Classifying Institutional Information and IT Resources

At UC, protecting our Institutional Information and IT Resources is critical to our mission of teaching, research, and public service.

UC’s Electronic Information Security Policy (IS-3) defines requirements for the appropriate classification of Institutional Information and IT Resources to ensure their confidentiality, integrity and availability.

The policy uses a risk-based approach to identify effective controls based on the need to achieve a specific Protection Level or Availability Level. UC’s investment in security controls is commensurate with the level of need for protection or availability of the Institutional Information.

Protection Levels

All information has some level of risk and a minimum level of protection requirements. There are categories of information which have higher levels of risk either because of the sensitive nature of the information (e.g. medical treatment information) or because of the value of the information (e.g. a name and social security number).

Availability Levels

Institutional Information and IT Resources must be assigned one of four Availability Levels based on the level of business impact that their loss of availability or service would have on UC.


Availability Level Description
A1 - Minimal

Loss of availability poses minimal impact or financial losses.

A2 - Low

Loss of availability may cause minor losses or inefficiencies.

A3 - Moderate

Loss of availability would result in moderate financial losses and/or reduced customer service.

A4 - High

Loss of availability would result in major impairment to the overall operation of the Location and/or essential services, and/or cause significant financial losses. IT Resources that are required by statutory, regulatory and legal obligations are major drivers for this risk level.

Protection Level Description
P1 - Public

Public information or information intended to be readily obtainable by the public, but whose integrity is important and for which unauthorized modification is the primary protection concern. IT Resources for which the application of minimum security requirements is sufficient.

P2 - Internal

Institutional Information and related IT Resources that may not be specifically protected by statute, regulations or other contractual obligations or mandates, but are generally not intended for public use or access. In addition, information of which unauthorized use, access, disclosure, acquisition, modification or loss could result in minor damage or small financial loss, or cause minor impact on the privacy of an individual or group.

P3 - Proprietary

Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties or civil actions. Institutional Information of which unauthorized use, access, disclosure, acquisition, modification, loss or deletion could result in moderate damage to UC, its students, patients, research subjects, employees, community and/or reputation; could have a moderate impact on the privacy of a group; could result in moderate financial loss; or could require legal action. This classification level also includes lower risk items that, when combined, represent increased risk.

P4 - Statutory

Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations. Statutory, regulatory and contract obligations are major drivers for this risk level. Other drivers include, but are not limited to, the risk of significant harm or impairment to UC students, patients, research subjects, employees, guests/program participants, UC reputation, the overall operation of the Location or essential services.