{"id":68273,"date":"2025-10-29T10:31:27","date_gmt":"2025-10-29T17:31:27","guid":{"rendered":"https:\/\/policies.wsu.edu\/prf\/?page_id=68273"},"modified":"2026-02-20T16:25:20","modified_gmt":"2026-02-21T00:25:20","slug":"bppm-87-53","status":"publish","type":"page","link":"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-53\/","title":{"rendered":"87.53 Data Protection and Classification"},"content":{"rendered":"\n<h1 class=\"wp-block-heading wsu-font-size--xxmedium\">University Policies and Procedures Manual&nbsp;(previously Business Policies and Procedures Manual)<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Data Protection and Classification<\/h2>\n\n\n<p><strong>UPPM 87.53<\/strong><\/p>\n<p><strong>For more information contact:<\/strong><br \/>\u00a0 \u00a0<a href=\"https:\/\/its.wsu.edu\/how-can-we-help-contact-its\/\">Information Technology Services<\/a><\/p>\n<hr \/>\n<div id=\"toc_container\">\n<h3>Contents<\/h3>\n<ul class=\"toc_list\">\n<li><a href=\"#One_0\">1.0 \u00a0\u00a0 Overview and Purpose<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#One_1\">1.1 \u00a0\u00a0 Information Assurance Policies Generally<\/a><\/li>\n<li><a href=\"#One_2\">1.2 \u00a0\u00a0 Specific Policy Overview and Purpose<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Two_0\">2.0 \u00a0\u00a0 Applicability<\/a><\/li>\n<li><a href=\"#Three_0\">3.0 \u00a0\u00a0 Roles and Responsibilities<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#Three_1\">3.1 \u00a0\u00a0 Chief Information Officer<\/a><\/li>\n<li><a href=\"#Three_2\">3.2 \u00a0\u00a0 Information Owners<\/a><\/li>\n<li><a href=\"#Three_3\">3.3 \u00a0\u00a0 Office of Information Security and Assurance (OISA)<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Four_0\">4.0 \u00a0\u00a0 Requirements<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#Four_1\">4.1 \u00a0\u00a0 General Requirements <\/a><\/li>\n<li><a href=\"#Four_2\">4.2 \u00a0\u00a0 Moderate- and High-Impact System 
Requirements<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Five_0\">5.0 \u00a0\u00a0 Training<\/a><\/li>\n<\/ul>\n<\/div>\n<h3 id=\"One_0\">1.0\u00a0\u00a0\u00a0\u00a0 Overview and Purpose<\/h3>\n<h4 id=\"One_1\">1.1\u00a0\u00a0\u00a0\u00a0\u00a0 Information Assurance Policies Generally<\/h4>\n<p>The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:<\/p>\n<ul>\n<li>Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;<\/li>\n<li>Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and<\/li>\n<li>Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.<\/li>\n<\/ul>\n<p>The policies in this chapter comply with Federal Information Processing Standards (<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/fips\/nist.fips.199.pdf\">FIPS 199<\/a>), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability. 
To determine the potential consequence of a loss event, the Federal Information Processing Standards:<\/p>\n<ul>\n<li>Define WSU Information Owners\u2019 impact categorization rating (Low, Moderate, or High);<\/li>\n<li>Dictate which security controls are mandatory based upon the categorization level;<\/li>\n<li>Define the strength, frequency, and formalization of those controls; and<\/li>\n<li>Influence audit burden and continuous monitoring rigor.<\/li>\n<\/ul>\n<p>See <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-01\/\">UPPM 87.01<\/a> for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.<\/p>\n<h4 id=\"One_2\">1.2\u00a0\u00a0\u00a0\u00a0\u00a0 Specific Policy Overview and Purpose<\/h4>\n<p>Institutional Information (as defined in <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-01\/\">UPPM 87.01<\/a>) is a valuable WSU asset that must be categorized and safeguarded based on sensitivity and risk. 
By establishing clear requirements for all classifications of data, this policy ensures that Institutional Information is carefully managed, maintained, protected, and used appropriately throughout its lifecycle, as well as protected from unauthorized access or disclosure.<\/p>\n<p>This policy and UPPM Chapter 87 use the terms \u201cinformation\u201d and \u201cdata\u201d interchangeably.<\/p>\n<h3 id=\"Two_0\">2.0\u00a0\u00a0\u00a0 Applicability<\/h3>\n<p>This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.<\/p>\n<p>Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-23\/\">UPPM 87.23<\/a>.<\/p>\n<h3 id=\"Three_0\">3.0\u00a0\u00a0\u00a0 Roles and Responsibilities<\/h3>\n<h4 id=\"Three_1\">3.1\u00a0\u00a0\u00a0\u00a0\u00a0 Chief Information Officer<\/h4>\n<p>The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.<\/p>\n<h4 id=\"Three_2\">3.2\u00a0\u00a0\u00a0\u00a0 Information System Owners<\/h4>\n<p>WSU Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy&#8217;s implementation.\u00a0<\/p>\n<h4>3.3\u00a0 \u00a0 \u00a0Office of Information Security and Assurance (OISA)<\/h4>\n<p>WSU\u2019s Office of Information Security and Assurance (OISA) shall maintain the <a href=\"https:\/\/its.wsu.edu\/documents\/2026\/01\/data-protection-and-classification-standard.pdf\">standard (PDF)<\/a> associated with this policy and provide guidance for the associated procedures for the implementation of this policy (<a href=\"https:\/\/its.wsu.edu\/documents\/2026\/01\/data-protection-and-classification-procedure.pdf\/\">see examples 
(PDF)<\/a>).<\/p>\n<p><strong>Note:<\/strong> While all units are required to adhere to the standard established by OISA (<a href=\"https:\/\/csrc.nist.gov\/pubs\/sp\/800\/53\/r5\/upd1\/final\">NIST SP 800-53<\/a>), procedural examples for implementation are optional.<\/p>\n<h3 id=\"Four_0\">4.0 Requirements<\/h3>\n<h4 id=\"Four_1\">4.1\u00a0\u00a0\u00a0\u00a0 General Requirements<\/h4>\n<p>Information Owners, or their delegates, must classify WSU Institutional Information for which they are responsible according to the following classifications (see also <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-01\/\">UPPM 87.01<\/a>):\u00a0<\/p>\n<ul>\n<li>Public: Information in this classification does not need protection from unauthorized access or disclosure; however, there may be requirements to protect the integrity and availability of data in this classification. The appropriate Information Owner or the appropriate WSU administrator must approve the release of Public Information.<\/li>\n<li>Internal: Information in this classification may be made available to authorized personnel in support of the performance of their assigned roles\/duties. WSU Internal Information is generally not released to the public unless specifically requested and must be approved for release by the appropriate Information Owner, by the appropriate WSU administrator, or as required by law. Unauthorized access, disclosure, or loss of integrity or availability of this classification of information could result in some harm to WSU and to individuals.<\/li>\n<li>Confidential: Access may be granted to this classification of information by the appropriate Information Owner to only authorized personnel with a strict need-to-know. 
Confidential Information may be released to authorized affiliates or third parties only with explicit approval from the appropriate Information Owner, the appropriate WSU administrator, or as required by contract or law. Unauthorized access, disclosure, or loss of integrity or availability of this information could cause significant harm to WSU and its operations, assets, or to individuals, and may include significant reputational, legal, and financial consequences.<\/li>\n<li>Regulated: Access may be granted to this classification of information by the appropriate Information Owner to only authorized personnel with strict need-to-know. Regulated information may be released to authorized affiliates or third parties only with explicit approval from the appropriate Information Owner or the appropriate WSU administrator, and in accordance with applicable statutes, regulations, and agreements. Unauthorized access, disclosure, or loss of integrity or availability of this information could cause serious harm to WSU and its operations, assets, or to individuals, and may include serious reputational, legal, financial, and health and safety consequences, including civil and criminal penalties.<\/li>\n<\/ul>\n<p>WSU Institutional Information must be properly administered, managed, and maintained throughout its entire life cycle. 
WSU Information Owners, or their delegates, are accountable for the security and privacy of WSU Institutional Information under their care.<\/p>\n<p>Information Systems that store or process Confidential and\/or Regulated Data must geographically reside in the United States.\u00a0<\/p>\n<p>WSU Institutional Information must be protected via appropriate encryption mechanisms in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-33\/\">UPPM 87.33<\/a>.\u00a0<\/p>\n<p>Information System Owners, or their delegates, must identify the digital and\/or non-digital media with access restrictions for specific personnel or roles.\u00a0<\/p>\n<p>Information System Owners, or their delegates, must restrict the use of certain types of media on defined organizational systems or system components.\u00a0<\/p>\n<p>Access to WSU Institutional Information is to be provided in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-05\/\">UPPM 87.05<\/a>.\u00a0<\/p>\n<p>System media is to be sanitized in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-72\/\">UPPM 87.72<\/a>.<\/p>\n<p>The use of portable storage devices is to be prohibited when the system or system component has no identifiable owner.\u00a0<\/p>\n<h4 id=\"Four_2\">4.2\u00a0\u00a0\u00a0\u00a0 Moderate- and High-Impact Systems<\/h4>\n<p>In addition to the above, the following requirements apply to all moderate- and high-impact systems.<\/p>\n<p>Information Owners, or their delegates, of moderate- and high-impact systems must maintain an up-to-date inventory of WSU Institutional Information within their area of responsibility.<\/p>\n<p>Information System Owners, or their delegates, are responsible for maintaining a record of users who have access to the system components where those types of information are 
processed and stored.\u00a0\u00a0<\/p>\n<p>Moderate- and high-impact systems must use automated tools to identify information by information type on system components to ensure controls are in place.<\/p>\n<p>Moderate- and high-impact system media must be marked with the distribution limitations, handling caveats, and applicable security markings. Information Owners, or their delegates, can exempt defined types of system media from marking within defined controlled areas.\u00a0<\/p>\n<p>Information System Owners, or their delegates, must define the moderate- and high-impact system media that needs to be physically controlled and securely stored within defined areas. The defined system media must be protected and destroyed in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-72\/\">UPPM 87.72<\/a>.<\/p>\n<p>Information System Owners, or their delegates, must define the moderate- and high-impact system media that needs protection during transport outside of controlled areas and must maintain accountability, document transport activities, and restrict access outside controlled areas to authorized personnel.\u00a0\u00a0<\/p>\n<h3 id=\"Five_0\">5.0\u00a0\u00a0\u00a0 Training<\/h3>\n<p>See <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-21\/\">UPPM 87.21<\/a> for training requirements related to UPPM Chapter 87.<\/p>\n<p>In addition to the requirements in <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-21\/\">UPPM 87.21<\/a>, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner\u2019s authority.<\/p>\n<hr \/>\n<p style=\"font-size: .8rem\">_______________________<br 
\/><strong>Revisions:<\/strong>\u00a0 Feb. 2026 (Rev. <a href=\"https:\/\/policies.wsu.edu\/prf\/bppm-manual-revisions\/bppm-revision-651\/\">651<\/a>); Mar. 2022 (Rev. <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/revisions\/epm-revisions\/epm-revision-102\/\">102<\/a>); June 2020 (Rev. <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/revisions\/epm-revisions\/epm-revision-91\/\">91<\/a>); May 2018 (Rev. <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/revisions\/epm-revisions\/epm-revision-79\/\">79<\/a>); Feb. 2015 (Rev. 59); Dec. 2007 (Rev. 29); Apr. 2006 (Rev. 22); Nov. 2001 &#8211; new policy (Rev. 3)<\/p>\n<p><!-- \/wp:freeform --><br \/><!-- \/wp:wsuwp\/column --><br \/><!-- \/wp:wsuwp\/row --><\/p>","protected":false},"excerpt":{"rendered":"<p>University Policies and Procedures Manual&nbsp;(previously Business Policies and Procedures Manual) Data Protection and Classification UPPM 87.53 For more information contact:\u00a0 \u00a0Information Technology Services Contents 1.0 \u00a0\u00a0 Overview and Purpose 1.1 
[&hellip;]<\/p>\n","protected":false},"author":49281,"featured_media":0,"parent":50633,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"wsuwp_university_location":[],"wsuwp_university_org":[],"_links":{"self":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/68273"}],"collection":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/users\/49281"}],"replies":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/comments?post=68273"}],"version-history":[{"count":7,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/68273\/revisions"}],"predecessor-version":[{"id":69993,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/68273\/revisions\/69993"}],"up":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/50633"}],"wp:attachment":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/media?parent=68273"}],"wp:term":[{"taxonomy":"wsuwp_university_location","embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/wsuwp_university_location?post=68273"},{"taxonomy":"wsuwp_university_org","embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/wsuwp_university_org?post=68273"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}