====== Designating Sensitive Information ======

==== University of Colorado IT Security Program Policy ====

All data and information resources of the SEHD are subject to University of Colorado's IT Security Program policy, [[https://www.cu.edu/ope/aps/6005|APS-6005]]. Within the [[https://www.cu.edu/sites/default/files/APS6005SecI_Terms.pdf|definitions of the policy]] it defines three classification for information.

> __Highly Confidential information__: This category includes data elements that require protection under laws, regulations, contracts, relevant legal agreements and/or require the institution to provide notification of unauthorized disclosure/security incidents to affected individuals, government agencies or media. This type of University Information includes personally identifiable information (a category of personal information regulated by federal law), as well as other non-public personal information that would adversely impact an individual if inappropriately used or disclosed. Examples include Social Security numbers, credit card numbers and medical records.

> __Confidential information:__ This category includes data elements not usually disclosed to the public but are less sensitive than Highly Confidential data. If a legally required and applicable, Colorado Open Records Act (CORA) request is submitted, these records may be released. Examples include Personnel information, Non-public policies.

> __Public information: __

   * Any information on University websites to which the data owner allows access without authentication
  * Information made freely available through the institution print material
  * Directory information

Please see the University Data Classifications and Impact website for more detailed information[[https://www.cu.edu/ois/data-classifications-impact|https://www.cu.edu/ois/data-classifications-impact]]