Explainer: Data Classification and Encryption Rule (4-004C)
The University of Utah’s Data Classification and Encryption Rule (4-004C) supports Information Security Policy (4-004). The U’s IT security policy, rules, and guidelines aim to protect the university’s IT resources, systems, and data, including that of students, patients, faculty, staff, guests, vendors, and more.
What does it say?
Rule 4-004C outlines how to protect the U’s data through classification, encryption, and retention.
Data classification: All university-owned and -managed data is classified according to its level of sensitivity, as determined by the U’s data stewards and by the many legal and regulatory standards that apply. The three classifications are restricted, sensitive, and public data.
The data classification model and subsequent sections outline the legal requirements, access guidelines, and types of information associated with each data set. At the U, for example:
- Restricted data includes personally identifiable information (PII), protected health information (PHI), payment card industry (PCI) data, and donor and financial information.
- Sensitive data includes but is not limited to intellectual property, contracts, and employee and student information.
- Public data includes but is not limited to university history, contact information in the Campus Directory, and maps.
Data encryption: This section outlines the encryption requirements of each data type depending on whether it’s at rest (stored) or in motion (transmitted, i.e., sending and receiving).
- Restricted data must be encrypted when transmitted outside the university. Restricted data stored on mobile devices must also be encrypted. Although not required, the U strongly recommends encrypting restricted data when sharing it within the university.
- The U strongly recommends that sensitive data be encrypted when stored or transmitted. Some sensitive data (e.g., student data protected by the Family Educational Rights and Privacy Act [FERPA]) may require encryption, as determined by its data steward.
- The U encourages the encryption of public data when stored or transmitted.
Data retention: This section outlines the Information Security Office’s responsibility to document and retain information about its information security program.
Why should I care?
The U’s data classification and encryption rule helps to protect confidential information, including university, student, patient, faculty, staff, guest, research, and vendor data.
All of us handle data — our own or otherwise — so it’s important to know how to best protect that information.
If a cybercriminal gains access to confidential data, they can use that to access the university’s IT systems and resources, compromise your university and personal accounts, steal your identity, or attack others you know. Data breaches can also harm the U’s finances and reputation.
Who does it apply to?
The rule applies to all university students, faculty, staff, patients, and business partners.
Up next in the November-December Node 4 newsletter — Rule 4-004D: Access Management
Node 4
Our monthly newsletter includes news from UIT and other campus/ University of Utah Health IT organizations, features about UIT employees, IT governance news, and various announcements and updates.