Data Governance and Classification Policy v3.10 Page 2 of 4
Public data. See Data Classification and Data Types for additional information and
examples.
• Controlled Unclassified Information (CUI): Controlled Unclassified Information
(CUI) is information that requires safeguarding or dissemination controls
pursuant to and consistent with applicable law, regulations, and government-
wide policies but is not classified under Executive Order 13526 or the Atomic
Energy Act. Export Controlled data is a subset of CUI. Export Controlled data often
comes as a specific clause within the Defense Federal Acquisition Regulation
Supplement (DFARS 252.204-7012)
• Restricted: Data is classified as Restricted when the unauthorized disclosure,
alteration or destruction of that data could cause a significant level of risk to the
university or its affiliates. Users of Restricted data must follow all safeguards for
Controlled data plus additional safeguards identified for Restricted data. High
levels of security safeguards must be applied to Restricted data.
• Controlled: Data is classified as Controlled when the unauthorized disclosure,
alteration or destruction of that data could result in a moderate level of risk to the
university or its affiliates. By default, all institutional data that is not explicitly
classified as CUI, Restricted or Public data must be treated as Controlled data. A
reasonable level of security safeguards must be applied to controlled data.
• Public: Data that is readily available to the public. This data requires no
confidentiality or integrity protection. Public data needs no additional protection.
Minimum Safeguards
The responsibility of protecting university data is shared by everyone that uses,
accesses or stores such data. Required safeguards depend on the data classification.
See Minimum Safeguards for more information.
Roles and Responsibilities
There are four data user roles with differing levels of responsibilities. See Roles and
Responsibilities for more information.
• Trustees: Senior university officials or their designees who have planning and
policy level responsibility for data within their functional areas and management
responsibility for defined segments of institutional data.
• Stewards: University officials having direct operational-level responsibility for the
management of one or more types of institutional data. Data Stewards in
coordination with Data Custodians must implement and apply safeguards that
meet or exceed the Minimum Safeguards of each data classification.