About Data Classification

Effective January 3, 2017, U-M established new data classification levels designed to help determine the minimum security requirements for protecting data.

Classification Drives Appropriate Protection

Sensitive U-M data must be protected to prevent theft, unauthorized access, compromise, or inappropriate use (see Protect Sensitive Data). The level of protection is driven by legal, regulatory, academic, financial, and operational requirements, as well as the criticality and risk levels associated with the data.

Data classification:

  • Provides a framework for managing and securing university-owned or institutional data assets.
  • Helps determine what baseline security controls are appropriate for safeguarding data at each level. The higher the classification level, the more security controls are required.
  • Allows users to identify, understand, better manage, and employ an appropriate level of security for university-owned data.

In classifying sensitive data, the university:

  • Uses a risk-based approach to help faculty, researchers, staff, and students identify the data they use, understand its level of sensitivity, and learn how to best secure it.
  • Seeks to balance protection of the confidentiality, integrity, and availability of the data needed for U-M's academic, administrative, research, and clinical missions, recognizing the need for collaboration and sharing of knowledge across campus and the world.

See the Sensitive Data Guide for information about compliance requirements, and where to safely store sensitive data.

Roles and Responsibilities for Data Classification

U-M data stewards are primarily responsible for determining classification of data by category. It is important to account for federal and state laws and regulations that require the university to apply certain security safeguards to various sensitive data categories. Widely adopted industry standards, such as those that apply to credit card payments, also create additional requirements to be followed.

U-M data creators and owners (for example, principal investigators, researchers, administrative units) are responsible for determining the classification level for their specific data set(s) based on the levels assigned by data stewards for specific data categories or types. Data creators and owners should keep in mind that the minimum security controls required increase as classification level moves from low to moderate to high to restricted. The key objective in identifying the classification level is to make a risk-based determination of what security controls to implement, and not protecting data beyond what is appropriate.

Need Help Classifying Data?

Not sure how a specific data set should be classified? Questions or concerns about specific classifications should be directed to Information Assurance by contacting the ITS Service Center.