Have you ever copied a work file to your USB drive or home computer at the end of the day and wondered, "Is it safe to copy this data 
here?" Have you ever sent an email with a Social Security Number, a credit card number or student grades and wondered "Should I send this in email?"
You are not alone in asking these questions. Every day, data—some of it very sensitive—flows across systems, is transferred from one device to another, is copied, stored, and deleted. We need to ask ourselves these questions. But, more importantly, we need to know the answers. Protecting the confidentiality and integrity of Berkeley Campus Data is everyone's business.
Why Classify Data?
Data classification helps identify appropriate levels of information sharing and information security. Different types of information present various risks and therefore require different protections. Some information is protected by law and has the potential to cause damage if accessed inappropriately.
When classifying data at Berkeley we ask the following questions:
- What would be the adverse impact to the campus if the integrity or confidentiality of this data were compromised
- Would critical campus operations be interrupted?
- Would the campus lose money?
- Would our reputation be impacted?
- Would there be a risk of harm to individuals (such as in the case of a breach of personal information)
- Would there be legal ramifications that could, in turn, require expensive corrective actions?
- Would the campus mission or compliance with campus policies be compromised?
Data Protection Level
Once we know the potential adverse impact of a data compromise, we can classify that data into a Protection Level. At Berkeley, data falls into one of four Protection Levels (P1-P4). Most faculty and staff work with P2 data at least, and many work with more sensitive P3 and P4 level data.
Please review the Berkeley Data Classification Standard and/or Guidelines to familiarize yourself with campus classification principles and how they apply to the different types of data you commonly use. Brief summaries of the classifiation levels are below.
Protection Level P1 is reserved for data that would cause no (or minimal) adverse impact to the campus if made public, such as course listings fall, press releases, and published research.
Protection Level P2 requires more protections and imposes limits on sharing because the loss of confidentiality or integrity of this data would result in a low adverse impact to the campus. A few examples include:
- Public Directory Information for faculty, staff, and students who have not requested a FERPA block
- Fully de-identified human subject or patient information
- UC Path Employee ID
- Other information (not about individuals) that is not intended for public consumption may also be P2 data.
Protection Level P3 (moderate adverse impact) data whose unauthorized use, access, disclosure, modification, loss or deletion could result in moderate harm or damage. A few examples include:
- Most personally identifiable information not specifically classified as P2 or P4
- FERPA-Protected Student Records not containing P4 information. Examples include student ID, transcripts, grades, exam papers, test scores, course enrollment, and evaluations.
- Staff and academic Personnel Records (including Employee ID) not containing P4 information
- Individually identifiable location data
Protection Level P4 (high adverse impact) data includes “notice-triggering” data and "shared-fate" data and systems for which law imposes costly requirements if disclosed inappropriately. This data should not be stored unless it is absolutely required, and if required, only in a location specifically protected and approved for its storage. A few examples include:
- Government Issued Identification numbers including: Social Security number, Driver's license number, Passport number, etc.
- Financial account numbers, credit or debit card number (Note: The Campus Credit Card Coordinator's approval is required to handle credit card transactions.)
- Personal medical and/or health insurance information
- Biometric data used for authentication purposes
-
Passwords, PINs, passphrases, and private keys
If you have questions about data classification, contact the data or system proprietor (that is, the individual who is functionally responsible for the data or system) or send email to security@berkeley.edu.
What next? Protection Profiles
Once you know the protection level of data you handle, it's necessary to understand and implement the controls that are required to safeguard it. In addition to the different degrees of risk indicated by data protection levels P1-P4, different device types and different data quantities and uses also impact risk, and thus warrant different protections. The Minimum Security Standards for Electronic Information (MSSEI) defines the minimum set of controls (or the “baseline protection profile”) required for different combinations of data protection level and device/use type.
By default, all employee workstations (including laptops, tablets and smartphones) issued by the University are categorized, at a minimum, as “individual” P2 devices and must meet the associated protection profile.
If you work with P3 or P4 data or have “privileged access” (e.g., administrator, root, superuser) to systems, additional protections are required. “IT Infrastructure" such servers also have their required protection profiles. These are all defined in MSSEI.
What do I need to do?
- Adhere to the Top 10 Secure Computing Tips for your workstations, laptops, tablets or smartphones, etc. The person who sets up and manages your device (you or campus IT staff) needs to follow additional MSSEI requirements to make sure the device is configured correctly.
- Identify the data protection level (P1-P4) of the information you use and make sure to use appropriate systems for each type of data. (E.g., bMail, bDrive, and Box are not approved to handle P4 data.)
- Recognize the protection level P3 and P4 data types that require extra security protections, and raise a red flag if you encounter them outside of processes or systems meant for P3 or P4 data.
- Ask for assistance if you have questions about your responsibilities for protecting Berkeley data. Contact your supervisor, department IT staff or email security@berkeley.edu
Everyone plays a vital role in protecting Berkeley Campus data. Thank you for doing your part!