“State institutions of higher education are responsible for defining all information classification categories except the Confidential Information category, which is defined in Subchapter A of this chapter, and establishing the controls for each” (1 Tex. Admin. Code § 202.74(b)(1)). [1]
Texas A&M University System (A&M System) data categorization consists of a minimum of three specific categories based on access restrictions and risk. These categories apply to all members and may be expanded upon as required by the member. While the categorization applicable to specific information may change based on circumstances, the intent of this document is to define the appropriate categories for different types of information. These three categories are:
| Category | Definition | Notes |
|---|---|---|
| Confidential Information | Information that must be protected from unauthorized disclosure or public release based on state or federal law or other legal agreement (1 TAC § 202.1). [2] | This category may not be absolute; context is an essential element. Owners of confidential information must ensure such information is correctly categorized, and custodians of confidential information must implement appropriate controls. HIPAA, FTI, or PCI information is covered in this category. This category may include agreements or contracts for research work that require higher levels of security and/or procedural elements for handling of information. Consult the Office of General Counsel regarding confidential information requested through open records, subpoena, or other legal process. |
| Internal Use | Information that is not generally created for or made available for public consumption but that may or may not be subject to public disclosure through the Texas Public Information Act [3] or similar laws. | Consult the Office of General Counsel regarding internal use information requested through open records, subpoena, or other legal process. |
| Public Information | All information made available to the public through posting to public websites, distribution through email, social media, print publications, or other media, and information for which public disclosure is intended or required. | |

Each member will use these categorization criteria as their baseline standard. If a member requires a more restrictive categorization for a class of data due to state, federal, or other agreements, the more restrictive categorization will apply.
Information can migrate from one categorization to another over its lifecycle. For example, a draft policy document fits the criteria of “Internal Use” until it is published, at which point it becomes “Public Information”.
Security Control Tailoring Guidance
When determining security controls to use for a given set of information, Information Owners and Custodians should also assess whether special requirements exist regarding the importance of information availability and integrity, and rate the need as LOW, MODERATE, or HIGH for both availability and integrity. The needs regarding availability and integrity may affect security control decisions but are not used for assigning a categorization label of Confidential, Internal Use, or Public Information (see FIPS 199 [4] for additional details).
Some classes of information may have attributes such as “mission critical” or “business critical”. These classes of information should be assessed for designation as high-impact information resources.