Decision Tree

The Classification Decision Tree is a guide to help individuals understand what classification level their Institutional Information or IT Resource fits into. This decision tree should be treated as a guide to help individuals and not the ultimate decision maker for classifying assets. When a classification level is suggested it is strongly recommended to review the controls associated with that classification level to make sure the controls best meet the need to properly protect the Institutional Information and/or IT Resource. You can always reach out to securityrisk@uci.edu for questions and additional guidance.

Classification Decision Tree Instructions

Step 1: Understand what type of Institutional Information and IT Resources you have.

Know what type of Institutional Information you have:

    • Identify who the Institutional Information Proprietor is and ask about the classification level for the Institutional Information. The Proprietor is the data owner and has the final decision on the data’s classification level.
    • Ask the Proprietor about any special data handling requirements (e.g., compliance and protection requirements, etc.).
    • Investigate and understand what harmful things someone can do with the Institutional Information. Understand what the data elements of the Institutional Information can be used for.
    • Know if this Institutional Information is the master source of record.

Know what type of IT Resource you have:

    • Explore what type of Institutional Information the IT Resource processes, transmits, and stores.
    • Investigate and identify what other assets this IT Resource communicates with.
    • Identify the level of impact or harm if the IT Resource were ever falsely modified or if someone gained unauthorized access to it.
    • Understand which IT Resources are considered Critical IT Infrastructure.
    • Identify the IT Resource owner and ask about any special security control requirements.

Step 2: Walk through the Classification Decision Tree

Step 3: Review the protection level the Classification Decision Tree suggests.

Review the Protection Level description and the required controls for the suggested protection level. Make sure the controls associated with the protection level best meet the need to properly protect the Institutional Information and/or IT Resources.

Additional Details and Examples

Impact to Privacy

It is important for Units to understand what Institutional Information they have and how the unauthorized disclosure of that information could impact an individual’s privacy. Privacy at UCI consists of: (1) the individual’s ability to conduct activities without concern of or actual observation and (2) the appropriate protection, use, and release of information about individuals.

Some things to think about include:

    • Can the elements of the information collected be used for:
        • Discrimination
        • Surveillance
        • Blackmail or humiliation
        • Hurting an individual or putting them in severe harm or danger
    • Authorized use and access of data
        • What did individuals expect the Campus to do with the information (authorized uses)?
        • Who is allowed to receive this information (authorized disclosures)?
        • Did we tell individuals how we would use, store, share, and delete the information (notice of privacy practices)?
        • How do we safeguard the data to prevent unauthorized access, use, or disclosure?

Please visit the UCI Privacy Webpage for more details.

Large Data Set Amount

The Unit best understands its Institutional Information and the risk associated with it. The definition of “large” could be different for every Unit. It is important to think about how much of an impact it would have on the Campus if this information were ever compromised. The definition of “large” should be based on the risk associated with the type of data involved. Below are some general guidance examples of “large” vs. “small” data sets:

    • Large Data Sets
        • Extract of employee data of all UCI employees, or of large units or large workgroups.
        • Extract of student data of all UCI students, or of large schools or large academic programs.
    • Small Data Sets
        • Extract of employee data in an individual unit.
        • Extract of student information of students enrolled in a school or small academic program.

An example of a measurement that can be used to determine volume is the number of records outlined within the UC Terms and Conditions of Purchase document:

    • Less than 70,000 records = Small
    • 70,000 or more records = Large

Within the UC Terms and Conditions of Purchase document, the threshold of 70,000 records determines the amount of insurance coverage required. This can be used as a starting point to determine what is considered a large data set versus a small data set.

Context and Comprehensive

It is important for Units to understand what Institutional Information and IT Resources they have and the context in which the information is being used or could be used. Think about whether anyone could misuse or abuse the information in a malicious way. Below are some general guidance examples of what someone could use the data elements to do:

    • Steal an individual’s identity or impersonate someone
    • Reset an individual’s login credentials
    • Change someone’s account information or status

Special Security Requirements

Special security requirements can be specific controls required by an external party. These requirements can be tied to federal grants, research funding, insurance agreements, and other contracts or obligations. The requirements of those controls will help determine the appropriate protection level.