To apply security measures in the most appropriate and cost-effective manner, data (regardless of format) must be evaluated and assigned a Data Classification Level (DCL). The DCL of the data establishes the extent and type of information security measures that must be implemented.
The security requirements set forth are high-level and establish the minimum standards that must be followed for each DCL.
Exceptions & Other Considerations
Exceptions to the standards may be required due to budget, functional or technology limitations. Exceptions must be approved and documented by the Information Security Office at each business unit.
Exceptions must also be eliminated as soon as is reasonably possible.
The value or criticality of the information asset must also be considered when assigning a DCL. For example, a system may hold data that is classified only as DCL1, but concerns about data integrity or the value of the asset to the University may justify managing the asset at a higher DCL.
The primary public website for each business unit might be an example of this situation. Data custodians and data stewards should work together to classify and manage the information assets for which they are responsible, based on a thorough understanding of each asset's overall value.