
Work With & Handle P3/P4 Data

Proper classification and protection of high-risk data and assets is required by policy and is very important to managing information security risk at the University.

Depending on your role at UCI, you may be required to work with protected data. It is important that you understand the security controls required to handle, store, and share P3/P4 Institutional Information and IT Resources.

 

Handling of P3/P4 Data

When handling P3/P4 data, it is required that you:

      • Avoid the use of P3/P4 data to the extent possible. If it is not needed, do not use it.
      • Ensure the device you are using to access P3/P4 data meets all Minimum Security Standards.
      • Ensure your work environment meets all requirements when working remotely.
      • NEVER copy P3/P4 data onto a personal device.
      • Always check with your Unit for any additional or special security requirements.
      • Immediately report any possible breach of data to OIT Security.

 

Storage of P3/P4 Data

When storing P3/P4 data, it is required that you:

      • Do not make unnecessary copies of P3/P4 data.
      • Ensure the system storing P3/P4 data has intrusion detection monitoring and alerting enabled.
      • Ensure P3/P4 data is stored encrypted and disposed of securely when no longer needed.
      • Ensure system and file permissions only permit authorized user access.
      • Choose the appropriate cloud service or research environment based on data classification.

 

Sharing of P3/P4 Data

When sharing P3/P4 data, it is required that you:

      • Only share data with authorized individuals who have an institutional need to access the data.
      • Use a UCI-approved solution to share P3/P4 data. UCI’s recommended solution is the UCI-managed OneDrive (with step-by-step instructions).
      • Ensure all links or access to shared data require authentication and specific authorized users.
      • Ensure that access rights are disabled and removed when access to the data is no longer needed.
      • Ensure all transfers of data over the network are over encrypted connections.

 

Managing P3/P4 Assets

Proprietors and IT Owners of systems containing P3/P4 data must meet all the minimum requirements above in addition to:

 

For any questions regarding the UCI classification requirements, please email Security Risk and Compliance at securityrisk@uci.edu.