Information Classification and Handling Standard - Section C

C. Designation of Classification Levels

The responsibility for determining the appropriate classification level is shared by the campus and the Senior Director of Information Security, within the Office of the Chancellor.

  • The Senior Director of Information Security, within the Office of the Chancellor, has designated what information will be classified as Level 1 and reviews the requirements for the protection of Level 1 information on a periodic basis.
  • The campus will designate Information Authorities responsible for the oversight of Information Protection policies. This designation will be maintained in a separate document.
  • Information Authorities will review University information on a periodic basis and classify it according to its use, sensitivity and importance to the University.
  • Part of the classification process will include determining the appropriate Information Authority to provide oversight.
  • Information Authorities will evaluate and ensure that information below Level 1 has been classified properly according to university and regulatory requirements, and guidance from the Campus Information Security Office.
  • Information Classification Standards will be reviewed on a periodic basis by the Information Security Office.
  • The Information Authorities can elect to move or add data elements from Level 2 to Level 3 or from Level 3 to Level 2.
  • The Information Authorities can elect to move or add data elements from Level 2 and 3 to Level 1, that is, a data element classified as Level 2 can be moved to a Level 1 classification.
  • The Information Authorities cannot elect to move CSU designated data elements from Level 1 to a lower level with less protection requirements than the CSU designates.
  • Aggregates of data should be classified based upon the most secure classification level. That is, when data of mixed classification exist in the same file, screen/view, document, report or memorandum, the classification of that file, screen/view, document, report or memorandum will be of the highest applicable level of classification.

Continue to Section D | Return to Table of Contents

Related Content

Best Practices

10 Best Pactices

Our 10 Best Pactices

Contact Us

Contact Information Security at 756-7000

Contacts

Did you know?

Stay Safe Online Tips