Research Security Requirements–Data Classification


Overview

Data Classification

At the University of Michigan, all data is classified into one of four classification levels: Restricted, High, Moderate, and Low. This level determines what information security requirements are needed for particular projects or investments. For example, High data requires an extensive questionnaire called a CORL for any vendors involved. Moderate data only requires a short Vendor Security Questionnaire.

Learn more about the data classification levels.
Learn more about the information security requirements for each classification.

Data Types

Sensitive data is also broken down into different data types, mostly based around legal requirements. These are the more familiar terms like HIPAA, FERPA, and FISMA. Each data type has a designated data steward who is responsible for a number of things:*

  • Assigning an appropriate classification for their respective data areas based on their sensitivity and criticality
  • Approving standards and procedures related to day-to-day administrative and operational management of the data
  • Determining the appropriate criteria for obtaining access.

Data stewards have approved a number of university services for their data types. You can find which services are approved for which data types in the Sensitive Data Guide. Note that some services have specific instructions for using them with certain data types. For example, when using Dropbox for storing PHI, you must use a Dropbox Team Folder.

Note that every data type still has a data classification. For example, Sensitive Identifiable Human Subject Research is High, so it still requires many of the same protections as PHI.

Learn more about the Sensitive Data Guide.

* https://it.umich.edu/governance/data-governance/data-stewards

How to request a data classification

Before beginning any Information Assurance: Michigan Medicine approval processes, you need to know your data classification.

You can submit a data classification request by filling out this form.

 


Data Classification


 

 

At the University of Michigan, all data is classified into one of four classification levels: Restricted, High, Moderate, and Low. This level determines what information security requirements are needed for particular projects or investments. For example, High data requires an extensive vendor security risk questionnaire, while Moderate data does not.

Learn more about the data classification levels.
Learn more about the information security requirements for each classification.

 

 


Data Types

Sensitive data is also broken down into different data types, mostly based around regulatory requirements. These are the more familiar terms like HIPAA, FERPA, and FISMA. The university has designated data stewards for these different data types. The data stewards provide governance around their assigned data types, including but not limited to:

  • Assigning an appropriate classification for their respective data areas based on their sensitivity and criticality
  • Approving standards and procedures related to day-to-day administrative and operational management of the data
  • Determining the appropriate criteria for obtaining access.

For example, the data steward for HIPAA data is the Michigan Medicine Corporate Compliance office. They determine if data is PHI or not and decide what technology can be used with PHI. No one else has the authority to do this. 

Data stewards have approved a number of university services for their data types. You can find which services are approved for which data types in the Sensitive Data Guide. Note that some services have specific instructions for using them with certain data types. For example, when using Dropbox for storing PHI, you must use a Dropbox Team Folder.

Note that every data type still has a data classification. For example, Sensitive Identifiable Human Subject Research is High, so it still requires many of the same protections as PHI.

Learn more about the Sensitive Data Guide.
Learn more about data stewardship at the university and who the data stewards are.



How to request a data classification

Before beginning any Information Assurance: Michigan Medicine approval processes, you need to know your data classification.

You can submit a data classification request by filling out this form.
