Overview

All forms of UC electronic Institutional Information and IT Resources must be labeled with Protection Levels and Availability Levels in the associated inventory/tracking tools based on the Location/Unit Risk Assessment. The retention period for Institutional Information must also be documented. Examples of Institutional Information include documents, records, video recordings, databases, log files and all other data in electronic form. Examples of IT Resources include personal and mobile computing devices, mobile phones, printers and other devices (both personally owned and UC-owned) that connect to any UC network.

https://policy.ucop.edu/doc/7000543/BFB-IS-3

Protection Levels

UC Institutional Information and IT Resources are classified into one of four Protection Levels based on the level of concern related to confidentiality and integrity. P4 requires the most security controls and P1 requires a minimal set of controls.

  • P4 - HIGH

    Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations. Statutory, regulatory and contract obligations are major drivers for this risk level. Other drivers include, but are not limited to, the risk of significant harm or impairment to UC: students, patients, research subjects, employees, guests/program participants, UC reputation related to a breach or compromise, the overall operation of the Location or operation of essential services. (Statutory.)

    Examples:

      • Building access systems
      • Certain types of Federal data (Pre-CUI) – like HIPAA data
      • Code signing certificates or keys
      • Controlled Unclassified Information (CUI)
      • Controlled Technical Information (CTI) – includes Covered Defense Information (CDI) under DFARS 252.204-7012
      • Credit card cardholder information
      • Disability information or other medical information collected from students to provide services
      • Export Administration Regulations (EAR), International Traffic in Arms Regulations (ITAR), 10 CFR Part 810 – Department of Energy – transfer of unclassified nuclear technology
      • Financial aid information, student loans
      • Financial, accounting, payroll information
      • Human subject research data with individual identifiers, particularly identifiers listed in CA law
      • Individually identifiable genetic information (human subject identifiable)
      • Information with contractual requirements for P4-level protection
      • Passwords, PINs and passphrases or other authentication secrets that can be used to access P2 to P4 information or to manage IT Resources
      • Personal Information (California Code) and/or Personally Identifiable Information (PII), when contained in large sets and when containing a comprehensive set of information about a person, is protected by regulation. Example 1: Information about a person’s work-related accident that contains medical records. Example 2: GDPR special categories (Article 9 ‘sensitive’) of identifiers.
      • Private encryption keys
      • Protected Health Information (PHI) / patient records
      • Research information classified as Protection Level 4 (P4) by an IRB or otherwise required to be stored or processed in a high-security environment
      • Sensitive Identifiable Human Subject Research data
      • Social Security Numbers – subset of PII
  • P3 - MODERATE

    Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties or civil actions. Institutional Information of which unauthorized use, access, disclosure, acquisition, modification, loss or deletion could result in moderate damage to UC: students, patients, research subjects, employees, community, reputation related to a breach or compromise; could have a moderate impact on the privacy of a group; could result in moderate financial loss; or could require legal action. This classification level also includes lower risk items that, when combined, represent increased risk. (Proprietary.)

    Examples:

      • Animal research protocols
      • Attorney-Client Privileged Information
      • Building entry records from automated key card systems
      • Certain types of federal data (Pre-CUI)
      • Export Controlled Research (ITAR, EAR)
      • IT security information, exception requests and system security plans
      • Personally Identifiable Information (PII) and Personal Data as defined in GDPR contained in large sets (Article 4)
      • Research information classified as Protection Level 3 (P3) by an Institutional Review Board (IRB)
      • Security camera recordings, body-worn video system recordings, and cameras recording cash handling or payment card handling areas
      • Student education records
      • Student special services records. These records may contain information needed to provide services or plan accommodations, but for which the student has an expectation of privacy
      • UC personnel records
      • Video recordings
  • P2 - LOW

    Institutional Information and related IT Resources that may not be specifically protected by statute, regulations or other contractual obligations or mandates, but are generally not intended for public use or access. In addition, information of which unauthorized use, access, disclosure, acquisition, modification or loss could result in minor damage or small financial loss, or cause minor impact on the privacy of an individual or group. (Internal.)

    Examples:

      • Building plans and information about the university physical plant
      • Calendar information that does not contain P3 or P4 information
      • De-identified patient information (with negligible re-identification risk)
      • Exams (questions and answers)
      • Meeting notes that do not contain P3 or P4 information
      • Patent applications and work papers, drafts of research papers
      • Research using publicly available data
      • Routine business records and email that do not contain P3 or P4 information
      • UC directory (faculty, staff and students who have not requested a FERPA block)
      • Unpublished research work and intellectual property not classified as P3 or P4
  • P1 - MINIMAL

    Public information or information intended to be readily obtainable by the public, but whose integrity is important and for which unauthorized modification is the primary protection concern. IT Resources for which the application of minimum security requirements is sufficient. (Public.)

    Examples:

      • Course catalogs
      • Hours of operation
      • Public event calendars
      • Public-facing websites with Institutional Information intended for unrestricted access
      • Published research

Availability Levels

All UC Institutional Information and IT Resources are also classified into one of four Availability Levels based on the level of business impact their loss of availability or service would have on UC. Compromises to A4 information or resources would cause the highest level of impact; compromises to A1 would cause a minimal level of service impact. A4 requires the most security controls, while A1 requires fewer security controls.

  • A4 - HIGH

    Loss of availability would result in major impairment to the overall operation of the Location and/or essential services, and/or cause significant financial losses. IT Resources that are required by statutory, regulatory and legal obligations are major drivers for this risk level.

    Examples:

      • Building access system
      • Building management system – access, HVAC, lighting, elevators
      • Directory Services – single sign-on (SSO)
      • Domain name servers (DNS)
      • Email
      • Medical devices
      • Medical records system
      • Financial, accounting and payroll systems
      • UCPath human resources management systems
      • Network (core services)
      • Supporting IT infrastructure that A4 systems rely upon for operation
  • A3 - MODERATE

    Loss of availability would result in moderate financial losses and/or reduced customer service.

    Examples:

      • Building management system – other
      • Clinical trial management system
      • Event ticketing systems
      • Point-of-sale (POS) systems
      • Public website
      • Ticketing or work management system (help desks, maintenance, etc.)
      • Time reporting system
      • Version management system
      • File servers supporting business operations
  • A2 - LOW

    Loss of availability may cause minor losses or inefficiencies.

    Examples:

      • Department website
      • Electronic sign board system
      • Front desk sign-in system
      • Student life management system
      • General file servers
  • A1 - MINIMAL

    Loss of availability poses minimal impact or financial loss.

    Examples:

      • Streaming systems (music and video)
      • Workstations
      • Laptops