Information Asset Classification & Management

Directive Number: 
IV.06.02
Justification for Policy: 

This policy provides the University of Oregon’s approach for classifying data and information systems (“information assets”) according to their potential level of risk to the University. The policy and associated procedures also assign roles and responsibilities for protecting information assets and detail how such assets must be protected based on their classifications.

Entities Affected by this Policy: 

All users of University of Oregon information

Responsible Office: 

For questions about this policy, please contact the Chief Information Security Officer at 541-346-5837 or [email protected].

Enactment & Revision History: 

02 June 2019 - Amendments approved by the university president

25 April 2016 - Enacted as a permanent policy by the university president

15 December 2015 - Extended by the university president

25 June 2015 - Enacted as an emergency policy by the interim university president

This policy supersedes Fiscal Policy Manual 56.350.200-230 and UO Policy 10.00.01

Policy: 

Summary

The purpose of this policy is to outline the acceptable approaches for classifying university information assets into risk levels to facilitate determination of access authorization and appropriate security controls. The requirement to safeguard information assets must be balanced with the need to support the pursuit of university objectives. The value of data as an institutional resource increases through its widespread and appropriate use; its value diminishes through misuse, misinterpretation, or unnecessary restrictions on its access.

Definitions

 

Data Availability refers to methods for ensuring that required data is always accessible when needed, in accordance with University retention policy.

Data Confidentiality refers to methods for ensuring that access to sensitive data is limited to authorized individuals.

Data Integrity refers to methods for ensuring that data is complete, accurate, consistent, and safeguarded from unauthorized modification.

University Information refers to data owned by or in the custody of the University.

Roles and Responsibilities

Chief Information Security Officer
The Chief Information Security Officer develops policies and procedures to secure University information assets and comply with state, federal, and international laws and regulations applicable to the University of Oregon.

 

Data Trustee
The Data Trustee for all University Data is the Provost or their designees who have planning, policy-level, and management responsibility for data within their designated functional area(s). Data Trustees’ responsibilities include:

  • Assigning and overseeing Data Stewards.
  • Overseeing the establishment of UO information asset policies.
  • Determining statutory, regulatory, and other University requirements for UO information assets.
  • Promoting data quality and appropriate use.

Data Stewards
Data Stewards are University officials who have operational-level responsibility for the management of one or more types of data. Data Stewards must be authorized by the appropriate Data Trustee and are typically associate deans, associate vice presidents, directors or above, or research principal investigators within the scope of work of a research project. Data Stewards’ responsibilities include:

  • Assigning and overseeing Data Custodians.
  • Applying this and related policies and procedures to the systems, data, and other information resources under their care or control.
  • Assigning data classification levels in accordance with this policy and associated procedures.
  • Cooperating with the CISO in identifying and implementing the appropriate administrative and technical safeguards outlined in the UO Minimum Information Security Controls Standard for protecting information assets (see Related Resources, below).
  • Communicating and providing education on the required safeguards for data to authorized users and Data Custodians.
  • Authorizing access, both logical and physical, only to authorized individuals who have a business need, as defined by law and university policies, to access specific data or other information assets.
  • Authorizing remote access to information assets only to authorized individuals who have a business need, as defined by law and university policies, to access them through a secured system approved by the Chief Information Security Officer.

In cases where several Data Stewards collect and maintain the same data elements, the Data Stewards must work together, in collaboration with the CISO, to apply the UO Minimum Information Security Controls.

 

Data Custodians
Data Custodians are university personnel or designated third-party agents responsible for the operation and management of information systems which collect, manage, process, or provide access to University Data. Data Custodians must be authorized by the appropriate Data Stewards following procedures outlined in the UO Minimum Information Security Controls Standard (see Related Resources, below). Data Custodians’ responsibilities include:

  • Applying the UO Minimum Information Security Controls appropriate to the classification level of the data and other information assets in their custody.
  • Complying with applicable University acceptable use and information security policies, standards, and procedures.
  • Managing Data Consumer access as authorized by the appropriate Data Stewards.
  • Following data handling and protection policies and procedures established by Data Stewards and the CISO.

Data Consumers
Data Consumers are the individual University community members or third-party agents who have been granted access to University Data (wherever it is stored) in order to perform assigned duties or in fulfillment of assigned roles or functions for the University. This access is granted solely for legitimate University purposes. Data Consumers’ responsibilities include:

  • Following the policies and procedures established by the appropriate Data Stewards, Data Custodians, and the CISO.
  • Complying with University policies and federal, international, and state laws and regulations associated with University Data and information system use.
  • Implementing safeguards for protecting data as prescribed by the appropriate Data Stewards and the CISO.
  • Reporting any unauthorized access or data misuse to the Information Security Office, or to the appropriate Data Trustee, Steward, or Custodian, for remediation.

A current list of UO Data Trustees, Data Stewards, and Data Custodians is available in the UO Data Security Classification Table found below in Related Resources.

Data Classification
Data Stewards should classify all University data, digital or print, into risk levels to provide the basis for understanding and applying the appropriate level of security controls. These classification levels consider state and federal legal protections, contractual agreements, ethical considerations, and strategic or proprietary value. Data can also be classified as a result of the application of “prudent stewardship,” where the reason to protect the data is to reduce the possibility of harm to individuals or to the institution.

Data Classification Levels

The classification level assigned to data will guide Data Trustees, Data Stewards, Data Custodians, functional and technical project teams, and any others who may create, obtain, process, transmit, or store data, in the security protections and access authorization mechanisms appropriate for that data. Data Stewards must classify University Data as one of the following risk levels:

 

  • Low Risk (or Green)
    Data is classified as Low Risk if the loss of confidentiality, integrity, or availability of the data would have minimal strategic, compliance, operational, financial, or reputational risk for the University. The integrity of Low Risk data is of primary importance and must be protected. The appropriate Data Trustee or Steward must authorize release of Low Risk data. Refer to the UO Data Security Classification Table (see Related Resources, below) for examples of Low Risk data.
  • Moderate Risk (or Amber)
    Data is classified as Moderate Risk if the loss of confidentiality, integrity, or availability of the data would have moderate strategic, compliance, operational, financial, or reputational risk to the University. Integrity and availability of Moderate Risk data are of primary importance and must be protected; privacy and confidentiality should be protected as appropriate. Access to Moderate Risk data should be authorized by the Data Trustee or Steward who is responsible for the data, as needed. Data access authorization may be provided to individuals as part of their job roles or responsibilities. Refer to the Data Security Classification Table (see Related Resources, below) for examples of Moderate Risk data.
  • High Risk (or Red)
    Data is classified as High Risk (the most sensitive/critical classification) if the loss of confidentiality, integrity, or availability of the data would have high strategic, compliance, operational, financial, or reputational risk to the University. Privacy, confidentiality, integrity, and availability are important and must be protected. Access to High Risk data must be controlled from creation to destruction, and shall be granted only to those persons affiliated with the University who require such access in order to perform their job, or to those individuals permitted by state or federal law. The confidentiality of the data is of primary importance, although the integrity of the data must also be ensured. Access to High Risk data must be requested from, and authorized by, the Data Trustee or Steward who is responsible for the data.

High Risk data includes information protected by law. Note: some data that is not regulated may be classified as High Risk by the Data Trustees or Stewards due to proprietary, ethical, or confidentiality considerations. Refer to the Data Security Classification Table (see Related Resources, below) for examples of High Risk data.

 

Classification of Information Systems and Technology Components

Information systems and technology components, including computing and storage devices, mobile devices, network components, and applications, adopt the highest classification of the data that they process, store, or transmit. For example, a system that processes, stores, or transmits High Risk data is classified as a High Risk system, whereas a system that processes Moderate Risk data as its highest data classification level is classified as a Moderate Risk system.

 

In addition to data-specific risks, information system components may also affect the safety of the UO community, through interference with operational technology (OT) such as building and industrial automated control systems and supervisory control and data acquisition (SCADA) systems. An information system component is also classified as High, Moderate, or Low Risk if unauthorized access or modification or the loss of availability would have a high, moderate, or low safety risk, respectively, to the UO community.

 

Data Security Requirements for the Classification Levels
The Chief Information Security Officer shall create and maintain security requirements for the various types of data in use across the University. These requirements are outlined within the UO Minimum Information Security Controls Standard. In addition, the CISO will create and maintain additional guidelines and procedures for appropriate handling of data, including the Minimum Technical Approach for Handling Physical University Data (see Related Resources, below).

 

Chapter/Volume: 
  • Volume IV: Finance, Administration and Infrastructure
  • Chapter 6: Information Technology
Original Source: 
UO Policy Statement