fall into this risk level. Critical IT Infrastructure also falls into this category. |
Availability Level A3 | Moderate | Loss of availability would result in moderate financial losses and/or reduced customer service. |
Availability Level A2 | Low | Loss of availability may cause minor losses or inefficiencies. |
Availability Level A1 | Minimal | Loss of availability poses minimal impact or financial loss. |
Recovery Level Classification Table
Recovery Levels are identified in partnership between the IT Resource Proprietor(s) and the Service Provider, and are based on the functional requirements of the service. For questions about the interpretation of IS-12 or the application of Recovery Levels at UC Berkeley, please visit the Campuswide IT Recovery Implementation website.
V. Additional Information
Statutory Requirement for Notification
See definition in UC Berkeley’s Information Security Policy Glossary.
The following registration and approval requirements apply to information with a statutory requirement for notification (“Notice-Triggering” information):
- Campus Credit Card Coordinator approval is required to handle credit card transactions.
- Storage, transmission or use of Notice-Triggering data requires registration in the campus asset registration portal.
VI. Responsibilities
The following roles have key responsibilities related to this Standard. Details are available in UC Berkeley’s Roles and Responsibilities Policy unless otherwise noted.
- Institutional Information and IT Resource Proprietors
- Researchers
- Service Providers
- Unit Heads
- Unit Information Security Lead
- Unit IT Recovery Leads (applies to Recovery Level only - see IS-12, Sec. V, for details)
- Workforce Members
VII. Related Documents and Policies
- Data and IT Resource Classification Guideline
- Classification handouts for Protection Levels and Availability Levels
- Allowable Protection Levels for bCourses, Box, CalShare, and Google
- Allowable Protection Levels for use with generative AI tools (rapidly evolving)
- UC BFB-IS-3: Electronic Information Security
- UC BFB IS-12, IT Recovery
- UC Institutional Information and IT Resource Classification Standard and Guides
- UCB Minimum Security Standards for Electronic Information (MSSEI)
- Campus data registration portal
- How to Classify Research Data
Change Log
- July 16, 2012 - version 1: Original issue date
- Apr. 22, 2013: Administrative revision
- Nov. 7, 2019 - version 2: Major revision to align with UC systemwide Classification Standard approved by Information Risk Governance Committee
- Nov. 27, 2019: Clarification on passport data classification added
- Dec. 12, 2019: Clarification on P2 de-identified human subject or patient information added
- Jan. 20, 2020: Clarification on P4 human subject and human genetic information added; clarification on P4 and P3 export controlled data or technology added
- Jan. 23, 2020: Update to the P4 "notice-triggering data" list to reflect changes in California law
- Mar. 5, 2020: Clarification on P4 financial, accounting, and payroll systems; P3 Individually identifiable location data; and P4 Passwords, PINs and passphrases added
- Mar. 23, 2020: Clarification on A4 examples; moved "Campus time reporting system" from A3 to A4
- Jul. 6, 2020: Clarified protection level of P3 and P4 human genomic data
- Oct. 7, 2020: Clarified that UCPath Employee ID is P2, not P3
- Dec. 2, 2020: Added information about when Proprietors are able to raise and lower published classification levels for a specific use case.
- Jan. 29, 2021: Updated effective date for Availability Levels.
- Apr. 11, 2021: Clarified that either the IRB or Campus Privacy Office can determine whether human subject data is "high risk".
- Jul. 28, 2022: Updated P3 examples for personally identifiable information, FERPA-protected student records, security camera recordings, and animal research data.
- Jun. 13, 2024 - version 2.1: Added Recovery Level from UC Business and Finance Bulletin IS-12, IT Recovery (UC BFB IS-12). Effective date is based on the Campuswide IT Recovery Implementation Plan. Update approved by Information Risk Governance Committee.
- Dec. 13, 2024: Added bCourses and BCS/SIS to RL2 and RL3 examples, respectively.