User login


Data Classification Policy

Published: October 2013

Revised: November 2014, April 2016, October 2017



I. Introduction


As indicated in the Columbia University Information Security Charter (the “Charter”), any person who uses, stores or transmits Data (as defined in the Charter) has a responsibility to maintain and safeguard such Data.


The first step in establishing the safeguards that are required for a particular type of Data is to determine the level of sensitivity applicable to such Data.  Data classification is a method of assigning such levels and thereby determining the extent to which the Data need to be controlled and secured.


Capitalized terms used in this Policy without definition are defined in the Charter.


II. Policy History

The effective date of this Policy is November 1, 2013.  This Policy replaces the University’s Data Classification Policy, dated December 2007, as amended in February 2013.


III. Policy Text

Data security measures must be implemented commensurate with the sensitivity of the Data and the risk to the University if Data is compromised.  It is the responsibility of the applicable Data Owner to evaluate and classify Data for which he/she is responsible according to the classification system adopted by the University and described below.  If Data of more than one level of sensitivity exists in the same System or Endpoint, such Data shall be classified at the highest level of sensitivity.



To see the full text of this policy, please use the link on the right.