Type
Information Technology Policies
Category
Information Security Policies


Requirements

The following are the minimum security requirements that must be followed for each DCL.

Data Classification Level (DCL)Minimum Security Requirements
Level 1: Public Data
  • Device must be physically secured at all times.
  • Report lost or stolen devices that are used for work purposes, regardless of ownership, to the appropriate ISO per the Mandatory Reporting Requirement.
Level 2: Sensitive Data
  • Must comply with DCL1 requirements.
  • Device encryption or password protection for files stored on the storage device is recommended.
Level 3: Restricted Data
  • Must comply with DCL1 and DCL2 requirements.
Level 4: Highly Restricted Data
  • Must comply with DCL1, DCL2 and DCL3 requirements.
  • Device encryption required.

Data Disposal

Levels 1-4: All portable storage devices that are surplussed or otherwise disposed of must follow University surplus property and data disposal policies.

Personally-Owned Devices

Levels 1-4: Personally-owned portable storage devices used for University business must be managed according to the same standards as University-issued devices.

Travel

Levels 1-4: Review and follow the Information Security Travel Standard when traveling with a portable storage device.