˿����Ƶ

Data classification at the University of Missouri is the categorization of data according to its importance, sensitivity and potential for misuse. 

We use data classification to help select appropriate security controls for storing, processing, transferring and sharing data.  

˿����Ƶ has created a classification system that divides data into four levels: 

• Data Classification Level 1: Public 
• Data Classification Level 2: Sensitive (Internal) 
• Data Classification Level 3: Restricted 
• Data Classification Level 4: Highly Restricted 

Information security and IT compliance will assist in determining the appropriate classification for your data. They also review tools and services to help protect the confidentiality, integrity and availability of our information assets. 

Data Classification Level 1: Public 

Information intended and released for public use. ˿����Ƶ intentionally provides this information to the public. 

Examples: 

• Published research 
• Course catalogs 
• Published faculty and staff information 
• Job postings 
• Name, employment dates, job title and work address/phone/email 
• Student directory information* 
• Basic emergency response plans 
• University-wide policies 
• Publications 
• Press releases 
• Published marketing materials 
• Regulatory and legal filings 
• Published annual reports 
• Code contributed to Open Source 
• Released patents 
• Plans of public spaces 

*Directory information about students who have requested FERPA blocks must be classified and handled as DCL3. 

Data Classification Level 2: Sensitive (Internal) 

Information that is intended to only be shared within the UM System community. Sensitive data or information that is not openly shared with the public but is not specifically required to be protected by statute, regulation or policy. Unauthorized disclosure of this information could adversely impact the University, individuals or affiliates.  

Examples: 

• Budget and salary information 
• Employee ID 
• Cell phone numbers 
• Departmental policies and procedures 
• Internal memos 
• Incomplete or unpublished research 
• Faculty degrees and certificates 
• Employee web/intranet portals 
• UM training materials 
• Pre-release articles 
• Drafts of research papers 
• Work papers 
• Patent applications 
• Grant applications 
• Non-public building plans or layouts 
• Non-confidential administrative survey data 
• De-identified Research Data (Non-clinical) 

Data Classification Level 3: Restricted 

Confidential business or personal information, intended only for those with a “business need to know.” There are often general statutory, regulatory or contractual requirements that require protection of the data. It is intended for a very specific use and should not be disclosed except to those who have explicit authorization to review such data.  

Unauthorized disclosure of this information could have a serious adverse impact on the University, individuals or affiliates. 

Examples: 

• Non-directory student information 
• Personally identifiable information (PII) such as name, birthdate, address, phone number, email, etc., where the information is held in combination and could lead to identity theft or other misuse 
• Certain research (e.g. proprietary or otherwise protected) 
• Performance records 
• Gender 
• Ethnicity 
• Race 
• Citizenship 
• Visa/immigration status 
• Disability 
• ADA accommodations 
• Non-published faculty and staff information 
• Personnel records* 
• Donor information 
• Non-public legal work and litigation information 
• Budget /financial transactions information 
• Non-public financial statements 
• Information specified as confidential by vendor contracts and NDAs 
• Information specified as confidential by Data Use Agreements 
• General security findings or reports 
• Most UM source code 
• Non-security technical specifications/architecture schema 
• Library/museum object valuations 
• IRB records 
• Sensitive administrative survey data 
• Course feedback, especially if free text response is permitted 
• De-identified health or medical information 
• De-identified Clinical Research Data 
• Partial Social Security Number (Last four digits) 

*Employees have the right to discuss terms and conditions of their own employment, including salary and benefits, with each other or with third parties. 

Data Classification Level 4: Highly Restricted 

High-risk information that requires strict controls. There are often governing statutes, regulations or standards with specific provisions that dictate how this type of data must be protected. It is intended for a very limited use and must not be disclosed except to those who have explicit authorization to view or use the data. Unauthorized disclosure of this information could have a serious adverse impact on the University, individuals or affiliates. 

Examples: 

• Passwords and PINs 
• System credentials 
• Private encryption keys 
• Government issued identifiers 
• Passport number or picture 
• Driver’s license information or picture 
• Full Social Security Numbers (SSNs) 
• Individually identifiable financial account information (e.g. bank account, credit or debit card numbers) 
• Individually identifiable health or medical information 
• Individually identifiable research data 
• Details of significant security exposures (e.g. vulnerability assessment and penetration test results) 
• Security system procedures and architectures 
• Trade secrets 
• Systems managing critical Operational Technology 
• Biometric Data 
• E-Commerce 
• Export Controlled Data 
• National Security Interest (NSI) 
• Protected Health Information (PHI) 
• Controlled Unclassified Information (CUI) 

What does the Device DCS cover? 

Laptops, desktops, tablets, smartphones, flash drives and other portable storage drives used for work purposes regardless of ownership. 

What do I need to do to comply? 

1. Determine which data classification level applies to the data on your device(s). See the DCL cheat sheet below or the UM DCS definitions above. 
2. Inform your IT support staff of the DCS level that aligns with your device(s). 
3. Your IT professional is responsible for ensuring your device(s) is deployed, configured and managed in accordance with the Device DCS. 
4. You are responsible for the following: 
   1. Keep portable devices physically secure. 
   2. Lock your screen/device when not in use. 
   3. When connecting to your campus network or campus resources, use VPN or other secure remote access services as deemed appropriate by your campus IT department. 
   4. Do not share your password with anyone and do not use your University password on non-University websites or other accounts. 
   5. Make sure your device is disposed of properly. For University-owned devices, give your aged device to your IT support staff. For personal devices, make sure they are wiped before disposal. 
   6. Do not disable the firewall or antivirus. 
   7. Use mapped network drives or collaboration applications provided by your campus to store work files rather than storing files exclusively on your workstation (protects against device failure). 
   8. Do not join unsecure wireless networks when working or, if you must use such networks, use VPN or other secure remote access services. 
   9. Report the loss or theft of a device, regardless of ownership, to your campus police department, your IT support person and to your campus Information Security Office. 

Additional steps you can take to secure devices both at work and at home: 

• Do not make online purchases or other financial transactions over a publicly available wireless network. 
• Do not use a flash drive if you don't know where it came from (it could hold a virus). 
• For personal devices, keep the operating system and applications current. 
• Encrypt personal devices, including flash drives, that hold DCL4 data. If you own a device that can't be encrypted, you should not store DCL4 data on it. 
• Do not download suspicious or obscure applications onto your computer and never click on links in emails. 
• Use common sense and best practices when traveling, especially when traveling overseas. 

If your University-issued computer is not managed by an IT professional or if it uses a non-standard operating system such as Linux, consult with your campus IT division and/or with your campus Information Security Officer. 

The creator/manager (e.g., data custodian) of information and data has the latitude to classify data at a level higher than the definitions below. However, data/information cannot be classified at a lower level than the definitions below unless approved by your Information Security Officer.