The data classification levels (DCL) and associated requirements are key to the entire data classification system (DCS). All data (regardless of format) must be classified in order to determine what security measures are necessary to adequately protect the University's information assets. In this section you will find the DCL definitions and examples of each along with other definitions that may be helpful in understanding the DCS. Also, for quick reference, please view the DCL in a Nut Shell chart.
NOTE: Grant/Contract-controlled data must be protected according to specific requirements set out in the governing grant or contract (which includes, but is not limited to, non-disclosure agreements, confidentiality agreements, data use agreements, etc.) The requirements are not likely to correspond exactly with any of the University's data classification levels, however. In these cases, all requirements specified in the grant/contract must be met first. The data should be classified at the level that most closely corresponds to the specified requirements and, if there are additional protections required by that data classification level, those protections must be applied as well.
DCL1--Public
Public data is purposefully made available to the public by the data steward or some other valid authority and may be freely disseminated without potential harm to the University or its affiliates.
Examples:
Advertising, product and service information, directory listings, published research, presentations or papers, job postings, press releases, instructions, training manuals.
DCL2--Sensitive
Sensitive data includes information that is not openly shared with the general public but is not specifically required to be protected by statute, regulation or by department, division or University policy. It is intended for use by a designated workgroup, department or group of individuals within the University. Unauthorized disclosure of this information could adversely impact the University, individuals or affiliates.
Note: While some forms of sensitive data can be made available to the public, it is not freely disseminated without appropriate authorization. For example, salaries of University employees are public information and can be requested under Missouri's Sunshine Law but they are not disclosed to the public by University employees without a specific and legitimate request or purpose.
Examples:
Budget and salary information, employee ID, personal pager or cell phone numbers, departmental policies and procedures, internal memos, incomplete or unpublished research.
DCL3--Restricted
Restricted data is highly confidential business or personal information. There are often general statutory, regulatory or contractual requirements that require protection of the data. It is intended for a very specific use and should not be disclosed except to those who have explicit authorization to review such data. Unauthorized disclosure of this information could have a serious adverse impact on the University, individuals or affiliates.
Consultations with central IT departments will almost always be necessary in order to establish adequate security controls for this type of data.
Regulations and laws that affect data in DCL3 include, but are not limited to, the Family Educational Rights & Privacy Act (FERPA).
Examples:
Student data that is not designated directory information; other personally identifiable information (PII) such as name, birthdate, address, etc. where the information is held in combination and could lead to identity theft or other misuse; certain research (e.g. proprietary or otherwise protected).
DCL4--Highly Restricted
Highly restricted data is business or personal information that is required to be strictly protected. There are often governing statutes, regulations or standards with specific provisions that dictate how this type of data must be protected. It is intended for a very limited use and must not be disclosed except to those who have explicit authorization to view or use the data. Unauthorized disclosure of this information could have a serious adverse impact on the University, individuals or affiliates.
Consultations with central IT departments are required in order to ensure that adequate security controls are in place. Additional approvals from other University authorities may also be required.
Regulations, laws and standards that affect data in DCL4 include, but are not limited to, the Arms Export Control Act (Title 22, U.S.C., Sec 2751, et seq.), the Export Administration Regulations (15 CFR 730 et seq.), the Health Insurance Portability & Accountability Act (HIPAA),Payment Card Industry (PCI) standards, and the Graham-Leach-Bliley Act (GLBA).
Examples:
Biometric Data
Biometric data is distinct and measurable physiological or behavioral characteristics used as a means of identifying an individual for purposes of access control. Disclosure to unauthorized individuals may result in unauthorized access to University systems and data.
E-Commerce
Electronic commerce data (including credit card numbers) is subject to rigorous security requirements dictated by the PCI. All e-commerce applications have to first be approved by the UM Treasurer's Office and can only be implemented in conjunction with the central IT office at each University business unit. The necessary security measures will be determined at the time of implementation.
Export Controlled Data
Information or technology deemed to be sensitive to national security or economic interests and subject to federal export control regulations as promulgated by the U.S. Departments of State and Commerce. Export controlled data may be subject to restrictions that exceed the requirements for DCS Level 4 data.
National Security Interest (NSI)
NSI data has been classified by a third party as having the potential to impact national security. Individuals managing or accessing NSI data must comply with all DCS Level 4 requirements, National Security Decision Directives, any other applicable Federal Government directives and all information security procedures specified by the source agency.
Protected Health Information (PHI)
PHI is subject to security requirements dictated by HIPAA. Depending on the situation, additional approval to collect, store and/or use PHI may be required from the appropriate Information Security Officer (ISO), Privacy Officer or Institutional Review Board (IRB).
Social Security Numbers (SSNs)
The Social Security Administration issues a unique nine digit number to each U.S. citizen (and to some non-citizens as well) to track Social Security benefits and income for tax purposes. Other organizations such as banks and hospitals also use SSNs as an identification number. University departments must demonstrate a legitimate need and to collect, transmit or use SSNs.
Controlled Unclassified Information (CUI)
Other Definitions
Administrator or Administrative Access: An individual or group of individuals with server or database administration rights on a given system or systems.
Application: A browser-based or other proprietary application used to allow one or more end-users to read, access, modify, input or retrieve data, from a server-based system.
Application Administrator: An individual with privileges to manage, maintain, modify or update an application hosted on a system or server.
Database Administrator: An individual responsible for understanding the platform on which the database runs, planning and coordinating security measures with network administrators, administering database management system software (including, but not limited to, managing user accounts), testing and coordinating modifications to the system, troubleshooting problems and ensuring the proper overall performance of the system.
Data Custodian: The IT support person(s) responsible for maintaining systems/servers and protecting specific sets of data.
Data Steward: The individual responsible for the creation or management of the data itself and who has overall responsibility for authorizing access and use of the data and who has significant responsibility for data protection. This role is usually assigned to a non-IT person.
End-User: An individual accessing or utilizing an application or system as a user only, not as an administrator or privileged user of the system.
FERPA: The Family Educational Rights & Privacy Act
GLBA: The Graham Leach Bliley Act
HIPAA: The Health Insurance Portability and Accountability Act
Inbound Internet Access: A server or workstation that is generally accessible by any Internet user or site.
Named Administrator Account: A named account is an IT specific account that provides privileged access to systems and other IT resources that in some way represents the name of the individual using the account.
Mobile Device: A computing device such as a smart phone or tablet that is designed for portability.
Portable Storage Device: Any device such as a USB drive that allows data storage and is easily portable.
Privileged User: A user of a system who has higher system access privileges than an end-user but who is not an administrator of the system, the database or of the application. Typically these users are those who update content, correct database errors, transmit data to and from systems, or run reports.
Principle of Least Privilege: The process of establishing differentiated levels of system access that allow end-users or privileged users access to only the system resources they need to perform their jobs or tasks, no more and no less.
Qualified IT Professional: An individual, qualified by virtue of training and/or experience, working for the University, by employment or contract, in an information technology-related title appropriate for the work being performed.
Remote Access: Access to an information system residing on the University's network when away from the university's network.
Remote Administration: System, database or application administration activities when the "administrator" is away from the affected system, whether on the University's network or not.
Strong Encryption: A level of encryption that is dependent, to some extent, on encryption standards that exist at any given time. Consult the ISO at each business unit for current strong encryption standards.
System Administrator: An IT support person or persons responsible for one ore more systems which may hold and process data owned by one or more data stewards.
System/Server: A hardware or virtual computing environment that is installed or configured to provide, share, store, or process information for multiple users or, that communicates with other systems to transmit data or process transactions.
Reviewed 2023-04-04