To apply security measures in the most appropriate and cost-effective manner, data (regardless of format) must be evaluated and assigned a Data Classification Level (DCL). The DCL of the data establishes the extent and type of information security measures that must be implemented. 

The security requirements set forth are high-level requirements that establish the minimum standards that must be followed for each DCL. 

Exceptions & Other Considerations  

Exceptions to the standards may be required due to budget, functional or technology limitations. Exceptions must be approved and documented by the Information Security Office at each business unit. 

Exceptions also must be eliminated as soon as is reasonably possible. 

The value or criticality of the information asset must also be considered when assigning a DCL. For example, a system may hold data that is only classified as DCL1 but concerns about data integrity or the value of the asset to the University may justify managing the asset at a higher DCL. 

The primary public website for each business unit might be an example of this situation. Data custodians and data stewards should work together to classify and manage the information assets for which they are responsible, based on a thorough understanding of each asset's overall value. 

Data Classification

Data classification at the ǿմý is the categorization of data according to its importance, sensitivity and potential for misuse. 

We use data classification to help select appropriate security controls for storing, processing, transferring and sharing data.  

The University has created a classification system that divides data into four levels: 

  • Data Classification Level 1: Public 
  • Data Classification Level 2: Sensitive (Internal) 
  • Data Classification Level 3: Restricted 
  • Data Classification Level 4: Highly Restricted 

Information security and IT compliance will assist in determining the appropriate classification for your data. They also review tools and services to help protect the confidentiality, integrity and availability of our information assets. 

Data Classification Level 1: Public 

Information intended and released for public use. The University intentionally provides this information to the public. 

Examples: 

  • Published research 
  • Course catalogs 
  • Published faculty and staff information 
  • Job postings 
  • Name, employment dates, job title and work address/phone/email 
  • Student directory information* 
  • Basic emergency response plans 
  • University-wide policies 
  • Publications 
  • Press releases 
  • Published marketing materials 
  • Regulatory and legal filings 
  • Published annual reports 
  • Code contributed to Open Source 
  • Released patents 
  • Plans of public spaces 

*Directory information about students who have requested FERPA blocks must be classified and handled as DCL3. 

Data Classification Level 2: Sensitive (Internal) 

Information that is intended to only be shared within the UM System community. Sensitive data or information that is not openly shared with the public but is not specifically required to be protected by statute, regulation or policy. Unauthorized disclosure of this information could adversely impact the University, individuals or affiliates.  

Examples: 

  • Budget and salary information 
  • Employee ID 
  • Cell phone numbers 
  • Departmental policies and procedures 
  • Internal memos 
  • Incomplete or unpublished research 
  • Faculty degrees and certificates 
  • Employee web/intranet portals 
  • UM training materials 
  • Pre-release articles 
  • Drafts of research papers 
  • Work papers 
  • Patent applications 
  • Grant applications 
  • Non-public building plans or layouts 
  • Non-confidential administrative survey data 
  • De-identified Research Data (Non-clinical) 

Data Classification Level 3: Restricted 

Confidential business or personal information, intended only for those with a “business need to know.” There are often general statutory, regulatory or contractual requirements that require protection of the data. It is intended for a very specific use and should not be disclosed except to those who have explicit authorization to review such data.  

Unauthorized disclosure of this information could have a serious adverse impact on the University, individuals or affiliates. 

Examples: 

  • Non-directory student information 
  • Personally identifiable information (PII) such as name, birthdate, address, phone number, email, etc., where the information is held in combination and could lead to identity theft or other misuse 
  • Certain research (e.g. proprietary or otherwise protected) 
  • Performance records 
  • Gender 
  • Ethnicity 
  • Race 
  • Citizenship 
  • Visa/immigration status 
  • Disability 
  • ADA accommodations 
  • Non-published faculty and staff information 
  • Personnel records* 
  • Donor information 
  • Non-public legal work and litigation information 
  • Budget /financial transactions information 
  • Non-public financial statements 
  • Information specified as confidential by vendor contracts and NDAs 
  • Information specified as confidential by Data Use Agreements 
  • General security findings or reports 
  • Most UM source code 
  • Non-security technical specifications/architecture schema 
  • Library/museum object valuations 
  • IRB records 
  • Sensitive administrative survey data 
  • Course feedback, especially if free text response is permitted 
  • De-identified health or medical information 
  • De-identified Clinical Research Data 
  • Partial Social Security Number (Last four digits) 

*Employees have the right to discuss terms and conditions of their own employment, including salary and benefits, with each other or with third parties. 

Data Classification Level 4: Highly Restricted 

High-risk information that requires strict controls. There are often governing statutes, regulations or standards with specific provisions that dictate how this type of data must be protected. It is intended for a very limited use and must not be disclosed except to those who have explicit authorization to view or use the data. Unauthorized disclosure of this information could have a serious adverse impact on the University, individuals or affiliates. 

Examples: 

  • Passwords and PINs 
  • System credentials 
  • Private encryption keys 
  • Government issued identifiers 
  • Passport number or picture 
  • Driver’s license information or picture 
  • Full Social Security Numbers (SSNs) 
  • Individually identifiable financial account information (e.g. bank account, credit or debit card numbers) 
  • Individually identifiable health or medical information 
  • Individually identifiable research data 
  • Details of significant security exposures (e.g. vulnerability assessment and penetration test results) 
  • Security system procedures and architectures 
  • Trade secrets 
  • Systems managing critical Operational Technology 
  • Biometric Data 
  • E-Commerce 
  • Export Controlled Data 
  • National Security Interest (NSI) 
  • Protected Health Information (PHI) 
  • Controlled Unclassified Information (CUI) 

See the minimum security requirements that must be followed for each DCL for mobile devices (phones and tablets)

See the minimum security requirements that must be followed for portable storage devices

See the minimum security requirements that must be followed for each DCL. These requirements also apply to 3rd party provided or hosted applications and systems. 

See the minimum security requirements that must be followed for each DCL for workstations (desktops and laptops)