UC Institutional Information and IT Resources are classified into one of four Protection Levels based on the level of concern related to confidentiality and integrity. P1 requires a minimal set of controls and P4 requires the most security controls.
Information and IT Resources must be properly protected based on the value of the Institutional Information and IT Resource and the likelihood that the information or resource may be targeted for theft. It is important to classify assets accurately as over-classification may result in additional complexity, cost and compliance requirements. Under-classification may result in inadequate protections that could lead to data or resource compromise.
For more information see the UC Classification Standard and UC Protection Level Classification Guide.
Protection Level 1 (P1)
Institutional Information and IT Resources intended to be readily obtainable by the public, but whose integrity is important and for which unauthorized modification is the primary protection concern. IT Resources for which the application of minimum security requirements is sufficient.
Examples:
- Public-facing informational websites
- Course catalogs
- Published research
- Press releases
- Parking information
Protection Level 2 (P2)
Institutional Information and related IT Resources that may not be specifically protected by statute, regulations or other contractual obligations or mandates, but are generally not intended for public use or access. In addition, information of which unauthorized use, access, disclosure, acquisition, modification or loss could result in minor damage or small financial loss, or cause minor impact on the privacy of an individual or group.
Examples:
- Routine business records, meeting notes, and email (that do not contain P3/P4 information)
- Draft or unpublished research papers (that do not contain P3/P4 information)
- Research using publicly available data
- De-identified research or patient data
- Exam information (questions and answers)
- UCSB directory information (faculty, staff and students who have not requested a FERPA block)
- Building plans
Protection Level 3 (P3)
Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties or civil actions. Institutional Information of which unauthorized use, access, disclosure, acquisition, modification, loss or deletion could result in moderate damage to UC, its students, patients, research subjects, employees, community and/or reputation; could have a moderate impact on the privacy of a group; could result in moderate financial loss; or could require legal action. This classification level can also include lower risk items that, when combined, represent increased risk.
Examples:
- Student records (FERPA)
- UCSB personnel records
- IT security information
- Security camera recordings
- Export-controlled research
- Animal research protocols
- Attorney-client privileged information
- Industrial Control Systems affecting operations
- Federal data that falls under FISMA
- GDPR personal data (Article 4) when contained in large sets
- Any data with contractual requirements for P3-level protection
Protection Level 4 (P4)
Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations. Statutory, regulatory and contract obligations are major drivers for this risk level. Other drivers include, but are not limited to, the risk of significant harm or impairment to UC students, patients, research subjects, employees, guests/program participants, UC reputation, or the overall operation of the Location or essential services. This classification level can also include lower risk items that, when combined, represent increased risk. Critical IT Infrastructure often falls into this level.
Examples:
- Personally Identifiable Information (PII) when statutory, i.e., an individual’s first name or initial and last name in combination with any one or more of the following:
  - Social Security number (SSN)
  - Driver’s license number or State-issued Identification Card number (including Passport or Visa)
  - Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password
  - Personal medical information
  - Health insurance information
  - Information or data collected through the use/operation of an automated license plate recognition system
  - Biometric data used for authentication purposes
  - Genetic data
  - User name or email address with password or security question and answer that would permit access to an online account
- GDPR special categories of personal data (Article 9)
- Protected health information (PHI), patient records (often also HIPAA, CMIA, CA IPA)
- Credit card information (PCI DSS)
- Federal Controlled Unclassified Information (CUI)
- Financial aid information (also GLBA)
- Human subject research data with individual identifiers or other research classified as P4 by an Institutional Review Board (IRB)
- Financial, accounting, and payroll records when authoritative source for the university
- Passwords, PINs, passphrases, or other authentication secrets used to manage IT Resources or access P2 to P4 information
- Private encryption keys or code signing certificates
- Medical devices supporting care
- Industrial Control Systems affecting life and safety
- Any data with contractual requirements for P4-level protection