UIS.401.1 Data Classification Guidelines

In support of UIS 401 Data Protection and Security Policy

Data Classification

Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the University should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All University data are classified into one of three sensitivity levels, or classifications:

Low Risk Data

Data is classified as low risk when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates.

While little or no controls are required to protect the confidentiality of low risk data, some level of control is required to prevent unauthorized modification or destruction of public data.

Medium Risk Data

Data is classified as medium risk when the unauthorized disclosure, alteration or destruction of that data could result in a moderate
level of risk to the University or its affiliates. By default, all University data that is not explicitly classified as High risk or Low risk data should be treated as Medium risk data.

A reasonable level of security controls should be applied to medium risk data.
This data is handled in a private/confidential manner.

High Risk Data

Data is classified as high risk when the unauthorized disclosure, alteration or destruction of that data could cause a significant
level of risk to the University or its affiliates.

The highest level of security controls should be applied to high risk data. This data is handled in a restricted manner.

See The Quick Reference Data Handling Chart

Examples

Low Risk Data

NetIDs and email addresses

University information not designated by the individual as “private”

Information in the public domain

Publicly available campus data

Faculty and staff appointments

University marketing materials

University directory information designated for public view

Medium Risk Data

Unpublished research data

Non-public meeting notes

Non-public contracts

Georgetown University internal memos and email, non-public reports, budgets, plans, financial info, board documents

Financial account numbers

University and employee GUID numbers

Donor agreements and agreements in progress

High Risk Data

Protected Health Information (PHI)

Social Security Numbers

Personally Identifiable Information; birth date, personal contact information; IDs/Passports/Driver Licenses

Audit logs or records; infrastructure data

Student records; Student admission data

Credit card numbers

Controlled Unclassified Information

Operational Impacts

(Adhere to Minimum Security for Technology Requirements)

Low Risk Data

Confidentiality: The unauthorized disclosure of low-risk information has little impact to the University

Integrity: The unauthorized modification of or interference with low-risk information has medium to significant impact to the University

Availability: The disruption of access to or use of a low risk information system could be expected to have medium to significant effect on University operations, assets, or individuals.

Medium Risk Data

Confidentiality: The unauthorized disclosure of medium-risk information has medium to significant impact to the University

Integrity: The unauthorized modification of or interference with medium-risk information has medium to significant impact to the University

Availability: The disruption of access to or use of a medium risk information system could be expected to have a serious adverse effect on University operations, assets, or individuals.

High Risk Data

Confidentiality: The unauthorized disclosure of high-risk information has medium to significant impact to the University

Integrity: The unauthorized modification of or interference with high-risk information has medium to significant impact to the University

Availability: The disruption of access to or use of a high-risk information system could be expected to have a severe or catastrophic adverse effect on University operations, assets, or individuals.