Data Classification Matrix

Data is a critical asset of the university. It is the policy of the University of Central Florida to classify types of data in use at the university and to provide the appropriate levels of information security and protection.

University Data falls into three classifications: Highly Restricted Data, Restricted Data, and Unrestricted Data. UCF Policy 4-008 further details the classifications and the procedures for how to properly store, handle, and protect University Data. Below is a Data Classification Matrix, that illustrates where it is appropriate to store UCF Data electronically.

Please refer to UCF Policy 4-008 for full details and contact UCF InfoSec if you have any questions or concerns about how to protect University Data.

QUICK links

Policies Consulting FERPA DATA INFO

Data Classification	Examples	Approved Storage	Additional Requirements
Highly Restricted	Government Identification Numbers Financial Account Numbers Credentials Usernames & Passwords Health Information HIPAA Payment Card Industry (PCI) Data Federally Protected Data Controlled Unclassified Information (CUI) Protected University Employee Data Refer to F.S. 119.071 GLBA "Nonpublic Personal Information"	UCF sanctioned internet cloud data storage systems OneDrive for Business Microsoft Teams DropBox Advanced	Must not be stored in personally-owned data storage accounts. Access controls must be in place. CUI data must be encrypted following DFARS standards. File-level encryption recommended. Protect with Multi-Factor Authentication.
		University-provided email system Must be encrypted before sending via email. It is recommended that passwords are sent through alternate lines of communication. Though acceptable, this method is not preferred over the other methods listed here.
		Secure UCF Server Server must be intended for highly restricted data, and at a minimum meet relevant University Security Standards. Employ full-disk encryption. File-level encryption is required anytime data is exported, saved, or downloaded or copied from these systems.
		UCF-Owned End User Devices Laptops* and Desktops Mobile Devices* *When stored on these devices, the data must have file-level encryption with access protected by a strong password (in addition to the full disk encryption.)	Legitimate business reason required. Must be a university-owned and managed device. Full-Disk encryption required. Access controls must be in place.
Restricted	Business Sensitive Data Proprietary Intellectual Property FERPA: Personally Identifiable Information (PII) FERPA: Academic Records FERPA: Other Student Email Address Student ID Photos Network and Systems Data UCF NID IP Addresses and other system information Other Data Protected by Law or Regulation	Any approved storage for Highly Restricted or Restricted Data
		UCF-owned workstations or mobile devices	Must be protected by a strong password and use full disk encryption. File level encryption is recommended.
		University-provided email system	May be sent to users who are within a university-provided email system (e.g., UCF Exchange, Knights email, Webcourses@UCF). May be sent to authorized recipients who use external email systems if encrypted using Office 365 Email Encryption.
Unrestricted	Employee Data Employee Names Date of Hire Rate of Pay Title Office Address Phone Number UCFID FERPA: Directory Information Note: Directory information can be released without consent, unless the student has opted to withold the release of their data.	Any storage approved for Restricted or Highly Restricted Data
Unrestricted		Can be posted on any public website, blog, or other publicly-accessible Internet site.

Note: This matrix is meant only as a reference and not a comprehensive replacement for UCF policy 4-008. Please read and review UCF policy 4-008 for full details.