Classification of Information and IT Resources

Below are the classification levels from Part III, Section 8 of UC's Electronic Information Security policy, IS-3.

A systemwide workgroup has already classified many types of Institutional Information and IT Resources. For reference, please consult these guides below. If the use case under consideration is not covered, then use the Standard below to perform the classification.

The full classification standard is available here:

Illustrative sample of Protection Level classifications*:

Protection Level Classification

| Level | Impact of disclosure or compromise |
| --- | --- |
| P4 - High | Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations. Statutory, regulatory and contract obligations are major drivers for this risk level. Other drivers include, but are not limited to, the risk of significant harm or impairment to UC students, patients, research subjects, employees, guests/program participants, UC reputation, the overall operation of the Location or essential services. (Statutory.) |
| P3 - Moderate | Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties or civil actions. Institutional Information of which unauthorized use, access, disclosure, acquisition, modification, loss or deletion could result in moderate damage to UC, its students, patients, research subjects, employees, community and/or reputation; could have a moderate impact on the privacy of a group; could result in moderate financial loss; or could require legal action. This classification level also includes lower risk items that, when combined, represent increased risk. (Proprietary.) |
| P2 - Low | Institutional Information and related IT Resources that may not be specifically protected by statute, regulations or other contractual obligations or mandates, but are generally not intended for public use or access. In addition, information of which unauthorized use, access, disclosure, acquisition, modification or loss could result in minor damage or small financial loss, or cause minor impact on the privacy of an individual or group. (Internal.) |
| P1 - Minimal | Public information or information intended to be readily obtainable by the public, but whose integrity is important and for which unauthorized modification is the primary protection concern. IT Resources for which the application of minimum security requirements is sufficient. (Public.) |


Illustrative sample of Availability Level classifications*:

Availability Level Classification

| Level | Impact of loss of availability or service |
| --- | --- |
| A4 - High | Loss of availability would result in major impairment to the overall operation of the Location and/or essential services, and/or cause significant financial losses. IT Resources that are required by statutory, regulatory and legal obligations are major drivers for this risk level. |
| A3 - Moderate | Loss of availability would result in moderate financial losses and/or reduced customer service. |
| A2 - Low | Loss of availability may cause minor losses or inefficiencies. |
| A1 - Minimal | Loss of availability poses minimal impact or financial losses. |

 

*Consult the Protection Level and Availability Level Classification Guides for definitive classifications.

 

Copyright © Regents of the University of California