Data Management Categorization

Procedures

The System Owner must assign a “System Criticality Categorization” to an Information System to indicate the type of criticality that exists should the Information System experience unexpected downtime. This categorization helps inform necessary Information System protection controls and prioritize Information System incidents. The following categorizations are available:

  • Mission-Critical: The Information System is a key primary source for Organizational Data where unexpected downtime could have a severe or catastrophic adverse effect on Georgia Tech as a whole, presenting a high risk to Georgia Tech. This categorization is assigned by the Data Governance Committee.
  • Moderate Criticality: Unexpected downtime of the Information System could have a serious adverse effect on a large number of users or multiple business units, presenting a moderate risk to Georgia Tech.
  • Low Criticality: Unexpected downtime of the Information System could have a limited adverse effect on Georgia Tech as a whole, presenting a low risk to Georgia Tech.

  1. A System Owner must submit a request for the “Mission-Critical” categorization to the Data Governance Committee. The request must include:
    1. Information System name and purpose/function
    2. Current “System Criticality Categorization” assigned to the Information System
    3. Reason the “Mission-Critical” categorization is requested
    4. A list of the Data Trustees and Data Stewards who are responsible for the Data Domains of Organizational Data within the Information System, including their written acknowledgement of the additional requirements this categorization brings.
  2. The Data Governance Committee will review the request and determine if further discussion is required with the System Owner or others involved with the request.
  3. If approved, the Data Governance Committee will notify the System Owner and publish the change to the official list of approved Mission-Critical Systems on the website. The System Owner will communicate this approval to impacted Data Trustees and Data Stewards, and together they will work toward the additional requirements this categorization brings.
  4. If not approved, the Data Governance Committee will articulate the rejection and send it back to the System Owner.

  1. An individual must submit a request to add a new categorization, change the name and/or definition of an existing categorization, or deprecate the use of an existing categorization to the Data Governance Committee. The request must include:
    1. Name of the categorization (proposed name if new or changing)
    2. Definition of the categorization (proposed definition if new or changing)
    3. Reason the modification is requested
  2. The Data Governance Committee will review the request and determine if further discussion is required with the requestor or others involved with the request.
  3. If approved, the Data Governance Committee will notify the requestor and publish the change to the official list of approved “Data Impact Categorization” choices on the website. Inventories that rely upon “Data Impact Categorization” (e.g., Data Element Dictionary) will be updated.
  4. If not approved, the Data Governance Committee will articulate the rejection and send it back to the requestor.

  • A Data Steward must assign “Other Data Categorizations” to a Data Element.
  • A Data Steward must assign “Other Data Categorizations” to a Data Sub-Domain, which may be derived from Data Elements within the Data Sub-Domain.
  • An Associate Data Trustee must assign “Other Data Categorizations” to a Data Domain, which may be derived from its Data Sub-Domains.
  • A System Owner must assign “Other Data Categorizations” to an Information System, which may be derived from the Organizational Data within the Information System.
  • A report or a data set that contains Organizational Data may indicate “Other Data Categorizations” in order to communicate to its intended audience the type of data attributes the report or data set contains.

The “Other Data Categorizations” indicate additional data attributes of Organizational Data (either by Data Element, Data Sub-Domain, or Data Domain). This categorization helps inform necessary protection controls and prioritize incidents for both Information Systems and Organizational Data.

| Other Data Categorizations | Categorization Question | Categorization Choices |
| --- | --- | --- |
| Personally Identifiable Information (PII) | Does the Information System or Organizational Data contain any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the institution? | Yes or No |
| PII – Sensitive | Does the Information System or Organizational Data contain personally identifiable information that if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual, such as a Social Security number or alien number (A-number)? Sensitive PII requires stricter handling guidelines because of the increased risk to an individual if compromised. | Yes or No |
| Protected Health Information | Does the Information System or Organizational Data contain individually identifiable information created, received, or maintained by such organizations as health care payers, health care providers, health plans, and contractors to these entities, in electronic or physical form? Laws require special precautions to protect from unauthorized use, access, or disclosure. | Yes or No |
| FERPA Directory Information | Does the Information System or Organizational Data contain Data Elements found in Georgia Tech’s published list of FERPA Directory Information? More Information | Yes or No |
| GDPR Special Categories of Sensitive Personal Data | Does the Information System or Organizational Data contain Data Elements found in Georgia Tech’s published list of EU General Data Protection Regulation (GDPR) Special Categories of Sensitive Personal Data? More Information | Yes or No |

  1. An individual must submit a request to add a new categorization, change the name and/or question and/or choices of an existing categorization, or deprecate the use of an existing categorization to the Data Governance Committee. The request must include:
    1. Name of the categorization (proposed name if new or changing)
    2. Question of the categorization (proposed definition if new or changing)
    3. Choices of the categorization (proposed choices if new or changing)
    4. Reason the modification is requested
  2. The Data Governance Committee will review the request and determine if further discussion is required with the requestor or others involved with the request.
  3. If approved, the Data Governance Committee will notify the requestor and publish the change to the official list of approved “Other Data Categorizations” on the website. Inventories that rely upon “Other Data Categorizations” (e.g., Data Element Dictionary) will be updated.
  4. If not approved, the Data Governance Committee will articulate the rejection and send it back to the requestor.

Resources

Banner Student Information System

PeopleSoft Human Capital Management System (via OneUSG Connect)

Workday Financial System

Deltek Costpoint Research Financial System

Office of Sponsored Programs Contract Information System

| Revision Date | Author | Description |
| --- | --- | --- |
| 2021-07-27 | Zachary Hayes, Data Governance | New |