Policy
On December 1, 2023, President Rothman approved an update to this policy. The updated policy will become effective on December 1, 2024. Please review the revised policy SYS 1031, Information Security: Data Classification and the newly approved SYS 1031 Guidance: Data Classification Examples to prepare prior to the effective date.
The related procedures SYS 1031.A, Information Security: Data Classification and SYS 1031.B, Information Security: Data Protections were approved for rescission, which will also be effective on December 1, 2024. See the
.Original Issuance Date: September 14, 2016
Last Revision Date: November 13, 2020
1. Policy Purpose
The purpose of this policy is to establish a method of categorizing data assets based on risk to the University of Wisconsin (UW) System and to establish specific minimum standards for data handling across the UW System. This policy also ensures that the UW System manages data in a consistent and appropriate manner.
2. Responsible UW System Officer
Associate Vice President for Information Security
3. Scope
This policy applies to all University of Wisconsin System data. To the extent possible, the elements of section 6 of this policy should be incorporated into contracts with third party providers.
4. Background
The President of the University of Wisconsin System is empowered to establish information security polices under Regent Policy Document 25-5, Information Security: Information Technology. The UW System is committed to a secure information technology (IT) environment in support of its mission. In order to establish the safeguards required for particular types of data, it is necessary to determine the level of risk associated with the data. Data classification assigns such levels and determines the extent to which technical, administrative, and physical controls should be applied to protect the data from theft, alteration, loss of integrity, and/or misuse. Proper data security handling must be implemented commensurate with the sensitivity of the data and the risk to the UW System. This policy also seeks to ensure strong and consistent data handling standards throughout the UW System. This ensures appropriate protection from threats to the confidentiality, integrity, and availability of the UW System’s data.
5. Definitions
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:
- Data Steward
6. Policy Statement
A. Data Classification
Data may be classified as:
i. High Risk: The loss of confidentiality, integrity or availability of data that could result in a significant or catastrophic impact to individuals, mission, assets, or operations of UW System.
ii. Moderate Risk: The loss of confidentiality, integrity or availability of data that could result in a serious impact to individuals, mission, assets, or operations of UW System.
iii. Low Risk: The loss of confidentiality, integrity, or availability of data that could result in minimal impact to individuals, mission, assets, or on the operations of UW System.
The Data Steward(s) of each institution shall evaluate and classify data for which he, or she, is responsible for according to the definitions in this policy and the standards specified in UW System Administrative Procedure 1031.A, Information Security: Data Classification Standard. A Data Steward may classify specific data elements at a higher level than identified in the procedure. A Data Steward may not reclassify to a lower level any data that is specifically classified in the procedure.
B. Data Protection
All information shall be kept in a manner consistent with appropriate controls, and standards commensurate with its data classification and the protections outlined in UW System Administrative Procedure 1031.B, Information Security: Data Protection Standard.
Information shall also be maintained according to appropriate UW System record retention policies, applicable state and federal laws and regulations.
Family Educational Rights and Privacy Act (FERPA) data may contain elements from multiple classifications (i.e. data sets). The composition of these data sets may result in either a high or moderate risk data classification. In these cases, protections prescribed by federal law will take precedence.
7. Related Documents
Regent Policy Document 25-5, Information Technology: Information Security
UW System Administrative Policy 1030, Information Security: Authentication
UW System Administrative Policy 1030.A, Information Security: Authentication Standard
UW System Administrative Policy 1031.A, Information Security: Data Classification Standard
UW System Administrative Policy 1031.B, Information Security: Data Protection Standard
UW System Information Security Program
8. Policy History
Revision 4: November 13, 2020
Revision 3: December 9, 2019
Revision 2: January 9, 2019
Revision 1: July 31, 2017
First approved: September 14, 2016
9. Scheduled Review
June 2022