Policy
Original Issuance Date: September 14, 2016
Last Revision Date: March 4, 2024
Effective Date: December 1, 2024
1. Policy Purpose
This policy establishes a framework for classifying University of Wisconsin (UW) System data based on its level of sensitivity, value, and criticality to the Institution. Data classifications are necessary to secure and protect data in a predictable manner consistent with the risk posed to the organization.
2. Responsible UW System Officer
Associate Vice President for Information Security
3. Scope and Institutional Responsibilities
This policy applies to all UW System data, including all operational and research data. Institutions may elect to develop their own procedures and/or guidance to support compliance with this policy.
4. Background
UW System uses a variety of data in support of its teaching, research, administrative, and outreach missions. Data is a valued resource institutions must govern, classify, and protect. Laws and regulations also require that institutions limit access to certain categories of data to protect the privacy of individuals.
To ensure appropriate protection from threats to the confidentiality, integrity, and availability of UW System’s data, it is necessary to determine the level of risk associated with the data. Data classification assigns such levels and helps inform which technical, administrative, and physical controls should be applied to protect the data from theft, alteration, loss of integrity, and/or misuse. Proper data security handling practices must be employed commensurate with the sensitivity of the data and the risk to UW System. This policy also seeks to ensure strong and consistent data handling standards throughout UW System.
5. Definitions
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:
- Data Domain
- Data Steward
- Data Trustee
6. Policy Statement
Institutions shall use the following framework to evaluate and classify data.
A. Data Classifications
UW System utilizes a three-tier data classification schema, with each tier representing the level of risk the data poses to the organization. Data Stewards shall classify data they are responsible for overseeing in a consistent manner to align with the classification levels listed below.
Specific examples for each classification can be found in SYS 1031 Guidance: Data Classification Examples.
I. Low Risk
Data is classified as low risk when the loss of confidentiality, integrity, or availability of data could result in negligible operational, financial, legal, or reputational impact to the organization. This includes:
- Public Data – Data made available for public use and consumption that can be openly shared or discussed with anyone.
- Internal Data – Data made available to internal users but not intended to be openly shared on public websites or in other public forums.
II. Moderate Risk
Data is classified as moderate risk when the loss of confidentiality, integrity, or availability of data could result in a moderate operational, financial, legal, or reputational impact to the organization. This includes:
- Sensitive Data – Data limited to defined users, roles, or groups within the organization based on specific business needs. By default, all institutional data that is not explicitly classified must be treated as Sensitive data.
III. High Risk
Data is classified as high risk when the loss of confidentiality, integrity, or availability of data could result in a significant operational, financial, legal, or reputational impact to the organization. This includes:
- Restricted Data – Data limited to a highly defined small set of users.
B. Data Reclassification
Data stewards shall periodically reevaluate the classification of data to ensure the assigned classification is still appropriate based on changes to legal and contractual obligations, as well as changes in the use of the data or its value to the institution. These evaluations shall be conducted by the appropriate data steward. Evaluations on an annual basis are encouraged; however, the data steward should determine what frequency is most appropriate.
C. Classification Documentation
Data stewards shall maintain documentation of data classifications for data they are responsible for overseeing.
7. Related Documents
SYS 1031 Guidance: Data Classification Examples
8. Policy History
Revision 6: March 4, 2024
Revision 5: December 1, 2023
Revision 4: November 13, 2020
Revision 3: December 9, 2019
Revision 2: January 9, 2019
Revision 1: July 31, 2017
First approved: September 14, 2016
9. Scheduled Review
December 2028