Data Classification

UNC Asheville recognizes that data are among the most valuable assets owned by the institution and is taking steps to help identify and protect those assets through a classification system which incorporates the legal, academic, financial and operational requirements of data usage. Fundamental to data classification is a scheme for assessing the risk level of loss or theft of data and the data's criticality in performing the work of the institution.

Data which has legal protection and data which has implications of risk for the University are placed into categories that define the level of internal controls necessary to protect that data against compromise and inappropriate use. FIPS-199 was a standard adopted by the Federal Government to address data classification and is based on security objectives and potential impacts.

The following table illustrates the nine-box FIPS-199 matrix and classification currently being implemented at UNC Asheville.

 

| | Restricted Data | Sensitive Data | Public Data |
|---|---|---|---|
| Requirements | Required by law (e.g. FERPA, HIPAA, others) | Contractual obligation to protect the data | This data is at the discretion of the owner or data custodian |
| Reputation Risk | High | Medium | Low |
| Institutional Risk | Provides access to resources (data and physical) | Subsets of protected data at the departmental level | General university information |
| Access | TBD by UNC Asheville | TBD by UNC Asheville | TBD by UNC Asheville |

Example
  • Credit Card No.
  • SSN
  • Bank Account Numbers
  • Driver’s License Numbers
  • Physical Plant Plans
  • Medical
  • Student
  • Employment
  • Library transactions
  • Research details
  • Financial transactions
  • Telephone bills
  • Information covered by non-disclosure agreements
  • Campus Maps
  • Business contact data
  • E-mail