UNC Asheville recognizes that data are among the most valuable assets owned by the institution and is taking steps to help identify and protect those assets through a classification system which incorporates the legal, academic, financial and operational requirements of data usage. Fundamental to data classification is a scheme for assessing the risk level of loss or theft of data and the data's criticality to performing the work of the institution.
Data which has legal protection and data which has implications of risk for the University are placed into categories that define the level of internal controls necessary to protect that data against compromise and inappropriate use. FIPS-199, a standard adopted by the Federal Government to address data classification, is based on security objectives and potential impacts.
The following table illustrates the nine-box FIPS-199 matrix and classification currently being implemented at UNC Asheville.
| | Restricted Data | Sensitive Data | Public Data |
|---|---|---|---|
| Requirements | Required by law (e.g. FERPA, HIPAA, others) | Contractual obligation to protect the data | This data is at the discretion of the owner or data custodian |
| Reputation Risk | High | Medium | Low |
| Institutional Risk | Provides access to resources (data and physical) | Subsets of protected data at the departmental level | General university information |
| Access | TBD by UNC Asheville | TBD by UNC Asheville | TBD by UNC Asheville |
| Example | | | |