Data Classification
The CSU system uses four data classification levels based on access, privacy, security standards and the risks associated with improper use. Data must be classified at the highest level based on the risk of improper use and may have only one classification, as levels are mutually exclusive.
All data users are responsible for the use and protection of system and institutional data throughout its lifecycle. Data handling must comply with the System Information Security Policy and any other applicable System or Institutional policies, standards, procedures, or other guidance regarding data security and data privacy.
The System uses four data classification levels based on the nature of the data and the risks associated with improper use, which are set forth in this section.
Classification Levels
Level 1 (Public)
Access: Data are intended for broad use within the System or for public use.
Risk: Improper use of Level 1 Data results in low or no risk to the System, its Institutions, or individuals. Level 1 Data must be given normal security protection to prevent improper use.
Examples: Examples of Level 1 Data include, but are not limited to, student Directory Information as defined by the Family Educational Rights and Privacy Act, course catalogs, financial audits, position vacancies with salary ranges, faculty education/degrees, and press releases.
Level 2 (Internal)
Access: Level 2 Data are intended for somewhat limited use within the System and/or any of its Institutions. Level 2 Data have controlled access mechanisms such as supervisor approval and may be distributed only in accordance with the Principle of Least Privilege.
Risk: Improper use of Level 2 Data results in moderate risk to the System, its Institutions, or individuals, including social, psychological, reputational, financial, and legal harm. Level 2 Data must be given heightened security protection to prevent improper use or disclosure.
Examples: Examples of Level 2 Data include, but are not limited to, internal memos and other internal documents, draft reports or scholarly writings, marketing or other promotional information (before authorized release), floor plans, and embargoed rankings.
Level 3 (Confidential)
Access: Level 3 Data are intended for more limited use within the System and have controlled access mechanisms with additional data access controls, such as approvals from supervisors and Data Stewards. Level 3 Data or above should not be distributed to or accessed by agents outside the System on its behalf without explicit approval by the Data Governance Steering Committee.
Risk: Improper use of Level 3 Data results in considerable risk to the System, its Institutions, or individuals, including social, psychological, reputational, financial, and legal harm. Level 3 Data must be given high security protection to prevent improper use or disclosure.
Examples: Examples of Level 3 Data include, but are not limited to, personnel records, donor information, passwords, assessment data, and any PII not classified as Level 4.
Level 4 (Restricted)
Access: Data are intended for extremely limited use within the System and have strictly controlled access mechanisms. Secondary support from a supervisor and data trustees is also typically required.
Risk: Improper use of Level 4 Data results in severe risk to the System, its Institutions, or individuals, including civil and criminal penalties, loss of funding, and elimination of the ability to obtain future funding or partnerships. Level 4 Data must be given the highest security protection to prevent improper use or disclosure.
Examples: Examples of Level 4 Data include, but are not limited to, biometric Data, Controlled Unclassified Information Data, Criminal Justice Information Services Data, individually identifiable financial information (e.g., bank account numbers, credit card/debit card numbers, account balances, etc.), government-issued identification and related numbers (e.g., passport, driver’s license, national identification number, national identity card, Social Security Number, taxpayer identification numbers, visa numbers, etc.), and any other information with federal security compliance requirements.