Summary
Environment
VCU Data Classification Tool
Solution
How Do I Classify Data?
What Is Data Classification?
"All Data is Not Created Equal..."
When it comes to the security of information, there is no "one size fits all" protection. Different types of data should be secured in different ways. Imagine if your work or school e-mail address was subject to the same security requirements as your social security number. It would be incredibly difficult for people to contact you, even for legitimate business.
The act of classifying data, contrary to what we might have seen on the silver screen, simply means putting the data into a category based on its sensitivity. The following questions must be answered for successful classification:
- Who owns the data?
- Who should have access to the data?
- How should such access be granted or revoked?
- What precautions must be taken to ensure that only authorized individuals can access the data?
Different classification systems are used at the University, across the Commonwealth of Virginia, throughout our nation, and around the globe. The classification of data always originates from the owner. In essence, data owned by the United States federal government must use the classification scheme relevant there. Data held by the University must use our classification processes, which generally work in tandem with those of the Commonwealth of Virginia.
Once you have determined who owns particular data, you may use this online tool to help you determine the data category and obtain general information on how the data is handled. Please note that this tool is for informational purposes only. It is not intended to replace official policies or laws, or to provide legal advice.
1) Classify your data - VCU Data Classification Tool
This tool applies to data generated, collected, processed, transmitted, or otherwise handled by the University for its academic, research, community engagement, and administrative functions and any third-party data used by University personnel for university-related business. Depending on the type of data, the tool will determine the sensitivity classification—Category I, Category II, or Category III.
Category I Information/Data:
Information protected under federal, state or industry regulations and/or other civil statutes, which, if lost, may require breach notification and cause potential regulatory sanctions, fines and damages to the institution’s mission and reputation (Confidential and Regulated data).
Category II Information/Data:
All proprietary information that, if improperly released, has the potential to cause harm to the institution, its mission or its reputation, but that does not require breach notification, and whose security or privacy is not regulated or required by law or contract. Such data includes proprietary and properly de-identified research information, business-related email or other communication records, financial information, employee performance records, operational documentation, contractual information, intellectual property, internal memorandums, salary information, and all other information releasable in accordance with the Virginia Freedom of Information Act (Code of Virginia 2.2-3700). (Sensitive data)
Category III Information/Data:
All non-proprietary data that is considered publicly available for unrestricted use and disclosure, and whose loss or illegitimate modification will generate no negative impacts to individual departments, schools, colleges, or the institution as a whole. Such information is available to all members of the University community and to all individuals and entities external to the University community. Such data includes public website information, public press releases, public marketing information, directory information, and public research information. (Public Data/Information)
2) Storage Options - Data Management System
After you have determined the classification of your data using the tool mentioned above, use the Data Management System (DMS). DMS is an educational tool that helps you find which services are allowed for data storage, network, transmission, and processing.