Research Security Requirements–Data Classification


Overview

Data Classification

At the University of Michigan, all data gets classified into four classification levels: Restricted, High, Moderate, and Low. This level determines what information security requirements are needed for particular projects or investments. For example, High data requires an extensive questionnaire called a CORL for any vendors involved. Moderate data only requires a short Vendor Security Questionnaire.

Learn more about the data classification levels.

Learn more about the information security requirements for each classification.

Data Types

Sensitive data is also broken down into different data types, mostly based around legal requirements. These are the more familiar terms like HIPAA, FERPA, and FISMA. Each data type has a designated data steward* that is responsible for a number of things:

  • Assigning an appropriate classification for their respective data areas based on their sensitivity and criticality
  • Approving standards and procedures related to day-to-day administrative and operational management of the data
  • Determining the appropriate criteria for obtaining access

Data stewards have approved a number of university services for their data types. You can find which services are approved for which data types in the Sensitive Data Guide. Note that some services have specific instructions for using them with certain data types. For example, when using Dropbox for storing PHI, you must use a Dropbox Team Folder.

Note that the different data types all still have a data classification. For example, Sensitive Identifiable Human Subject Research is High, so it still requires many of the same protections as PHI.

Learn more about the Sensitive Data Guide.

* https://it.umich.edu/governance/data-governance/data-stewards

How to request a data classification

Before beginning any Information Assurance: Michigan Medicine approval processes, you need to know your data classification.

You can submit a data classification request by filling out this form.


Data Classification


At the University of Michigan, data is categorized into four levels—Restricted, High, Moderate, and Low. These classifications determine the security requirements for projects or investments. For instance, data classified as High requires a detailed vendor security risk questionnaire, whereas Moderate data does not.

Learn more about the data classification levels.

Learn more about the information security requirements for each classification.

Learn more about Research Security and Compliance.

Learn more about Data Security & Privacy Sharing.

Learn more about Security and Privacy Controls for Information Systems and Organizations


Data Types

Sensitive data at the University of Michigan is further divided into specific data types, largely based on regulatory requirements. These are commonly recognized categories such as Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), Controlled Unclassified Information (CUI) and Federal Information Security Management Act (FISMA). Each data type has a designated university data steward responsible for governance, which includes:

  • Assigning the appropriate classification based on sensitivity and criticality
  • Approving standards and procedures for the day-to-day management of the data
  • Defining the criteria for access


For example, the Michigan Medicine Corporate Compliance office serves as the data steward for HIPAA data. They alone have the authority to determine whether data qualifies as Protected Health Information (PHI) and to approve which technologies may be used with it.

Data stewards also approve specific university services for their data types. These approvals are listed in the Sensitive Data Guide, which also outlines special usage requirements. For instance, when storing PHI in Dropbox, you must use a Dropbox Team Folder.

It’s important to note that all data types still fall under a classification level. For example, Sensitive Identifiable Human Subject Research is classified as High, which means it requires many of the same safeguards as PHI.

Learn more about the Sensitive Data Guide.

Learn more about data stewardship at the university and who the data stewards are.


How to classify your data

Before entering the assurance process, it is essential to classify your data to determine the appropriate level of protection, security controls, and approval requirements. Determining the Data Classification Level helps identify potential risks and ensures that the right safeguards are applied based on the sensitivity of the information—whether it involves public, internal, sensitive, or restricted data. This step lays the foundation for an efficient and accurate Information Assurance: Michigan Medicine review, helping to protect both the institution and its researchers.

You can determine your data classification by using this guide.

If you need help classifying PHI, then submit a request here.
