IT-2 University of Maryland Data Classification Standard


The IT Council approved the classification of data into four categories. Please see this PDF for details on the four classification levels and examples of data for each level.

What is Data Classification?

Data Classification is the foundation of UMD’s risk-based approach to protection of data and systems. Data classification assesses the expected risk of harm to an individual, groups, projects, or the University if the data/system were subject to unauthorized access, use, alteration, or disclosure.

What "harms" does data classification address?

In the context of data classification, harms may include negative psychological, reputational, financial, personal safety, legal, and others. It is important to note that UMD’s approach to analyzing harms does not only include financial repercussions to the University (or individuals). In considering the risk level a data set represents, it is just as important to consider the impact an unauthorized disclosure may have on the individual that is the subject of the data.

Why does data classification matter?

The classification of data determines the baseline security protections and controls that must be in place to protect a data set or information system. This may include security standards for physical and logical access controls, procedures and processes, and the level of review for third parties interacting with the data. Understanding the risk associated with data helps UMD balance protection of the confidentiality, integrity, and availability of data with the need to accomplish UMD’s academic, research, and service missions. Data users should keep in mind that the minimum security controls required increase as classification level moves from low to moderate to high to restricted. The key objective in identifying the classification level is to make a risk-based determination of what security controls to implement so that appropriate, but not excessive, protections are in place.

Who is responsible for data classification?

Ultimately, the individuals responsible for data classification are those that create, receive, or otherwise use a data set. Data users are often the best situated to understand the specific risks their data poses.

What questions should I consider in determining the risk level of my data?

Data classification is a straightforward, but not always simple, analysis of a handful of considerations. While these are not necessarily the only questions to be asked, the following questions provide a basic starting point:

Is all individually identifiable information (aka PII) a particular risk level?

No. While the identifiability of a data set may impact the risk it represents to an individual, the risk of harm analysis also considers the nature of the underlying data. For example, data generated for a study examining preferred flavors of ice cream could be directly identifiable (name, address, etc), but there is no significant risk of harm in knowing an individual’s favorite flavor of ice cream. On the other hand, data generated for a study on opioid use would represent a significant risk to the individuals involved in the study if they were identified. Further, legal requirements (ex., contracts) may require treating an otherwise de-identified data set as though it were high-risk data.

What if something fits within the Low or Moderate Data Classification categories, but there are contracts/laws/etc that require extra security measures?

If a contract, law, or other legal obligation requires certain security measures, those measures must be put in place regardless of what Data Classification category may have otherwise been appropriate for the data set.

Who do I contact if I have a question about Data Classification/how to classify my data/what harm might mean?

DIT is available to help with any data classification questions. You can email itcompliance@umd.edu, and we’ll work with you to determine the classification level of your data.

What if I disagree with DIT’s analysis of my data’s risk?

If you believe your data represents a higher risk than DIT’s understanding, you can elect to treat your data as though it were a higher level of risk. However, if you request that your data set be classified as High or Restricted, the security controls required for that level of classification must be in place for at least 1 year prior to re-review. If you believe your data represents a lower risk than DIT’s understanding, DIT will work with you to better understand your data. However, DIT is responsible for making the final decision as to the level of risk data represents.

What are the next steps after I have classified my data?

The Classification of data determines the security controls that must be put in place to protect it. There are many tools, services, and advice that DIT provides to assist in complying with these requirements, and your local IT and/or research administration staff may be able to direct you to pre-approved tools or services for specialized needs. For more information, see the list of DIT approved services. DIT’s Compliance team can be reached for additional assistance at it-compliance@umd.edu

How do I safeguard Data ?

The Data Risk Guide to Commonly Used DIT Services article outlines which commonly used services and systems are appropriate for various data types.

Q: How to securely transmit data?

The Securely Share Data and Files article outlines which commonly used services and systems are appropriate for various data types.