What are the Level 1, 2, and 3 data definitions?

CSU Data Classification Levels (Asset Management ISO Domain 8 Standard) explains the difference between Level 1, 2, and 3 Data.

Level 1 examples (Confidential information) include, but are not limited to:

  • Passwords or credentials that grant access to level 1 and level 2 data
  • PINs (Personal Identification Numbers)
  • Birth date combined with last four digits of SSN and name
  • Credit card numbers with cardholder name
  • Tax ID with name
  • Driver’s license number, state identification card, and other forms of national/international identification (such as passports, visas, etc.) in combination with name
  • Social Security number and name
  • Health insurance information

Level 2 examples (Internal Use information) include, but are not limited to:

  • Identity Validation Keys (name with)
    • Birth date (full: mm-dd-yy)
    • Birth date (partial: mm-dd only)
  • Photo (taken for identification purposes)
  • Student Information-Educational Records not defined as “directory” information, typically:
    • Grades
    • Courses taken
    • Schedule
    • Test Scores
    • Advising records
    • Educational services received
    • Disciplinary actions
    • Student photo
  • Library circulation information

Level 3 - Information which may be designated by your campus as publicly available and/or intended to be provided to the public:

  • Information at this level requires no specific protective measures but may be subject to appropriate review or disclosure procedures at the discretion of the campus in order to mitigate potential risks
  • Disclosure of this information does not expose the CSU to financial loss or jeopardize the security of the CSU’s information assets

Sections 4 and 5 of the CSU ISO Domain 8: Asset Management Standard explain the requirements for storing and handling Level 1 Data and Level 2 Data.