Information Technology Services

Standard 9: Data Classification

  1. All data owners, data stewards, or designated custodians shall be responsible for classifying data stored, processed, or transmitted by systems under their purview based on data sensitivity and risk so that the appropriate security controls can be applied.
  2. The Data Classification Standard shall be used to classify data.
    1. Systems storing University data will be assessed annually in a campus-wide risk assessment where each system is classified based on the data it is associated with.
    2. All restricted data must be encrypted at rest. Any restricted data found on file servers, workstations, removable media, or other non-encrypted storage should be removed or encrypted using encryption technology supported by UNF (VeraCrypt, etc.).
    3. All restricted data access must be audited at least annually using the data access governance system.
  3. Classification Responsibility. Owners of information resources within UNF must classify data based on the UNF Data Classification Standard and shall ensure the classification is properly maintained in the event the data classification changes.
  4. The UNF Data Classification Standard consists of three mutually exclusive data classifications. Decisions on classifying data must fit within a spectrum indicating the degree to which access to the data must be restricted and data integrity and availability must be preserved. The three classifications (Public, Internal Use, Restricted) are summarized in the UNF Data Classification and Security Policy.