Question
What are the data classification categories used at the University of South Dakota?
Answer
What is data classification?
Data classification is the process of separating and organizing data into relevant groups (“classes”) based on their shared characteristics, such as their level of sensitivity, the risks they present, and the compliance regulations that protect them. To be protected, sensitive data must be located, classified according to its level of sensitivity, and accurately tagged. Then, enterprises must handle each group of data in ways that ensure only authorized people can gain access, both internally and externally, and that the data is always handled in full compliance with all relevant regulations.
There are endless ways to classify data, but the University of South Dakota categorizes data using variations of a four-level data classification schema — public, private, confidential, and restricted.
- Public — Information that is freely available and accessible to the public without any restrictions or adverse consequences. This is often referred to as directory data.
- Internal — Data with low security requirements, but not meant for public disclosure, such as student or client communications and organizational charts. Unauthorized disclosure of such information can lead to short-term embarrassment and loss of competitive advantage.
- Restricted — Highly sensitive university data that, if compromised, could put the organization at financial, legal, regulatory, and reputational risk. Examples include customers’ academic, Personal Identifying Information (PII), Personal Health Information (PHI), banking, credit card or financial information.