Protection Levels

UC Institutional Information and IT Resources are classified into one of four Protection Levels based on the level of concern related to confidentiality and integrity. P4 requires the most security controls and P1 requires a minimal set of controls.

Information and IT Resources must be properly protected based on the value of the Institutional Information and IT Resource and the likelihood that the information or resource may be targeted for theft. It is important to classify assets accurately as over-classification may result in additional complexity, cost and compliance requirements. Under-classification may result in inadequate protections that could lead to data or resource compromise.

More information on the new UC Classification Standard can be found at: https://security.ucop.edu/files/documents/policies/institutional-information-and-it-resource-classification-standard.pdf

Protection Level 1 (P1)


Institutional Information and IT Resources intended to be readily obtainable by the public, but whose integrity is important and for which unauthorized modification is the primary protection concern. IT Resources for which the application of minimum security requirements is sufficient.

Examples:

  • Public-facing websites
  • Course catalogs
  • Published research
  • Press releases
  • Parking information

Protection Level 2 (P2)


Institutional Information and related IT Resources that may not be specifically protected by statute, regulations or other contractual obligations or mandates, but are generally not intended for public use or access. In addition, information of which unauthorized use, access, disclosure, acquisition, modification or loss could result in minor damage or small financial loss, or cause minor impact on the privacy of an individual or group.

Examples:

  • Routine business records
  • Building plans
  • Draft research papers
  • Unpublished research
  • De-identified research data
  • UCI directory information (faculty, staff and students who have not requested a FERPA block)

Protection Level 3 (P3)


Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties or civil actions. Institutional Information of which unauthorized use, access, disclosure, acquisition, modification, loss or deletion could result in moderate damage to UC, its students, patients, research subjects, employees, community and/or reputation; could have a moderate impact on the privacy of a group; could result in moderate financial loss; or could require legal action. This classification level also includes lower risk items that, when combined, represent increased risk.

Examples:

  • Student records
  • UC Personnel records
  • IT security information
  • Security camera recordings
  • Export-controlled research

Protection Level 4 (P4)


Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations. Statutory, regulatory and contract obligations are major drivers for this risk level. Other drivers include, but are not limited to, the risk of significant harm or impairment to UC students, patients, research subjects, employees, guests/program participants, UC reputation, or the overall operation of the Location or essential services. This classification level also includes lower risk items that, when combined, represent increased risk.

Examples:

  • Credit card information
  • Payroll information
  • Financial aid information
  • Protected health information (PHI)
  • Social security numbers
  • Sensitive identifiable human subject research data
  • Passwords, PINs, passphrases, or other authentication secrets
  • Protected Personally Identifiable Information (PII) in large data sets

Protected Personal Identity Information (PII)


Electronic information that includes:

1) An individual's first name or initial, and last name, in combination with any one or more of the following:

  • Social Security number (SSN)
  • Driver's license number or State-issued Identification Card number (including Passport)
  • Financial account number, credit card number*, or debit card number in combination with any required security code, access code, or password
  • Personal medical information**
  • Health insurance information
  • Information or data collected through the use/operation of an automated license plate recognition system

or 2) User name or email address with password or security question and answer that would permit access to an online account

* Credit card information is also regulated by the Payment Card Industry (PCI) Data Security Standard.

** Personal medical information is also regulated by HIPAA.

Critical Infrastructure


IT Resources that manage unrelated sets of Institutional Information or sets of large or particularly sensitive Institutional Information.

Or:

IT Resources that meet both of the following conditions:

  a) Several information systems rely on the resource, such that a security issue with the resource would affect multiple systems.
  b) The default or standard method for securing the system is inappropriate due to an elevated level of risk, complexity, or the specialized nature of the IT Resource.

Examples:

  • Active Directory
  • Single departmental server performing many critical functions
  • Encryption key management system protecting keys for many systems
  • Domain Name System (DNS)
  • Wired and wireless networking equipment that provides access to Institutional Information and IT Resources.
  • Authentication or authorization services