Data Categorization

Texas A&M University System (A&M System) data categorization consists of a minimum of three specific categories based on access restrictions and risk. These categories apply to all members and may be expanded upon as required by the member. While the categorization applicable to specific information may change based on circumstances, the intent of this document is to define the appropriate categories for different types of information. These three categories are:

Each category is described below by its description, examples, and comments.

Category: Confidential Information

Description: Information that must be protected from unauthorized disclosure or public release based on state or federal law or other legal agreement (1 TAC § 202.1)[1].

Examples:
- Patient billing information and protected health information as protected by HIPAA
- Student education records protected by FERPA
- Information or information system security plans, reports and related information
- Credit/debit card numbers, bank account numbers
- Personal financial information
- Social security numbers
- A&M System intellectual property and research information having commercial potential

Comments:
- This category may not be absolute; context is an essential element.
- Owners of confidential information must ensure such information is correctly categorized.
- Custodians of confidential information must implement appropriate controls.
- HIPAA, FTI or PCI information is covered in this category. This category may include agreements or contracts for research work that require higher levels of security and/or procedural elements for handling of information.
- Consult the Office of General Counsel regarding confidential information requested through open records, subpoena, or other legal process.
- Confidential Information requiring breach notifications or having stricter access requirements may include SPI as defined by Texas Business and Commerce Code § 521.002(a)(2)[2] and credit card numbers covered by PCI DSS v3.1[3].
- Classified National Security Information under Executive Order 13526[4] and Controlled Unclassified Information under Executive Order 13556[5] shall be protected as prescribed by System Regulations 15.05.01[6] and 15.05.02[7], respectively, and by the System Chief Research Security Officer (SCRSO).

Category: Internal Use

Description: Information that is not generally created for or made available for public consumption but that may or may not be subject to public disclosure through the Texas Public Information Act[8] or similar laws.

Examples:
- Institutional budgetary, financial and operational records such as expenditures, statistics, contracting information, and non-confidential personnel information
- Non-confidential internal communications

Comments:
- Consult the Office of General Counsel regarding controlled information requested through open records, subpoena, or other legal process.

Category: Public Information

Description: Public information includes all information made available to the public through posting to public websites, distribution through email, social media, print publications or other media, and information for which public disclosure is intended or required.

Examples:
- Published system and system member policy documents, organizational charts, statistical reports, fast facts, unrestricted directory information, employee salaries, and educational content available to the public at no cost

Comments: None.

Information can migrate from one category to another over its lifecycle. For example, a draft policy document fits the criteria of "Internal Use" until it is published, at which point it becomes "Public Information".

1. Each member will use these categorization criteria as its baseline standard. If a member requires a more restrictive categorization for a class of data due to state, federal or other agreements, the more restrictive categorization applies.

2. These categorization criteria will be used to assess information access and security requirements for information to be stored or processed within member shared information centers.

3. When determining security controls to use for a given set of information, Information Owners and Custodians should also assess whether special requirements exist regarding importance of information availability and integrity and rate the need as LOW, MODERATE, or HIGH for both availability and integrity. The needs regarding availability and integrity may impact security control decisions but are not used for purposes of assigning a categorization label of Confidential, Internal Use, or Public Information.

4. Some classes of information may have attributes, such as “mission critical” or “business critical”. Information attributes do not supplant these classifications but should be used to clarify their importance to the institution.

State of Texas Requirement

“State institutions of higher education are responsible for defining all information classification categories except the Confidential Information category, which is defined in Subchapter A of this chapter, and establishing the controls for each” (1 Tex. Admin. Code § 202.74(b)(1)).[9]

1. Title 1 Texas Administrative Code § 202.1, Applicable Terms and Technologies for Information Security Standards.
2. Texas Business and Commerce Code § 521.002, Unauthorized Use of Identifying Information.
3. "PCI Data Security Standards", Payment Card Industry Security Standards Council.
4. Executive Order 13526, Classified National Security Information, December 2009.
5. Executive Order 13556, Controlled Unclassified Information, November 2010.
6. Texas A&M System Regulation 15.05.01, Classified Information Management.
7. Texas A&M System Regulation 15.05.02, Controlled Unclassified Information Management.
8. Texas Government Code Ch. 552, Public Information.
9. Title 1 Texas Administrative Code § 202.74, Institution Information Security Program.
