Data Management Categorization

DG Data Management Categorization

Purpose

Data Management Categorizations provide additional information about Georgia Tech’s Information Systems, Data Domains, and Data Elements. This additional information will provide a high-level overview of the criticality of an Information System should it become unavailable, the risk of Organizational Data should it become inadvertently disclosed, and other indicators used to protect Georgia Tech’s data assets.

 

Go to Procedures
Go to Resources

 

Related Policies

Data Governance and Management Policy

Related Guidelines, Procedures, and Resources

Definitions

Loss of Confidentiality The unauthorized disclosure of information.
Loss of Integrity The unauthorized modification or destruction of information.

Capitalized terms not otherwise defined herein shall have the same meaning as set forth in the Data Governance and Management Policy

Audience

Responsible Associate Data Trustee
Data Steward
System Owner
Accountable Data Governance Committee
Support Associate Data Steward
Technical Manager
Consulted Data Governance team
Informed Data Domain & Technology Sub-Committees
Data Administrator
Data User

Procedures

Assigning a “System Criticality Categorization”

The System Owner must assign a “System Criticality Categorization” to an Information System to indicate the type of criticality that exists should the Information System experience unexpected downtime. This categorization helps inform necessary Information System protection controls and prioritize Information System incidents. The following categorizations are available:

Mission-Critical The Information System is a key primary source for Organizational Data where unexpected downtime could have a severe or catastrophic adverse effect on Georgia Tech as a whole, presenting a high risk to Georgia Tech.

This categorization is assigned by the Data Governance Committee.
Moderate Criticality Unexpected downtime of the Information System could have a serious adverse effect on a large number of users or multiple business units, presenting a moderate risk to Georgia Tech.
Low Criticality Unexpected downtime of the Information System could have a limited adverse effect on Georgia Tech as a whole, presenting a low risk to Georgia Tech.
Request a “System Criticality Categorization” of “Mission-Critical”
  1. A System Owner must submit a request for the “Mission-Critical” categorization to the Data Governance Committee. The request must include:
    1. Information System name and purpose/function
    2. Current “System Criticality Categorization” assigned to the Information System
    3. Reason the “Mission-Critical” categorization is requested
    4. A list of Data Trustees and Data Stewards who are responsible for the Data Domains of Organizational Data within the Information System including their written acknowledgement of the additional requirements this categorization brings.
  2. The Data Governance Committee will review the request and determine if further discussion is required with the System Owner or others involved with the request.
  3. If approved, the Data Governance Committee will notify the System Owner and publish the change to the official list of approved Mission-Critical Systems on the website. The System Owner will communicate this approval to impacted Data Trustees and Data Stewards, and collectively will work towards additional requirements this categorization brings.
  4. If not approved, the Data Governance Committee will articulate the rejection and send it back to the System Owner.
Modifications to the approved “System Criticality Categorization” choices
  1. An individual must submit a request to add a new categorization, change the name and/or definition of an existing categorization, or deprecate the use of an existing categorization to the Data Governance Committee. The request must include:
    1. Name of the categorization (proposed name if new or changing)
    2. Definition of the categorization (proposed definition if new or changing)
    3. Reason the modification is requested
  2. The Data Governance Committee will review the request and determine if further discussion is required with the requestor or others involved with the request.
  3. If approved, the Data Governance Committee will notify the requestor and publish the change to the official list of approved “System Criticality Categorization” choices on the website. Inventories that rely upon “System Criticality Categorization” (e.g., Systems Inventory) will be updated.
  4. If not approved, the Data Governance Committee will articulate the rejection and send it back to the requestor.
Assigning a “Data Impact Categorization”
  • A Data Steward must assign a “Data Impact Categorization” to a Data Element.
  • A Data Steward must assign a “Data Impact Categorization” to a Data Sub-Domain, which may be derived by choosing the highest impact categorization from Data Elements within the Data Sub-Domain.
  • An Associate Data Trustee must assign a “Data Impact Categorization” to a Data Domain, which may be derived by choosing the highest impact categorization from its Data Sub-Domains.
  • A System Owner must assign a “Data Impact Categorization” to an Information System, which may be derived by choosing the highest impact categorization from the Organizational Data within the Information System.
  • A report or a data set that contains Organizational Data may indicate the “Data Impact Categorization” in order to communicate to its intended audience the type of impact the report or data set contains.

The “Data Impact Categorization” indicates the type of impacts that exists should the Organizational Data (either by Data Element, Data Sub-Domain, or Data Domain) experience Loss of Confidentiality or Loss of Integrity. When Organizational Data may fall into more than one categorization, it should be categorized in the highest applicable impact categorization. This categorization helps inform necessary protection controls and prioritize incidents for both Information Systems and Organizational Data. The following categorizations are available:

High Impact The Loss of Confidentiality or the Loss of Integrity could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Moderate Impact The Loss of Confidentiality or the Loss of Integrity could be expected to have serious adverse effect on organizational operations, organizational assets, or individuals.
Low Impact The Loss of Confidentiality or the Loss of Integrity could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
Modifications to the approved “Data Impact Categorization” choices
  1. An individual must submit a request to add a new categorization, change the name and/or definition of an existing categorization, or deprecate the use of an existing categorization to the Data Governance Committee. The request must include:
    1. Name of the categorization (proposed name if new or changing)
    2. Definition of the categorization (proposed definition if new or changing)
    3. Reason the modification is requested
  2. The Data Governance Committee will review the request and determine if further discussion is required with the requestor or others involved with the request.
  3. If approved, the Data Governance Committee will notify the requestor and publish the change to the official list of approved “Data Impact Categorization” choices on the website. Inventories that rely upon “Data Impact Categorization” (e.g., Data Element Dictionary) will be updated.
  4. If not approved, the Data Governance Committee will articulate the rejection and send it back to the requestor.
Assigning “Other Data Categorizations”
  • A Data Steward must assign “Other Data Categorizations” to a Data Element.
  • A Data Steward must assign “Other Data Categorizations” to a Data Sub-Domain, which may be derived from Data Elements within the Data Sub-Domain.
  • An Associate Data Trustee must assign “Other Data Categorizations” to a Data Domain, which may be derived from its Data Sub-Domains.
  • A System Owner must assign a “Other Data Categorizations” to an Information System, which may be derived from the Organizational Data within the Information System.
  • A report or a data set that contains Organizational Data may indicate “Other Data Categorizations” in order to communicate to its intended audience the type of data attributes the report or data set contains.

The “Other Data Categorizations” indicate additional data attributes of Organizational Data (either by Data Element, Data Sub-Domain, or Data Domain). This categorization helps inform necessary protection controls and prioritize incidents for both Information Systems and Organizational Data.

Other Data Categorizations Categorization Question Categorization Choices
Personally Identifiable Information (PII) Does the Information System or Organizational Data contain any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the institution? Yes or No
PII – Sensitive Does the Information System or Organizational Data contain personally identifiable information that if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual, such as a Social Security number or alien number (A-number)? Sensitive PII requires stricter handling guidelines because of the increased risk to an individual if compromised. Yes or No
Protected Health Information Does the Information System or Organizational Data contain individually identifiable information created, received, or maintained by such organizations as health care payers, health care providers, health plans, and contractors to these entities, in electronic or physical form? Laws require special precautions to protect from unauthorized use, access, or disclosure. Yes or No
FERPA Directory Information Does the Information System or Organizational Data contain Data Elements found in Georgia Tech’s published list of FERPA Directory Information? More Information Yes or No
GDPR Special Categories of Sensitive Personal Data Does the Information System or Organizational Data contain Data Elements found in Georgia Tech’s published list of EU General Data Protection Regulation (GDPR) Special Categories of Sensitive Personal Data? More Information Yes or No
Modifications to the approved “Other Data Categorizations” questions and choices
  1. 1. An individual must submit a request to add a new categorization, change the name and/or question and/or choices of an existing categorization, or deprecate the use of an existing categorization to the Data Governance Committee. The request must include:
    1. Name of the categorization (proposed name if new or changing)
    2. Question of the categorization (proposed definition if new or changing)
    3. Choices of the categorization (proposed choices if new or changing)
    4. Reason the modification is requested
  2. The Data Governance Committee will review the request and determine if further discussion is required with the requestor or others involved with the request.
  3. If approved, the Data Governance Committee will notify the requestor and publish the change to the official list of approved “Other Data Categorizations” on the website. Inventories that rely upon “Other Data Categorizations” (e.g., Data Element Dictionary) will be updated.
  4. If not approved, the Data Governance Committee will articulate the rejection and send it back to the requestor.

 

Resources

Approved Mission-Critical Systems

Banner Student Information System

PeopleSoft Human Capital Management System (via OneUSG Connect)

Workday Financial System

Deltek Costpoint Research Financial System

Office of Sponsored Programs Contract Information System

 

Revision Date Author Description
2021-07-27 Zachary Hayes, Data Governance New