Initial Discovery
While the state definitions presented below are applicable to all institutional data, data collected for research often requires additional classification. Examples of such additional classification include:
- Vulnerable Populations
- Personal Health Information
- Review Types
All human subjects research must have TTU IRB approval.
Anonymous Versus Identifiable Data in Research
For researchers, anonymous and identifiable data may have different degrees of identifiability. The TTU IRB can help you discern the degree of identifiability of your data, the appropriate classification, and the associated protections.
Data Types
Texas Department of Information Resources, Data Classification Guide
The proposed data classification scheme outlines four classification labels.
- Public – Information that is freely and without reservation made available to the public.
- Sensitive – Information that could be subject to release under an open records request but should be controlled to protect third parties.
- Confidential – Information that typically is excepted from the Public Information Act.
- Regulated – Information that is controlled by a federal regulation or other third-party agreement.
Public
The Public information label is used for information such as published reports, press releases, and information published to the agency's public website. Such information requires no authentication and is freely distributable by all agency personnel. (TTU examples: Course Syllabi, Course Schedule)
Sensitive
Moving to the Sensitive label, much of the information is still subject to public release under an open records request, but the information should be vetted and verified before release. These types of data include items such as employee records and gross salary information. While these records and information are considered "public" under the Texas Public Information Act, they should still be afforded a higher level of protection to ensure confidential data (e.g., net salary information) is not commingled. Many agencies will choose to release this type of information only through select employees who are familiar with the state and federal rules regarding disclosure. (TTU examples: Faculty Tenure Proceedings, Vendor Partner Proprietary Information)
Confidential
The Confidential label is used to identify information that is typically excepted from public disclosure, whether specified in law or through a decision by the Open Records division of the Texas Office of the Attorney General. Confidential data include information such as attorney-client communications, protected draft communications, and computer vulnerability reports. (TTU examples: Student, Faculty, and Staff personally identifiable information)
Regulated
The fourth label, Regulated, may or may not be applicable to an agency, based on its mandate, customers, and business operations. Regulated focuses on the types of data typically regulated by federal statute or third-party agreements. Agencies that maintain protected health, federal tax, payment card, or certain personal information will have specific requirements placed on that data by a non-Texas regulation. Therefore, regulated data has specific handling requirements that are unique to their regulations and do not apply to all agencies. (TTU examples: FERPA, COPPA, HIPAA)
Texas Department of Information Resources, Data Classification Guide
Executive Summary
Data classification is the process of categorizing data into various types, forms, sensitivity level, or any other grouping of similar characteristics. When a piece of information (e.g., a document, memo, or customer record) is created, the owner assigns a standard classification level which defines the prescribed handling requirements for that piece of information, among other things. Such categories dictate the controls necessary to best protect the confidentiality, integrity, and availability of the data.
Data classification makes securing data much more efficient, because it instantly identifies and communicates the minimum level of protection required for any piece of data as well as the audience that may view it. For example, a document that is classified as "confidential" is easily understood to require additional protections and controls.
The Office of the Chief Information Security Officer at the Texas Department of Information Resources (DIR) worked with a taskforce of agency stakeholders to develop a model data classification taxonomy for state agencies and institutes of higher education. The classification scheme is detailed separately from this guidance document. This document is meant to present the background, underlying assumptions, and logic behind the decisions the taskforce made in arriving at this model.
Background
Texas Administrative Code (TAC) Chapter 202 requires all agencies and institutions of higher education to classify their data.[1] However, TAC 202 does not explicitly define classification levels beyond the "confidential" category.[2] The lack of standardization in data classification schemes across the state creates challenges such as inefficiency in communications, discrepancies in controls applied between agencies, and, in rare cases, a failure to implement data classification policies and procedures at all. To address these challenges, the Office of the Chief Information Security Officer (OCISO) worked with representatives from multiple state agencies to develop a baseline data classification scheme that can be adopted and modified to meet the varying needs of agencies and institutions of higher education.
Based on the experience of these representatives and their understanding of security standards and best practices, the OCISO proposes a simple classification scheme for all agencies to consider. The representatives based their classification scheme on current Texas law, both 1 TAC 202 and the Public Information Act, as well as the relevant federal standards (FIPS 199, NIST SP 800-59 and 800-60).
The labels used in this data classification scheme are in no way meant to subvert, contradict, supplant, or conflict with the Texas Public Information Act. In all cases, the public release of agency data is governed by the Texas Public Information Act and Chapter 552, Texas Government Code. The data classification scheme presented in this guide is intended to be a means to identify and address the safeguards, precautions, and handling requirements necessary to prevent accidental data disclosure.
[1] 1 TAC 202.24(b)(1): State agencies are responsible for defining all information classification categories except the Confidential Information category, which is defined in Subchapter A of this chapter, and establishing the appropriate controls for each.
[2] 1 TAC 202.1(5): Confidential Information – Information that must be protected from unauthorized disclosure or public release based on state or federal law (e.g., the Texas Public Information Act, and other constitutional, statutory, judicial, and legal agreement requirements).
Benefits of Classifying Data
Data classification is the basis for identifying an initial baseline set of security controls for information and information systems, which creates numerous benefits for the organization.
Effectively classifying data makes security decisions more efficient for employees, data owners, and IT staff, because it instantly identifies and communicates the level of protection required for any piece of data and who can access it. Establishing a common statewide vernacular can further amplify this efficiency through clear and non-ambiguous communication.
Appropriate data classification can also enable a more efficient use of IT capital. Specifically, data that has been categorized at a level requiring more protection can provide an objective justification for certain capital expenditures to help protect that data.
An organization can design its systems architecture with varying information sensitivity levels in mind if there is an awareness of the location, type, and handling requirements of the data. This may assist in achieving economies of scale with security services and protection through shared network and security zones. For example, an information system containing information protected by state privacy laws may be stored with other information systems containing similar sensitive information which are regulated by a third-party agreement.
Agency contingency and disaster recovery planning personnel can use the outputs of the data classification process to ensure that the infrastructure is sufficiently protected and that recovery efforts focus on high impact systems.
Finally, artifacts of a data classification process can also serve as inputs to Business Impact Analysis (BIA) reviews, Information Sharing and System Interconnection Agreements, and audit trails.
© 2024 Texas Tech University. Oct 25, 2023, 3:02 PM