To apply security measures in the most appropriate and cost-effective manner, data (regardless of format) must be evaluated and assigned a Data Classification Level (DCL). The DCL of the data establishes the extent and type of information security measures that must be implemented.
The security requirements set forth are high-level requirements that establish the minimum standards that must be followed for each DCL.
Exceptions and Other Considerations
Exceptions to the standards in this document may be required due to budget, functional or technology limitations. Exceptions must be approved and documented by the Information Security Office at each business unit. Exceptions must also be eliminated as soon as is reasonably possible.
The value or criticality of the information asset must also be taken into consideration when assigning a DCL. For example, a system may hold data that is only classified as DCL1, but concerns about data integrity or the value of the asset to the University may justify managing the asset at a higher DCL. The primary public web site for each business unit might be an example of this situation. Data custodians and data stewards should work together to classify and manage the information assets for which they are responsible based on a thorough understanding of the overall value of the asset.