This procedure assists University community members and data users in identifying the appropriate security level for an IT resource that stores, processes, transmits, accesses, or has the ability to impact the security of the data.
This includes all University owned devices, vendor solutions, and personally owned devices used for University business. The security level combines the data security classification (confidentiality) with the need to protect the integrity, and availability of the data. The security levels are High, Medium, or Low. The security level is used in the Information Security standards to determine whether a security control is required, recommended, or optional at that level.
Note that for specific compliance areas (e.g., HIPAA, PCI DSS, FISMA) additional controls beyond those specified in the standards may apply. Contact the appropriate Compliance Officer for details.
Procedure and Security Level Tables
The general procedure to assign a security level to a computer is determined by University Information Security (UIS) and is outlined in a respective policy. The following steps are an overview and should not be used to replace the UIS policy, below.