Information Resource Data and System Classification Standard
This standard leverages existing University of Alaska Data Classification, extends it to systems and adds the dimensions for availability and criticality. This classification and labeling of systems will be used to better communicate a systems role within the University’s IT environment, the appropriate safeguards that apply to a system and inform disaster recovery and business continuity planning decisions.
This classification is applicable to a wide variety of information resources that are part of the University of Alaska’s (UA) information technology (IT) environment. A system may be any IT resource to which the security safeguards may be applied. Examples of systems include, but are not limited to:
- Desktop, laptop, or server computers running general purpose or specialized operating systems such as Windows, Mac OS, and Unix
- Network server applications, such as an FTPserver application
- Web applications, such as a wiki
- Network attached appliances that provide IT services
- Hosted services operated by partners in support of UA
All of the above systems may perform their own authentication and authorization, logging and auditing, and have their own configurations that must be managed. Each of them is considered a compliance object to be protected.
Follow these steps to determine a system's classification:
- Determine the Data Classification of the data stored on the system.
- Determine the Availability Requirements of that system, including whether it is a server, or personal workstation.
- Select the appropriate Classification from the System Criticality Categories table.
A system manager may choose to classify a system as higher criticality than that indicated by the table. However, if they choose to do so, the system must meet the security measures for that higher level. Systems hosting data or services at multiple classification levels will be assigned the highest classification level in the data, availability and criticality areas and must meet the security measures for that higher level.
The authoritative source of information on data classification at UA is University of Regulation 02.07.090-094. It outlines three levels of data classification related to the impact of an unauthorized disclosure of the data. The data types are listed below along with the descriptions and examples; however the policy document linked to above is the authoritative source of information on data classification.
|Data Classification||Institutional Risk from Disclosure||Description||Examples|
|Restricted||High||Data whose unauthorized access or loss would seriously or adversely affect UA, students, employees, a partner, or the public.||
||Medium||Data not restricted by law, regulation or formal agreement but that should be protected from general access.||
|Public||Low/None||All public data||
Special Data Types
Some data comes with specific and externally mandated controls that must be applied for its protection.
- Credit Card numbers are subject to specific industry standards and thus may need to be handled differently in some situations.
- Other data covered by export controls are subject to additional rules on distribution, in particular sharing with nonU.S. persons.
- Personal Health Information (PHI) data can be subject to HIPAA protection requirements and HITECH Act enforcement.
The system classification framework draws a distinction between systems storing data directly, systems with privileged access to data but do not store it directly, and systems that make general use of data, as follows:
- "Storing" data indicates that the data is available through normal file system access methods. For example, data residing in NFS mounts or Windows mapped drives (e.g., an X: drive) is considered to be stored on any client systems which actively mount the shares, as well as the system which physically houses the disks. However, data residing in a database is considered to be stored only on the database server itself since no file system access methods allow clients to obtain direct access to the data.
- "Privileged access" exists when there is a nonfile system method of accessing data that is stored on another system. For example, a web server that connects to a separate backend database server has privileged access to data stored on that system. Similarly, the workstation of a system administrator who commonly logs into both servers with administrator credentials has privileged access to both systems.
- "General use" includes access or processing of data by enduser workstations, using a nonprivileged account.
There are three availability classifications representing the impact to the University if a given system were unable to perform tasks it is responsible for.
|Availability Classification||Institutional Risk from Disclosure||Description||Examples|
|High Availability||High||Loss of access to the system would have a significant impact on UA, students, employees, a partner, or the public.||
|Medium Availability||Medium||Loss of access to the system could have a significant impact on a large number of users or multiple business units.||
|Standard Availability||Low||Loss of access to the system could have a significant impact on an individual user or unit.||
- Servers are characterized by the presence of network accessible services and are typically accessed simultaneously by many remote users concurrently via the network services they provide.
- Individual workstations, laptops or devices typically do not have network accessible services, and are typically accessed by a single user at a time.
System Criticality Categories
System Criticality is determined according to the following table. When more than one category applies, the system should be classified in the highest applicable category.
|System Classification||Classification Guidelines||Examples|
Servers that store Restricted data
OR servers that host High Availability applications
Servers that store Internal Use data
OR servers that have privileged access to systems that store Restricted data
OR servers that host Medium Availability applications
Servers that store only Public data
OR servers that have privileged access to systems that store Internal Use data
OR servers that host Standard Availability applications
OR individual workstations, laptops or devices
For questions or comments email email@example.com.
Effective date: January 1, 2014