UNL data security classifications - definitions

Please review the data security guidelines examples appendix for specific examples.

  1. Purpose
    Information we rely upon as an institution falls into categories that represent different needs and responsibilities. The University of Nebraska System has published a policy governing the classification and storage of data, ITS-05. This policy helps to provide a common framework for understanding the needs surrounding different types of data. This page, along with the ITS-05 policy, works to create an approachable common understanding of how to identify and protect University Data. All members of the UNL community must be responsible stewards of the data we create, share and rely upon.
  2. Applicability
    Understanding these guidelines is the responsibility of all members of the University of Nebraska-Lincoln community - faculty, staff, students and affiliates. By understanding the differences between types of data, it is possible to understand their different requirements and how to protect data appropriately. Treating different types of data responsibly, in accordance with any specific needs, allows us to focus our resources and investments where they will do the most good.
  3. Data security guidelines (definitions)
    1. Low-Risk Data
      Low-Risk Data consists of institutional data that has been intentionally released to the public by a person with authority to do so and/or a class of data defined as part of the public record. There may be copyright, Creative Commons or other expectations placed on the data, but it is generally available for public consumption.
    2. Medium-Risk Data
      Medium-Risk Data consists of data that is not protected by regulatory requirements, but should be protected from public view. This data might include (but is not limited to) academic, research, athletic, public service or administrative data that is restricted for reasons related to public or individual safety, competition or ongoing development, or that is otherwise sensitive in nature.
    3. High-Risk Data
      Confidential data is strictly protected by federal, state, university, professional code or other binding regulation. Any data that could, by itself or in combination with other such data, be used for identity theft, fraud or otherwise open the University to liability should be treated as High-Risk.
  4. Responsible use requirements
    General computer use policies at UNL are supported by this document. More specific recommendations and best practices will be established and updated by the UNL Information Security Office.
  5. Legally mandated or authorized release
    This document does not address legal or authorized release of data. Information is subject to applicable legal requests such as the Clery Act, Freedom of Information Act or subpoena.
  6. Individual responsibility
    Each member of the UNL community is individually responsible for ensuring that data is maintained responsibly and within recommended guidelines.
  7. Additional resources
    Situations may arise for which additional advice may be required. The UNL Information Security Office, Internal Audit, the Office of the General Counsel or business or academic unit leadership should be consulted as appropriate (this document is a guide and not definitive policy). Training on data security has been licensed for UNL and is available within the SANS “Securing the Human” video-based training modules.