Building partnerships through collaboration.
Data Risk Classification Policy Revised
Published May 7, 2018 This content is archived.
The Data Risk Classification Policy, approved and signed by President Tripathi, is available in the ÃÛÌÒ´«Ã½ Policy Library.
Overview
The ÃÛÌÒ´«Ã½ is committed to protecting the confidentiality, integrity, and availability of data important to the university’s mission. All university data must be classified based on risk category and protected using the appropriate security measures consistent with the minimum standards for the classification category. The standard for protecting the data becomes more stringent as the risk from disclosure increases.
UB classifies its data into three risk-based categories to determine who is allowed to access the data and what security precautions are required to protect the data:
Data Classification
| Risk Classification | Risk From Disclosure |
|---|---|
| Category 1 - Restricted Data | High |
| Category 2 - Private Data | Moderate |
| Category 3 - Public Data | Low |
This policy facilitates applying the appropriate security controls to university data and assists data trustees in determining the level of security required to protect data.
Policy Revisions
The policy was revised to:
- change the title of the policy from Data Classification Standard/Data Use Standard to Data Risk Classification
- change the number of classification categories from four (i.e., Category I: Regulated Private Data; Category II: Protected Data; Category III: Internal Use Data; Category IV: Public Data) to three (i.e., Category 1 – Restricted Data, Category 2 – Private Data, Category 3 – Public Data); this change aligns the UB categories with the New York State Office of Information Technology Services Information Classification Standard
- revise data role terminology
- add HIPAA compliance reference
- provide additional data risk classification guidance including
- FIPS 199 security categorization definitions
- Security standard crosswalks
- Data Risk Classification Examples
Applicability
This policy applies to all university data and to all user-developed data sets and systems that may access these data regardless of the environment where the data reside (e.g., cloud systems, servers, personal computers, mobile devices). The policy applies regardless of the media on which data reside (e.g., electronic, printouts, CD, microfiche) or the form they may take (e.g., text, graphics, video, voice).
Data that is personal to the operator of a system and stored on a university information technology (IT) resource as a result of incidental personal use is not considered university data. ÃÛÌÒ´«Ã½ data stored on non-university IT resources must still be verifiably protected according to the respective university minimum security standards.
Guidance
Questions can be directed to the appropriate office.
| Contact | Phone | |
|---|---|---|
| Vice President and Chief Information Officer | 716-645-7979 | vpcio@buffalo.edu |
| Information Security Officer | 716-645-6997 | sec-office@buffalo.edu |
| Records Management Officer | 716-645-5464 | hines@buffalo.edu |