2.4 Data Classification & System Criticality Classification

USU data must be inventoried and classified according to a system that assesses the potential impact of unauthorized access, use, or alteration. This classification framework helps manage risks associated with various types of Institutional Information and supports critical functions such as compliance, information management, vendor oversight, and incident response. Each classification level considers potential impacts on individuals and the university, as well as legal, regulatory, and contractual obligations. While all individuals handling Institutional Information should be aware of its classification and associated safeguards, trustees and stewards must ensure that their teams implement and adhere to appropriate security measures. For more details, refer to the USU Data Classification and System Criticality Classification.

Related Policies:

Why

Utah State University (USU) manages a vast array of Institutional Information and IT systems that vary in sensitivity, regulatory requirements, and business impact. Without a structured classification system, data and system resources may be over- or under-protected, leading to compliance failures, increased security risks, and operational inefficiencies. This policy establishes a standardized framework to inventory, classify, and protect USU data and systems based on their criticality and sensitivity.

A well-defined Data Classification and System Criticality Classification process enables USU to:

  • Manage risk effectively by prioritizing security controls based on data sensitivity and system importance.
  • Ensure compliance with legal, regulatory, and contractual obligations, such as FERPA, HIPAA, and GDPR.
  • Support incident response by providing clear guidelines on how to handle compromised data based on its classification.
  • Enhance vendor oversight by ensuring third-party service providers apply appropriate security measures when handling university data.

By classifying Institutional Information and IT systems appropriately, USU ensures that security measures align with the potential impact of unauthorized access, use, or alteration. While all users must be aware of classification requirements, trustees and data stewards play a critical role in implementing and enforcing appropriate safeguards within their teams. This structured approach strengthens USU’s overall cybersecurity posture and ensures that data protection efforts are both efficient and effective.