Information Classification and Handling Standard - Section B

B. Classification Levels

The California State University (CSU) has identified three classification levels that are referred to as Level 1, Level 2, and Level 3. Although all the enumerated information values require some level of protection, particular data values are considered more sensitive and correspondingly tighter controls are required for these values. All University information should be reviewed on a periodic basis and classified according to its use, sensitivity and importance to the University and in compliance with Federal and/or State laws. The level of security required will depend in part on the effect that unauthorized access or disclosure of those data values would have on University operations, functions, image or reputation, assets, or the privacy of individual members of the University community.

Each level will have a defined risk/sensitivity category indicating the potential harmful impact to the university if the integrity of that resource is compromised:

  • High - An unauthorized disclosure, compromise or destruction would result in severe damage to Cal Poly, its students, or employees. Violation of statutes, regulations, or other legal obligations, financial loss, damage to Cal Poly’s reputation, and possible legal action could occur.
  • Moderate - An unauthorized disclosure, compromise or destruction would directly or indirectly have an adverse impact on Cal Poly, its students, or employees. Financial loss, damage to Cal Poly’s reputation, and possible legal action could occur.
  • Low - Knowledge of this information does not expose Cal Poly to financial loss, or jeopardize the security of Cal Poly’s information assets.

Classification Level 1: Confidential

Confidential information is information maintained by the University that is exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws or classified as confidential by Cal Poly. Confidential information is information whose unauthorized disclosure, compromise or destruction would result in severe damage to Cal Poly, its students, or employees. Financial loss, damage to Cal Poly’s reputation, and possible legal action could occur. Level 1 information is intended solely for use by Cal Poly employees, its auxiliary employees, contractors, and vendors covered by a confidentiality-security agreement with a business need-to-know. Statutes, regulations, other legal obligations or mandates protect much of this information. Disclosure of Level 1 information to persons outside of the University is governed by specific standards and controls designed to protect the information.

Risk/Sensitivity:

High

Examples of Level 1 Information Include:

Personally Identifiable Information (PII)

  • Passwords or login credentials that grant access to level 1 and level 2 data
  • PINs (Personal Identification Numbers)
  • Birth date combined with last four digits of SSN and name
  • Driver’s license number, state identification card number, and other forms of national or international identification (such as passports, visas, etc.) in combination with name
  • Social Security number (both complete and last 4 digits) and name
  • Biometric information (e.g., fingerprint, voice recording, palm print, iris scan, DNA)
  • Email addresses/username with password or security question responses
  • Electronic or digitized signatures
  • Private key (digital certificate)

Financial Information

  • Credit card numbers with cardholder name
  • Bank account or debit card information in combination with any required security code, access code, or password that would permit access to an individual's financial account
  • Tax ID with name

Health Information

  • Health insurance information
  • Medical records related to an individual
  • Psychological Counseling records related to an individual

Law Enforcement Information

  • Law enforcement personnel records
  • Criminal background check results
  • Law enforcement records related to an individual
  • Vulnerability/security information related to campus law enforcement operations

Classification Level 2: Internal Use Only

Internal Use Only is information which must be protected due to proprietary or privacy considerations. Although possibly not specifically protected by statute, regulations, or other legal obligations or mandates, unauthorized use, access, disclosure, acquisition, modification, loss or deletion of information at this level could cause financial loss, damage Cal Poly’s reputation, violate an individual’s privacy rights, or result in legal action. Level 2 information is intended for Cal Poly employees, its auxiliary employees, contractors, and vendors covered by a confidentiality-security agreement with a business need-to-know.

Risk/Sensitivity:

Moderate

Examples of Level 2 Information Include:

Identity validation keys

  • Birth date (full: mm-dd-yy)
  • Birth date (partial: mm-dd only)

Employee Information

  • Home or mailing address
  • Birthplace (City, State, and if not USA, Country)
  • Employee identification (EmplID)
  • Employee net salary
  • Employment history
  • Mother’s maiden name
  • Personal telephone numbers
  • Personal email address
  • Parents and other family members’ names
  • Emergency contact names and telephone numbers
  • Payment history
  • Employee evaluations
  • Pre-employment background investigations
  • Race and ethnicity
  • Gender
  • Marital status
  • Personal characteristics (e.g., hobbies)
  • Physical description
  • Photograph (taken for identification purposes)

Student Information

  • Educational records of individual students (Excludes directory information such as name, mailing address, preferred telephone listing, e-mail address, major, etc. Refer to specific FERPA information for details about directory information).
    • Student identification (EmplID)
    • Home or mailing address
    • Personal telephone numbers
    • Personal email address (excludes Cal Poly username@calpoly.edu)
    • Ethnicity
    • Gender
    • Birthplace
    • Grades
    • Courses taken
    • Schedule
    • Test Scores
    • Advising records
    • Educational services received
    • Disciplinary actions    
  • Non-directory student information may not be released except with Office of the Registrar’s approval and only under certain prescribed conditions.

Facilities Information

  • Construction drawings of existing campus buildings
  • Maps of Campus utility systems
  • Other detailed drawings of sensitive campus facilities 

Legal Information

  • Campus attorney-client communications
  • Legal investigations conducted by the University
  • Settlements and claims against the University
  • Accident reports and investigations

Library Information

  • Information linking a library user with the specific subject on which the library user has requested information or materials
  • Registration records related to an individual patron’s information
  • Circulation records related to an individual borrowing particular books and material

Purchasing and Accounts Payable Information

  • Sealed bids prior to award
  • Identifiable information (purchase order) of the supplier/company

University Donor Information

  • Name
  • Home or mailing address
  • Personal telephone numbers
  • Personal email address
  • Donation if request is for anonymous gift/donation

University Research

  • Trade secrets or intellectual property such as research activities
  • Information covered by a specific non-disclosure agreement

Technical Security Information

  • Vulnerability/security information related to a campus or computer information system

Other Information

  • Location of critical or protected assets
  • Licensed software

Classification Level 3: Publicly Available

Publicly Available information is information that is explicitly defined as public (e.g., state employee salary ranges), intended to be readily available to individuals both on and off campus (e.g., an employee’s work email addresses), defined in the California Public Records Act, or not specifically classified elsewhere in the protected information classification standard. Knowledge of this information does not expose Cal Poly to financial loss, or jeopardize the security of Cal Poly’s assets. Publicly Available information may be subject to appropriate campus review, facilities’ procedures, employee’s procedures, or student’s procedures to mitigate potential risks of inappropriate disclosure.

Risk/Sensitivity:

Low Risk

Examples of Level 3 Information Include:

Campus Identification Keys

  • Cal Poly User Name (do not list in a public or large aggregate list, as protection against spam)

Note: If a student has requested confidentiality via the Cal Poly Portal this information is no longer public for that student (this is commonly known as setting their FERPA flag).

Employee Information

  • Employee title
  • Employee public email address
  • Employee work location and telephone number
  • Employing department
  • Employee classification
  • Employee gross salary
  • Name (first, middle, last) (except when associated with protected information)
  • Signature (non-electronic)

Financial Information

  • Financial budget information
  • Purchase order information

Student Information (Directory Information)

  • Name
  • Major Field of Study
  • Participation in officially recognized sports/activities
  • Weight and Height of athletic team members
  • Dates of Attendance
  • Full or Part-time status
  • Degrees and awards received
  • Campus E-mail address
  • Most recent or previous college/university/agency attended

Note:  If the student has requested confidentiality via the Cal Poly Portal this information is no longer public for that student (this is commonly known as setting their FERPA flag).

