Data Classification Levels

Data is everywhere. We deal with it every day. It comes in all shapes and sizes, from the post-it note on the side of our computer monitors, student records in PeopleSoft, or an email from a manager, to the complex data set we use for our research.  It is important to realize that the data we deal with on a daily basis is classified by its content and the audience it can be shared with.  It is important to understand these classifications when deciding where to store the data and who it is shared with. This page gives details about the four levels of data classification used by the UM System and will give a brief overview of how to ensure that your storage device is encrypted.

 

S&T IT uses the Data Classification System as defined by UM System to determine how to classify data. There are four levels of classification: Public, Sensitive, Restricted, and Highly Restricted. 

 

The infographic defines the name of the four data classification levels and their examples.

 

DCL1 (Public) data is created for the public.  Information in the eConnection or on the IT website is public data and does not harm anyone or anything associated with it. You can store DCL1 data anywhere and share it with anyone because it is intended for a public audience.

 

DCL2 (Sensitive) data is not public and could be considered harmful if disclosed. There is no policy on the disclosure of DCL2 information. For example, there is no policy against the release of staff home phone numbers, but people would be very unhappy to find such a list available online. DCL2 data can be stored anywhere that is not publicly accessible, such as in cloud storage or saved on your computer's storage devices.  You can share DCL2 data in email.

 

DCL3 (Restricted) data is restricted from disclosure by regulations and policies. For example, FERPA protected data is DCL3 data, and accidental disclosure of this information can have very serious consequences for you and the University. DCL3 data can be stored on campus network storage, which you will hear referred to as the S&T S: and Y: drives.  IT Security recommends against storing DCL3 data on campus computers and discourages storing DCL3 on a laptop or unencrypted USB drive.  Laptops and unencrypted USB drives can easily get lost or stolen, and control of what happens to the data stored on them is also lost.

 

DCL4 (Highly Restricted) data is also restricted by regulations and policies that define unauthorized disclosure, but to a greater degree than DCL3 data.  Disclosing DCL4 data results in severe consequences.  An example of DCL4 data is Controlled Unclassified Information (CUI).  CUI pertains to data that is a part of government-funded research, and in the future will also include student financial aid information.  You should only store DCL4 data on approved cloud storage when given explicit permission to do so, or on encrypted hard drives. Check with the campus information security officer to make sure that any transfer or storage of DCL-4 data on cloud storage is approved.

 

It is important to note that you can store and share DCL3, DCL2, and DCL1 data on any storage or sharing method approved for DCL4.  When in doubt, use DCL4 approved storage and sharing methods for any data. However, if you do use the same storage method for different data classification levels, make sure not to combine them.  Do not put DCL1 and DCL 4 data in the same folders. Put them in different folders to avoid accidentally sharing the more restrictive data.

Lists which storage and transfer devices can be used to store different classifications of data

To help you understand this graphic:

  • DCL 1 data can be stored or transferred on any tool.
  • DCL 2 data must be stored or transferred on email, computer storage, S & Y drives, Google Drive, Microsoft Teams, encrypted emails, OneDrive, and encrypted hard drives.
  • DCL 3 data must be stored or transferred on Google Drive, Microsoft Teams, encrypted emails, OneDrive, and encrypted hard drives.
  • DCL 4 data must be stored or transferred on encrypted emails and encrypted hard drives and can ONLY be stored or transferred on Teams or OneDrive when given permission by the campus information security officer.

If you have further questions about your data’s classification level or how to safely store and share it, feel free to contact IT Security at security@mst.edu.

 

How do I know if my hard drive is encrypted?

Before storing sensitive data on a hard drive, it is important to make sure that the hard drive is encrypted. To check for hard drive encryption, open the settings app and search for "Bitlocker." Click on "Manage Bitlocker" and a new window will open. This window will show whether or not your hard drive is encrypted. If it is not encrypted and you have a need for encryption to be enabled, you may need to get approval from a supervisor, submit a ticket to the help desk, or acquire administrator privileges.

Shows the process of checking whether or not your hard drive is encrypted

If you are on a personal computer, open the settings app and search for "Bitlocker." Select "Device Encryption" to see whether or not your hard drive is encrypted. If it is not encrypted, select "Turn On" and follow the steps to turn on encryption.

Showing how to check for encryption on a personal computer not attached to the UMSystem

Another way to check for encryption is to open File Explorer, then go to "This PC" and see if there is a lock icon next over your hard drive. If there is a lock icon, your hard drive is encrypted.

Unencrypted hard drive icon:

Showing what an unencrypted hard drive looks like in file explorer (no lock icon)

Encrypted hard drive icon:

Showing what an encrypted hard drive looks like in file explorer (lock icon is present)