How to Classify Data

Using confidentiality, integrity, and availability to classify data.

  • Confidentiality is the need to strictly limit access to data to protect the university and individuals from loss.
  • Integrity means that data must be accurate and users must be able to trust its accuracy.
  • Availability means that data must be accessible to authorized persons, entities, or devices.

To determine the level of protections applied to a system, base your classification on the most confidential data stored in the system. A positive response to the highest category in ANY row is sufficient to place the data into that respective category. Even if the system stores data that could be made available in response to an open records request or information that is public, the entire system (server or workstation) must still be protected based on the most confidential data.

Data Classification Weighting 

  LEVEL 1 LEVEL 2 LEVEL 3
Need for Confidentiality Required Recommended Optional
  and/or and/or and/or
Need for Integrity Required Recommended Optional
  and/or and/or and/or
Need for Availability Required Recommended Optional

Once you classify the data, review the university Minimum Security Standards. These standards describe the appropriate steps for protecting data based on the data classification.

Sample Data Classification

This section illustrates how the Information Security Office classifies some familiar data using the CIA (Confidentiality, Integrity, Availability) criteria.

Level 1 Data: Santa Clara University web presence

www is considered Level-I data because it is governed by a service-level agreement that dictates a high level of uptime.

  • Need for Confidentiality is optional (low)
  • Need for Integrity is recommended (medium)
  • Need for Availability is required (high)

Since at least one of the CIA conditions is required (high), in this case availability, www is considered Level-I data.

Level 1 Data: Digital Research Data with a Funding Agency Agreement

Digital research data is required to be confidential (high) due to various factors, including human subject data, requirements of granting or funding agency agreements, etc. Integrity of the research is required (high) because the data must be accurate and free from errors to be credible. Availability is recommended (medium), because SCU is not necessarily in any danger or in violation of any law if the data is unavailable for a period of time.

  • Need for Confidentiality is required (high)
  • Need for Integrity is required (high)
  • Need for Availability is recommended (medium)

Level 2 Data: Large Numbers of E-mail Addresses

University e-mail addresses are considered Level-II data. They are public information and are published in the university directory (unless restricted by individuals). However, the directory is not intended to be used to harvest e-mail addresses.

  • Need for Confidentiality is optional (low)
  • Need for Integrity is recommended (medium)
  • Need for Availability is recommended (medium)

You may ask yourself why integrity is only recommended and not required. In this case, we are not talking about the source system that stores official e-mail addresses, but the release of that information.

Level 3 Data: Professor's Blog

A blog is designed to be shared with the world. The confidentiality requirement is therefore optional (low). If the contents of the blog are changed, there would be little to no impact on the ability of the department or the university to carry out their missions. The need for integrity is therefore optional (low). The need for availability is also optional (low) because, should the blog be taken offline for a period of time, the only primary people affected would be the readers of the blog. The department and university should be able to carry on business as usual, while the blog was restored or recreated.

  • Need for Confidentiality is optional (low)
  • Need for Integrity is optional (low)
  • Need for Availability is optional (low)

Since at all of the CIA conditions are optional (low), a professor’s blog hosted on a departmental server is considered Level-III data and should be protected using the required and recommended standards for Level-III data.

Adapted with permission from University of Texas at Austin and Stanford University