Security Categorization (RA-2)

Created August 15, 2016
Revised September 1, 2016

Description

Data classification provides a framework for managing data assets based on value and associated risks. It also guides the application of the appropriate levels of protection as required by state and federal law as well as proprietary, ethical, operational, and privacy considerations. All data, whether electronic or printed, should be classified.

Applicability

This Control applies to all information resource owners, custodians, and users. It also applies to information resources storing University Data regardless of ownership of the particular storage device. Other federal, state, or contractual requirements may be more restrictive than the procedures specified in this Control (example: Classified National Security Information). In no situation can procedures regarding security of data be less restrictive than this control, regardless of the contract or agreement specifications.

Implementation

1 RESPONSIBILITIES

1.1 It is the responsibility of anyone (e.g., owner, custodian, user) having University Data in their possession or under their direct control (e.g., manages the storage device) to know the classification category of the data and to ensure the appropriate safeguards are in place. Anyone possessing confidential data, or who has such data under their direct control, shall ensure that appropriate risk mitigation measures are in place to protect the data from unauthorized exposure.

1.2 The University is responsible for defining all information classification categories except for "Confidential" and "Classified." The "Confidential" category is defined by state and federal law, and the "Classified" category may be determined by contract and/or is information pursuant to U.S. Presidential Executive Orders 12356 and 13526. The owner of an information resource is responsible for determining the classification category for business function information. The final determination of classification categories may be subject to review by the office of the Vice President for Information Technology & Chief Information Officer as delegated by the University President.

2 PROCEDURES

2.1 University Data is to be classified as Confidential, Controlled, or Public. Texas A&M University owners of information resources (owners), or designees, shall identify (location and owner) and categorize data at least annually. For confidential, controlled, or mission critical categories, the location, category, and owner shall be documented. This should be accomplished in conjunction with the annual risk assessment process (as described in the Information Security Risk Assessment Procedures (ISRAP)). The purpose of this identification and categorization process is to determine the appropriate security controls needed to protect university data.

2.1.1 Confidential Data is information that must be protected from unauthorized disclosure or public release based on state or federal law (e.g., the Public Information Act and other constitutional, statutory, judicial, and legal agreements). Confidential information in this context relates to Texas Administrative Code or other Texas legislative requirements and does not include information that is related to Classified National Security Information. Confidential data should be protected in transit and at rest. Examples include Social Security numbers, personal financial accounts, student education records, intellectual property, or medical records.

2.1.2 Controlled Data is data that may be subject to disclosure or release under the Texas Public Information Act, but requires additional levels of protection, such as operational information, non-confidential personnel records, information security procedures, research, or internal communications.

2.1.3 Public Data is information intended or required for public release as described in the Texas Public Information Act.

2.2 Access to confidential or controlled information shall not be permitted with the use of a User ID alone (for example a UIN only).

2.3 Social Security Numbers (SSNs) are confidential information that requires specific security considerations.

2.3.1 Where feasible, all data files are to be scanned on an annual basis to determine if those files contain SSNs.

2.3.2 If SSNs are found or known to be present in a file, they are to be removed or appropriate risk mitigation measures applied (for example encryption, but not limited to encryption) if their continued presence is required.

2.3.3 All SSNs that are to be retained and stored are to be reported to, and approved by, the Vice President for Information Technology & Chief Information Officer. The reporting and approval process will be in the manner indicated for SSN exception requests at SSN Exception Requests.

2.3.4 A file is not subject to the requirements in this section if the only SSNs contained in the file belong to the owner and custodian of the file or his/her immediate family members.
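Sections 2.3.1 and 2.3.2 call for scanning files for SSNs and then removing or protecting what is found. The script below is an added example, not part of this Control or of any Texas A&M tool; it shows one way a custodian could implement the scan. It assumes SSNs appear as nine digits either unseparated or hyphenated in the 3-2-4 form, applies the Social Security Administration's structural rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) to cut down false positives, and reports findings with the first five digits masked so the report itself does not become a new store of confidential data. The file names and records are constructed; the 2.3.4 exemption (SSNs belonging only to the file's owner or family) is a judgment left to the custodian.

```python
import re
import tempfile
from pathlib import Path

# Added example; not part of the RA-2 control text. It implements the scan
# described in 2.3.1 (find files containing SSNs) and supports 2.3.2 by
# producing a masked worklist for the custodian to remediate. Sample records
# below are constructed and belong to no real person.

# A candidate is three, two and four digits, either unseparated or joined by
# hyphens used consistently (the backreference \2 rejects mixed forms), and
# not embedded in a longer run of digits.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})(-?)(\d{2})\2(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the Social Security Administration's structural rules: area
    000, 666 and 900-999 are never assigned, nor are group 00 or serial 0000.
    Rejecting these removes obvious non-SSNs such as zero-padded IDs."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask(serial: str) -> str:
    """Keep only the last four digits so the report is not itself confidential."""
    return f"***-**-{serial}"


def scan_text(text: str) -> list:
    """Return one finding per plausible SSN: 1-based line number and masked value."""
    findings = []
    for m in SSN_CANDIDATE.finditer(text):
        area, _sep, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append({"line": line_no, "masked": mask(serial)})
    return findings


def scan_files(paths) -> dict:
    """Scan each readable text file. Unreadable files are skipped and files
    with no findings are omitted, so the result is a remediation worklist."""
    report = {}
    for p in map(Path, paths):
        try:
            text = p.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        findings = scan_text(text)
        if findings:
            report[p.name] = findings
    return report


# Constructed sample data: an HR export with several invalid-by-construction
# values, and a meeting note that contains no SSN at all.
HR_EXPORT = """name,ssn,note
Alice Example,123-45-6789,constructed valid-looking record
Bob Example,000-12-3456,area 000 is never assigned
Carol Example,666-12-3456,area 666 is never assigned
Dan Example,987-65-4320,area 900-999 is never assigned
Eve Example,123-00-6789,group 00 is never assigned
Frank Example,123-45-0000,serial 0000 is never assigned
Order ref 123456789 placed by Grace Example (unseparated digits still flagged)
Main office phone 979-845-1234 (ten digits, not an SSN pattern)
"""
MINUTES = "Weekly sync: discussed the annual data inventory deadline.\n"


def demo_report() -> dict:
    """Write the constructed files to a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as d:
        files = {"hr_export.csv": HR_EXPORT, "minutes.txt": MINUTES}
        for name, body in files.items():
            Path(d, name).write_text(body, encoding="utf-8")
        return scan_files(Path(d, name) for name in files)


if __name__ == "__main__":
    for fname, hits in demo_report().items():
        print(f"{fname}: {len(hits)} SSN(s) found")
        for h in hits:
            print(f"  line {h['line']}: {h['masked']}")
```

Run on the constructed data, only hr_export.csv appears in the worklist, with two hits (lines 2 and 8); the five invalid-by-construction rows and the phone number are not reported. In practice the pattern would be widened to the separators actually seen in local data, and the worklist fed into the 2.3.2 decision of remove versus encrypt.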

2.4 Classified National Security Information ("Classified") will be more closely managed than most other data.

2.4.1 Any entity that has a need to work with "Classified" information shall obtain approval from the Texas A&M System Facility Security Officer (FSO) prior to finalizing any contracts or agreements.

2.4.2 Any entity that has a need to work with "Classified" information shall follow the requirements of the governing contract and the direction provided in Texas A&M System Regulation 15.99.02 Classified Information, which may be more restrictive than the procedures in this Control.