University of Washington
Administrative Policy Statements
June 27, 2008 2.10.1


Minimum Data Security Standards:
Data Classification and Related Measures of Protection

(Approved by the Provost and Executive Vice President by authority of Executive Order No. 4, Senior Vice President for Finance and Facilities by authority of Executive Order No. 5, and the Vice President of UW Technology by authority of Executive Order No. 63)


1.   Background

a. Context for the Minimum Data Security Standards

The University of Washington (UW) solicits, acquires, generates, and maintains a large amount of electronic information. In addition, the UW often enters into relationships with third parties who, as an aspect of the relationship, maintain electronic information. The UW is often legally required, and frequently otherwise desires for privacy reasons, to limit access to, and to limit the distribution and disclosure of, electronic information.

This document describes standards that are specific to the protection of UW information assets in electronic form (data). The intent of these standards is to support existing UW policy and information protection objectives by defining a minimum set of security standards that also support the UW's compliance requirements.

Proper protection of data is determined by a combination of compliance requirements mandated by state and federal government statutes and regulations, accepted best practices, and institutional risk management decisions. The approach taken at the UW is to adopt a classification scheme for all data and to define measures and practices that provide appropriate protection for each class of data.

b. Purpose

Minimum Data Security Standards describe the minimum standards the UW will strive to achieve, in appropriate circumstances, to limit access to, and to limit the distribution and disclosure of, electronic information. This standard should be read and applied in conjunction with the policy statement it serves, APS 2.1, "UW Information Systems Security," and a companion Security Standard, the UW Minimum Computer Security Standards. Together, these three documents strive to prevent:

  • Unauthorized internal access to electronic information.
  • Unauthorized external access to electronic information.
  • Illegal or otherwise inappropriate use of UW electronic information.
  • Loss, corruption, or theft of UW electronic information.

c. Applicability

This minimum data security standard applies to all data associated with UW business; to any other data caches covered by statutory or regulatory compliance requirements that are found in all UW colleges, schools, departments, and other business units; and to data caches on UW affiliates' information systems. Data associated with UW-hosted research efforts that represent significant intellectual property interests are also subject to this standard and, in addition, may be subject to other specific protective requirements.

Any questions about the applicability of this standard can be forwarded to the UW Chief Information Security Officer (CISO) for review by the Privacy Assurance and Systems Security (PASS) Council.

d. Audience

The targeted audience for this standard includes all UW system owners and designated data custodians (see Definitions from APS 2.1, "UW Information Systems Security"). It is also for all individuals who have access to and use UW information systems and data assets.
