Sensitive university data must be protected from compromise, such as unauthorized or accidental access, use, modification, destruction, or disclosure. Classifying or labeling the data helps determine the minimum security requirements necessary to keep it safe.

The university has adopted the following data classification types:

  • Highly Confidential Information
  • Confidential Information
  • Public Information

The type of classification assigned to information is determined by the Data Trustee—the person accountable for managing and protecting the information’s integrity and usefulness.

Review the Data Classification Table for the types of data you access, handle, or store. (Be mindful that this is not an exhaustive list of examples.)

IMPORTANT: Regulated data, such as HIPAA and Payment Card Industry (PCI) data, may have additional security requirements. If you access, handle, or store such data, contact your campus-specific IT department for more information.

To fully understand the risk associated with a service, take into account both the data classification and the impact.

Learn more about Adverse Impact
 

Data Classification Table

Type: Highly Confidential

Description: This type includes data elements that require protection under laws, regulations, contracts, relevant legal agreements and/or require the university to provide notification of unauthorized disclosure/security incidents to affected individuals, government agencies or media.

Requirements when accessing, handling or storing:
  • When possible, use university-supported services or systems that have been approved for handling highly confidential data.
  • Only share with the people who are authorized to use it for a legitimate business purpose; this includes verbal and written information.
  • Encrypt the data when sending or storing.
  • Ensure networks or systems used to handle or store the data have appropriate firewalls, monitoring, logging, patching, anti-malware, and related security controls.
  • Use university-provided computers when accessing or processing data. If this is not possible and you must use a personal computer, use remote desktop to connect to your university-provided computer.
  • Document the policy for data retention.
  • Contact your campus information security office to ensure protection of data if compensating controls are used to secure the data in place of the above-mentioned controls.

Examples:
  • Protected health data
  • Social security numbers
  • Payment card numbers
  • Financial account numbers, including university account numbers, student account numbers, and faculty and staff direct deposit account numbers
  • Driver's license numbers
  • Level 4 and 5 of student data (See Use Guidelines for Student Data)
  • Grievances/disciplinary action records
  • Research, proposals, research plans, and results subject to International Traffic in Arms Regulations/Export Administration Regulations (ITAR/EAR)
  • Controlled Unclassified Information (CUI)

Type: Confidential

Description: This type includes data elements that are usually not disclosed to the public but are less sensitive than highly confidential data. If a legally required and applicable Colorado Open Records Act (CORA) request is submitted, these records may be released.

Requirements when accessing, handling or storing:
  • Only share with the people who are authorized to use it for a legitimate business purpose; this includes verbal and written information.
  • Ensure networks or systems used to handle or store the data have appropriate firewalls, monitoring, logging, patching, anti-malware, and related security controls.
  • Use university-provided computers when accessing or processing data. If this is not possible and you must use a personal computer, use remote desktop to connect to your university-provided computer.

Examples:
  • Faculty and staff personnel records, benefits, salaries, performance evaluations, and employment applications
  • University insurance records
  • Donor contact data and non-public gift amounts
  • Fundraising data
  • Non-public policies
  • Internal memos and email, and non-public reports
  • Purchase requisitions, cash records, budgetary plans
  • Non-public contracts
  • University and employee ID numbers
  • Level 2 and 3 of student data (See Use Guidelines for Student Data)
  • Research proposals
  • Research plans and results
  • Internal/unpublished business documents

Type: Public

Description: This type includes any data on university websites to which the data trustee allows access without authentication and data made freely available through university print material.

Examples:
  • Directory data
  • Public policies
  • Published business documents