Information Technology Services (ITS)

IT Standard Administrative Procedures

Data Classification Standard


This standard serves as a supplement to the 29.01.99.K1.185 Data Classification Standard, which was drafted in response to Texas Administrative Code 202 and 29.01.99.K1.010 Acceptable Use Standard Administrative Procedure.

Adherence to the standard will facilitate applying the appropriate security controls to university data.

This standard exists in addition to all other university policies and federal and state regulations governing the protection of the university’s data. Compliance with this classification standard alone will not ensure that data are properly secured; instead, this standard should be integrated into a comprehensive information security plan.

Public

University data not otherwise identified as Confidential or Controlled data, and:

  1. Is intended or required for public release
  2. Has no requirement for confidentiality, integrity, or availability.

Controlled

University data not otherwise identified as Confidential, and:

  1. May or may not be subject to disclosure or release in accordance with the Texas Public Information Act
  2. Must be appropriately protected to ensure a controlled and lawful release.

Confidential

University data that:

  1. Must be protected from unauthorized disclosure or public release
  2. Are not otherwise protected by a known statute or regulation, but must be protected due to contractual agreements

Use the examples to determine which classification is appropriate for a given type of data. When data falls into multiple categories, use the highest classification.

View Minimum Security Standards for Systems

Public

University data not otherwise identified as Confidential or Controlled data:

  1. Public directory information
  2. Public websites
  3. Course listings and pre-requisites

Controlled

University data not otherwise identified as Confidential:

  1. Email
  2. Personnel records
  3. Information security procedures
  4. General research
  5. Internal communications
  6. Licensed software/software license keys
  7. Library paid subscription electronic resources

Confidential

University data that include:

  1. Personally Identifiable Information, such as: a name in combination with Social Security Number (SSN) and/or banking account numbers
  2. Student Education Records (FERPA)
  3. Intellectual Property, such as: Copyrights, Patents and Trade
  4. Medical Records (HIPAA)
  5. System security plans, reports, system configurations, and related information
  6. TAMUK intellectual property and research information having commercial potential

Extended List of Confidential Data:

  • Patient names, street address, city, county, zip code, telephone / fax numbers
  • Dates (except year) related to an individual, account / medical record numbers, health plan beneficiary numbers
  • PHI-related certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses
  • Any other unique identifying number, characteristic, or code
  • Payment Guarantor's information
  • Grades (including test scores, assignments, and class grades)
  • Student financials, credit cards, bank accounts, wire transfers, payment history, financial aid/grants, bills

For more information, see the TAMUK FERPA Web Page.

  • Name
  • Family information
  • Amount / what donated
  • Other non-public gift information
  • Telephone / fax numbers, e-mail, URLs
  • Human subject information. See the Research Compliance website for more information
  • Sensitive digital research data
  • Export Controlled Information
  • Classified information relating to defense articles and defense services
  • Information covered by an invention secrecy order
  • Software directly related to a controlled item
  • Insurance benefit information
  • Family information, home address, and home phone number
  • Contract information (between TAMUK and a third party)
  • NDA-protected certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses

A server is a computer program that provides services to other computer programs in the same or another computer. A computer running a server program is frequently referred to as a server, though it may also be running other client (and server) programs.

View Server Hardening Standards

An application is any software that handles data at TAMUK.

View Application Security Procedure

Public

  1. Public facing web server: All content is available without KU/K00 login and doesn't fall under Controlled or Confidential definitions
  2. Online maps
  3. University online catalog displaying academic course descriptions
  4. Bus schedules

Controlled

  1. Web server with non-Confidential content behind KU/K00 login
  2. Human Resources application that stores salary information

Confidential

Web server hosting confidential data such as, but not limited to:

  1. SSNs
  2. HIPAA data
  3. FERPA data
  4. ITAR data
  5. PCI data
  6. Financial data

The standards listed here inform this document; you should be familiar with these standards.

This is not an all-inclusive list of standards and procedures that affect information technology resources.