Data and IT Resource Classification Standard

The UC Berkeley Data and IT Resource Classification Standard is issued under the authority vested in the UC Berkeley Chief Information Officer by the UC Business and Finance Bulletin IS-3 Electronic Information Security (UC BFB IS-3), and in the Campus Cyber-risk Responsible Executive (CRE) by the UC Business and Finance Bulletin IS-12, IT Recovery (UC BFB IS-12).

Issue Date: November 7, 2019 (version 2); revised June 13, 2024. Originally issued July 16, 2012 (version 1)
Effective Date: November 7, 2020 for Protection Levels; July 1, 2022 for Availability Levels; December 31, 2024 for Recovery Levels.

Responsible Executive: Associate Vice Chancellor for Information Technology and Chief Information Officer
Responsible Office: Information Security Office
Contact: Information Security Policy Manager, security-policy@berkeley.edu

Table of Contents:

I. Overview

II. Scope

III. Definitions

IV. Classification Levels

V. Additional Information

VI. Responsibilities

VII. Related Documents and Policies

Version 2.1

I. Overview

The UC Berkeley Data and IT Resource Classification Standard is UC Berkeley’s implementation of the UC Systemwide Institutional Information and IT Resource Classification Standard, and Recovery Level classification from IS-12. 

UC BFB IS-3 establishes that all Institutional Information and IT Resources must be protected according to their Protection (P) Level and Availability (A) Level classifications. This Standard is a framework for assessing the adverse impact that loss of confidentiality, integrity or availability of Institutional Information and IT Resources would have upon the Campus. It provides the foundation for establishing security requirements for each classification level.

UC BFB IS-12 establishes Recovery Level (RL) to guide IT Recovery planning and preparation for IT Resources. At UC Berkeley, Recovery Level classification is required for non-research IT Infrastructure and Services to which IS-12 applies.

Summary definitions and examples are included in the classification tables below. Full definitions and additional examples for Protection Level and Availability Level are available in the UC Systemwide Classification Standard and Guides. Additional, UC Berkeley-specific guidance is available in the Campus Data and IT Resource Classification Guideline. See IS-12 and the Campuswide IT Recovery Implementation website for Recovery Level classification guidance beyond the information in this Standard.

II. Scope

The Berkeley Data and IT Resource Classification Standard covers UC Berkeley Institutional Information and IT Resources. This Standard does not apply to Individually-Owned Data, which is defined as an individual’s own personal information that is not considered Institutional Information

Note: Classification does not alter public information access requirements. California Public Records Act or Federal Freedom of Information Act requests and other legal obligations may require disclosure or release of information from any category.

III. Definitions

Definitions of Key Terms (capitalized and italicized) used in this Standard are included in UC Berkeley’s Information Security Policy Glossary

IV. Classification Levels

Business Impact

Considerations for evaluating potential adverse impact to UC Berkeley due to loss of data or resource confidentiality, integrity, or availability include:

  • Loss of critical Campus operations
  • Negative financial impact (money lost, lost opportunities, value of the data)
  • Damage to the reputation of the Institution
  • Risk of harm to individuals (such as in the case of a breach of personal information)
  • Potential for regulatory or legal action
  • Requirement for corrective actions or repairs
  • Violation of University of California or UC Berkeley mission, policy, or principles

Protection Level Classification Table

Proprietors may raise Protection Levels for a specific use case. An exception is required to lower a published Protection Level. Please contact the Information Security Office if an item below appears to be misclassified, or if you are unable to determine a Protection Level.

Classification Adverse Business Impact Definition Examples (not an exhaustive list) 
May be updated in response to changes in UC systemwide policy and UC Berkeley campus-level risk decisions.

Protection 
Level P4

(formerly UCB PL2 and PL3)

High

Institutional Information and related IT Resources that require notification to affected parties in case of a confidentiality breach. This category also includes data and systems that create extensive "Shared-Fate" risk, where a compromise would cause further and extensive compromise among multiple (even unrelated) sensitive systems.

Unauthorized disclosure or modification of P4 data or resources could result in significant fines or penalties, regulatory action, or civil or criminal violations. There is also an inherent significant risk to UC reputation and business continuity, along with harm or impairment to UC students, patients, research subjects, employees, or guests/program participants.

  • Data or systems that create extensive "Shared-Fate" risk between multiple sensitive systems, e.g., enterprise credential stores such as the CalNet credential database; Domain Name Service (DNS). This can include both campuswide and unit-level systems. 
  • Data elements with a Statutory Requirement for Notification to affected parties in case of a confidentiality breach, such as:
    • Government issued identification numbers:
      • Social Security number (SSN), Driver's license number, California ID card number, Tax ID number, passport number, military ID number, other government-issued ID numbers
    • Financial account numbers, credit or debit card numbers and financial account security codes, access codes, or passwords
    • Personal medical information, including protected health information (PHI) covered under HIPAA 
    • Personal health insurance information
    • Biometric data used for authentication purposes, including facial recognition
    • A username or email address, in combination with a password or security question and answer that would permit access to an online account
    • Genetic data as defined by California AB-825 (effective 1/1/2022)

  • General Data Protection Regulation (GDPR) "special categories" of identifiers (Article 9).
  • Passwords, PINs and passphrases, or other authentication secrets that can be used to access P4 information or to manage P4 IT Resources 
  • Federal Controlled Unclassified Information (CUI)
  • Personally Identifiable information about loans (including student loans), federally funded student financial aid, and any other financial aid that requires repayment

  • Official financial, accounting, and payroll systems of record and authoritative source systems; also systems that handle and process financial transactions, and the account codes, account numbers, PINs, etc. necessary to make the transactions 
  • Individually identifiable human subject research data containing P4 data elements, or that the Institutional Review Board (IRB) or Campus Privacy Office determines is high risk/P4
  • Human genomic data subject to GDPR or HIPAA (regardless of de-identification status)
  • High risk export controlled data or technology (DoE 10 CFR Part 810, high-risk EAR/ITAR). Contact the Export Control Office for a determination.
  • Industrial Control Systems affecting life and safety
  • individually identifiable criminal background check information

Protection 
Level P3

(formerly UCB PL1)

Moderate

Institutional Information and IT Resources whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in moderate fines, penalties, or civil actions. This classification level also includes lower risk items that, when combined, represent an increased risk. 

Unauthorized disclosure or modification of P3 data or resources could result in legal action, harm the privacy of a group, cause moderate financial loss, or contribute to reputational damage.

  • 500 or more records of personally identifiable information not specifically classified elsewhere in this Standard
  • Personal information as defined in the European General Data Protection Regulation (GDPR) or China’s Personal Information Protection Law (PIPL) regardless of record count. Must not include GDPR "special categories" of identifiers (Article 9) - see P4 section
  • FERPA-Protected Student Records not containing P4 information. Does not include: 
    • P2 Public Directory Information
    • Student IDs with no additional identifying or FERPA-protected information -OR- student email addresses with no additional identifying or FERPA-protected information

  • Security camera recordings, body-worn video system recordings, and cameras recording cash handling or payment card handling areas
  • Building entry records
  • Individually identifiable location data that tracks an individual's movement or building/room-level location
  • Animal research protocols, and data related to animal researchers and members of the Animal Research Committee 
  • Attorney-Client Privileged Information
  • Individually identifiable human subject research data not containing P4 data elements and that the IRB or Campus Privacy Office have not determined is high risk. This includes human genomic data that can be re-identified using publicly available data.
  • Low risk export controlled data or technology (EAR/ITAR). Contact the Export Control Office for a determination.
  • IT security information, exception requests and system security plans
  • Staff and academic Personnel Records not containing P4 information. Does not include P2 Public Directory Information
  • Medical devices supporting diagnostics (not containing P4 information)
  • Industrial control systems affecting operations

Protection 
Level P2

(formerly UCB PL0 and PL1)

Low

Institutional Information and IT Resources that may not be explicitly protected by statutes or other contractual regulations, but are not commonly intended for public use or access and should only be accessed on a need-to-know basis. 

Unauthorized disclosure or modification of P2 data could result in minor damage or small financial loss, or cause a minor impact on the privacy of an individual or group.

  • Information intended for release only on a need-to-know basis, including personal information not otherwise classified as P1, P3 or P4
  • Non-P3/P4 data protected or restricted by contract, grant, or other agreement terms and conditions
  • De-identified human subject or patient information (with negligible re-identification risk and no Notice-Triggering data elements) that the IRB or Campus Privacy Office have not determined is considered P3 or P4

  • Routine email and business records not containing P3 or P4 information
  • Exams (questions and answers)
  • Calendar information not containing P3 or P4 information
  • Meeting notes not containing P3 or P4 information
  • Non-public research using publicly available data
  • UCPath Employee ID
  • Public Directory Information for faculty, staff, and students who have not requested a FERPA block
  • Licensed software/software license keys
  • Library paid subscription electronic resources

Protection 
Level P1

(formerly UCB PL0)

Minimal

Information intended for public access, but whose integrity is important. For P1, unauthorized modification is the primary protection concern. The application of minimum security requirements is sufficient.

  • Public-facing informational websites
  • Course listings and prerequisites
  • Public event calendars
  • Hours of operation
  • Parking regulations
  • Press releases
  • Published research

Availability Level Classification Table

Proprietors may raise or lower the Availability Level based on use case. An exception is not required for Availability Level changes. Please contact the Information Security Office if an item below appears to be misclassified, or if you are unable to determine an Availability Level.

Classification Adverse Business Impact Definition Examples (not an exhaustive list) 
May be updated in response to changes in UC systemwide policy and UC Berkeley campus-level risk decisions.
Availability 
Level A4
High

Definition: Loss of Availability would have a significant business impact to the Campus, a Campus Unit, and/or essential services. It may also cause serious financial losses. IT Resources that are required to be available by statutory, regulatory and/or legal obligations fall into this risk level. Critical IT Infrastructure also falls into this category.

  • Central Campus authentication systems
  • Student learning management system
  • Backup data systems for A4 resources
  • Central system management consoles
  • Core network services, e.g. DNS, border/core routing, and firewalls
  • Enterprise email 
  • Official financial, accounting, and payroll systems of record and authoritative source systems; also systems that handle and process financial transactions, and the account codes, account numbers, PINs, etc., necessary to make the transactions
  • Building access systems
  • Medical records system
  • IT infrastructure and industrial control systems affecting life and safety (e.g. emergency 911 location system)
  • Campus procurement system
  • Campus time reporting system

Availability
Level A3

Moderate

Definition: Loss of availability would result in moderate financial losses and/or reduced customer service.

  • Event ticketing systems
  • Point-of-sale (POS) systems
  • Issue tracking systems
  • Security logs
  • Building management systems
  • File servers supporting business operations
  • Operational knowledge base
  • Clinical trial management system
  • Medical devices supporting diagnostics
  • Industrial control systems affecting operations
  • Collaboration services such as calendaring, file sharing, code repositories
Availability
Level A2
Low

Definition: Loss of availability may cause minor losses or inefficiencies.

  • Departmental websites
  • Student life management system
  • Staff learning management system
  • Informational knowledge base
Availability 
Level A1
Minimal

Definition: Loss of availability poses minimal impact or financial loss.

  • Individual workstations, laptops, and other mobile devices
  • Public directory
  • Copy machines or printers

Recovery Level Classification Table

Recovery Levels are identified in partnership between the IT Resource Proprietor(s) and the Service Provider, and are based on the functional requirements of the service. For questions about the interpretation of IS-12 or the application of Recovery Levels at UC Berkeley, please visit the Campuswide IT Recovery Implementation website.

Classification Adverse Business Impact Definition Examples (not an exhaustive list) 
May be updated in response to changes in UC systemwide policy and UC Berkeley campus-level risk decisions.
Recovery 
Level R5
Very High

15 minutes

Core technology and infrastructure

Examples include: campus-wide authentication service, campus-wide key card access, campus-wide networking, Enterprise storage systems

Recovery 
Level R4
High

Up to 6 hours

Critical 1 - Life/safety/alternatives not sustainable

Examples include: VPN services, reporting platforms, CRM systems, animal life/safety, electronic medical record (EMR) system

Recovery
Level R3

Moderate

Up to 24 hours

Critical 2 - Alternatives sustainable up to 24 hours

Examples include: campus financial systems, HR systems, campus Zoom, campus website, Campus Solutions/Student Information Systems (BCS/SIS)

Recovery
Level R2
Low

Up to 5 days

Necessary

Examples include: Research storage systems, departmental informational websites, student learning management system (bCourses)

Recovery 
Level R1
Minimal

Up to 30 days

Deferrable

Examples include: productivity tracking tools (depending on use case), internal library staff applications, museum archives

V. Additional Information

Statutory Requirement for Notification

See definition in UC Berkeley’s Information Security Policy Glossary

The following registration and approval requirements apply to information with a statutory requirement for notification (“Notice-Triggering” information):

VI. Responsibilities

The following roles have key responsibilities related to this Standard. Details are available in UC Berkeley’s Roles and Responsibilities Policy unless otherwise noted

  • Institutional Information and IT Resource Proprietors
  • Researchers
  • Service Providers
  • Unit Heads
  • Unit Information Security Lead
  • Unit IT Recovery Leads (applies to Recovery Level only - see IS-12, Sec. V, for details)
  • Workforce Members

VII. Related Documents and Policies 


Change Log

  • July 16, 2012 - version 1: Original issue date
  • Apr. 22, 2013: Administrative revision 
  • Nov. 7, 2019 - version 2: Major revision to align with UC systemwide Classification Standard approved by Information Risk Governance Committee
  • Nov. 27, 2019: Clarification on passport data classification added
  • Dec. 12, 2019: Clarification on P2 de-identified human subject or patient information added
  • Jan. 20, 2020: Clarification on P4 human subject and human genetic information added; clarification on P4 and P3 export controlled data or technology added
  • Jan. 23, 2020: Update to the P4 "notice-triggering data" list to reflect changes in California law
  • Mar. 5, 2020: Clarification on P4 financial, accounting, and payroll systems; P3 Individually identifiable location data; and P4 Passwords, PINs and passphrases added
  • Mar. 23, 2020: Clarification on A4 examples; moved "Campus time reporting system" from A3 to A4
  • Jul. 6, 2020: Clarified protection level of P3 and P4 human genomic data
  • Oct. 7, 2020: Clarified that UCPath Employee ID is P2, not P3
  • Dec. 2, 2020: Added information about when Proprietors are able to raise and lower published classification levels for a specific use case.
  • Jan. 29, 2021: Updated effective date for Availability Levels.
  • Apr. 11, 2021: Clarified that either the IRB or Campus Privacy Office can determine whether human subject data is "high risk". 
  • Jul. 28, 2022: Updated P3 examples for personally identifiable information, FERPA-protected student records, security camera recordings, and animal research data. 
  • Jun. 13, 2024 - version 2.1: Added Recovery Level from UC Business and Finance Bulletin IS-12, IT Recovery (UC BFB IS-12). Effective date is based on the Campuswide IT Recovery Implementation Plan. Update approved by Information Risk Governance Committee.
  • Dec 13, 2024: Added bCourses and BCS/SIS to RL2 and RL3 examples, respectively.