Information Classification and Handling Standard


Information asset classification is required to determine the relative sensitivity and criticality of information assets, which provide the basis for protection efforts and access control. This document provides guidelines for the classification of information as well as its labeling, handling, retention and disposition.

A. Information Classification

Information classification is the process of assigning value to information in order to organize it according to its risk to loss or harm from disclosure. The Cal Poly information classification and handling standard establishes a baseline derived from federal laws, state laws, regulations, California State University (CSU) Executive Orders, CSU policies, and campus policies that govern the privacy and confidentiality of information.


This information classification and handling standard applies to:

  • All information or data collected, generated, maintained, and entrusted to Cal Poly and its auxiliary organizations (e.g., student, research, financial, employee data) except where superseded by grant, contract, or federal copyright law.
  • Information in electronic or hard copy form.

B. Classification Levels

C. Designation of Classification Levels

D. Security Controls for Classifications

E. Information Handling by Classification

F. Information Protection Roles and Responsibilities

G. Non-Compliance and Exceptions

Appendix A:  References and Legislative Resources


Effective Date: 9/1/2010
Review Frequency: Annual
Responsible Officer:

Vice Provost/Chief Information Officer

Information Security Officer

Revision History

Date Action Pages
07/14/2011 Updated Facilities classification levels Sec B
02/01/2011 Updated handling section for electronic mail of level 2 information to indicate that it may be sent by electronic mail to those who have a business need-to-know and are Cal Poly employees, its auxiliary employees, contractors or vendors who have signed a confidentiality-security agreement. Sec E
8/20/2010 Released final version for posting on the web and notified campus constituents All
5/20/2010 Reviewed and consulted with Information Resource Management Policy and Planning Committee (IRMPPC) All
4/21/2010 Reviewed and consulted with Administrative Advisory Committee on Computing (AACC) All
4/16/2010 Reviewed and consulted with Instructional Advisory Committee on Computing (IACC) All
3/3/2010 Reviewed and consulted with LAN Coordinators All
2/23/2010 Reviewed and consulted with Information Security Committee All
2/17/2010 Reviewed and consulted with Information Security Management Team All
1/26/2010-8/18/2010 Made additions and revisions for Cal Poly All
1/26/2010 Acquired source document from Cal Poly Pomona All


Related Content

Best Practices

10 Best Pactices

Our 10 Best Pactices

Contact Us

Contact Information Security at 756-7000


Did you know?

Stay Safe Online Tips