...

The WVU Data Classification Policy establishes the rules that govern the classification of information generated through the academic, administrative, research, and outreach activities conducted at WVU into four categories: Sensitive, Confidential, Internal, and Public. The WVU Information Security Policy identifies the criticality of information systems into four categories: mission critical, core, business critical, and operational.

The following table provides examples that can be used to assist in selecting a security category for an information system. For assistance classifying the information system you manage, review the information provided in the Security Objectives section or contact Information Security Services at infosec@mail.wvu.edu.

Security Objectives

The Security Category = [Confidentiality impact + Integrity impact + Availability impact]

Confidentiality means preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.

Integrity means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.

Availability means ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.

| | Level 1 - Low | Level 2 - Moderate | Level 3 - High |
|---|---|---|---|
| Impact on WVU’s mission | None | No impact | Potential impact |
| Impact on WVU’s reputation | At most a minimal risk | Moderate risk | Significant risk |
| Impact on WVU’s finances | None | Mild impact | Significant impact |
| Risk to the security of other systems protecting data | None | Mild impact | Significant impact |
| Risk to life safety | None | None | Potential risk |
| Data Classification | Public | Internal/Confidential | Confidential/Sensitive |

Minimum Security Requirements

The table below identifies the minimum security requirements for a WVU system or application based on the classification of the data stored within the system and/or the system’s criticality. Security requirements are based on implemented technology governance and are organized below based on the NIST Cybersecurity Framework.

...