UIS.401.1 Data Classification Guidelines
In support of UIS 401 Data Protection and Security Policy
Data Classification
Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the University should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All University data are classified into one of three sensitivity levels, or classifications:
Low Risk Data
Data is classified as low risk when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates.
While few or no controls are required to protect the confidentiality of low risk data, some level of control is required to prevent unauthorized modification or destruction of public data.
Medium Risk Data
Data is classified as medium risk when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the University or its affiliates. By default, all University data that is not explicitly classified as High risk or Low risk data should be treated as Medium risk data.
A reasonable level of security controls should be applied to medium risk data.
This data is handled in a private/confidential manner.
High Risk Data
Data is classified as high risk when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the University or its affiliates.
The highest level of security controls should be applied to high risk data. This data is handled in a restricted manner.
See The Quick Reference Data Handling Chart
Examples
Low Risk Data
NetIDs and email addresses
University information not designated by the individual as “private”
Information in the public domain
Publicly available campus data
Faculty and staff appointments
University marketing materials
University directory information designated for public view
Medium Risk Data
Unpublished research data
Non-public meeting notes
Non-public contracts
Georgetown University internal memos and email, non-public reports, budgets, plans, financial info, board documents
Financial account numbers
University and employee GUID numbers
Donor agreements and agreements in progress
High Risk Data
Protected Health Information (PHI)
Social Security Numbers
Personally Identifiable Information; birth date, personal contact information; IDs/Passports/Driver Licenses
Audit logs or records; infrastructure data
Student records; Student admission data
Credit card numbers
Controlled Unclassified Information
Operational Impacts
(Adhere to Minimum Security for Technology Requirements)
Low Risk Data
Confidentiality: The unauthorized disclosure of low-risk information has little impact to the University.
Integrity: The unauthorized modification of or interference with low-risk information has medium to significant impact to the University.
Availability: The disruption of access to or use of a low risk information system could be expected to have medium to significant effect on University operations, assets, or individuals.
Medium Risk Data
Confidentiality: The unauthorized disclosure of medium-risk information has medium to significant impact to the University.
Integrity: The unauthorized modification of or interference with medium-risk information has medium to significant impact to the University.
Availability: The disruption of access to or use of a medium risk information system could be expected to have a serious adverse effect on University operations, assets, or individuals.
High Risk Data
Confidentiality: The unauthorized disclosure of high-risk information has medium to significant impact to the University.
Integrity: The unauthorized modification of or interference with high-risk information has medium to significant impact to the University.
Availability: The disruption of access to or use of a high-risk information system could be expected to have a severe or catastrophic adverse effect on University operations, assets, or individuals.