Information Classification and Handling Standard - Section C
C. Designation of Classification Levels
The responsibility for determining the appropriate classification level is shared by the campus and the Senior Director of Information Security, within the Office of the Chancellor.
- The Senior Director of Information Security, within the Office of the Chancellor, has designated what information will be classified as Level 1 and reviews the requirements for the protection of Level 1 information on a periodic basis.
- The campus will designate Information Authorities responsible for the oversight of Information Protection policies. This designation will be maintained in a separate document.
- Information Authorities will review University information on a periodic basis and classify it according to its use, sensitivity and importance to the University.
- Part of the classification process will include determining the appropriate Information Authority to provide oversight.
- Information Authorities will evaluate and ensure that information below Level 1 has been classified properly according to university and regulatory requirements, and guidance from the Campus Information Security Office.
- Information Classification Standards will be reviewed on a periodic basis by the Information Security Office.
- The Information Authorities can elect to move or add data elements from Level 2 to Level 3 or from Level 3 to Level 2.
- The Information Authorities can elect to move or add data elements from Levels 2 and 3 to Level 1; that is, a data element classified as Level 2 can be moved to a Level 1 classification.
- The Information Authorities cannot elect to move CSU-designated data elements from Level 1 to a lower level with fewer protection requirements than the CSU designates.
- Aggregates of data should be classified based upon the most secure classification level. That is, when data of mixed classification exist in the same file, screen/view, document, report or memorandum, the classification of that file, screen/view, document, report or memorandum will be of the highest applicable level of classification.