This procedure assists University community members and data users in identifying the appropriate security level for an IT resource that stores, processes, transmits, accesses, or has the ability to impact the security of the data.
This includes all University owned devices, vendor solutions, and personally owned devices used for University business. The security level combines the data security classification (confidentiality) with the need to protect the integrity, and availability of the data. The security levels being used for new computers are High and Medium. The security level is used in the Information Security standards to determine whether a security control is required, recommended, or optional at that level.
Note that for specific compliance areas (e.g., HIPAA, PCI DSS, FISMA) additional controls beyond those specified in the standards may apply. Contact the appropriate Compliance Officer for details.
Procedure and Security Level Tables
The general procedure to assign a security level to a computer is determined by University Information Security (UIS) and is outlined in a respective policy. The following steps are an overview and should not be used to replace the UIS policy, below.
- Identify the type of IT Resource.
- Identify the Data Security Classification.
- Identify the Security Level.
- Review the Security Level with the Data Owner.
Refer to the University Policy Library's Identifying Security Level policy to properly classify a given device's Security Levels.
The Policy Library is the official source of information for this subject; as such, tables are not duplicated on this page.