UIS.401.1 Data Classification Guidelines

Data is classified as low risk when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates.

While little or no controls are required to protect the confidentiality of low risk data, some level of control is required to prevent unauthorized modification or destruction of public data.

Data is classified as medium risk when the unauthorized disclosure, alteration or destruction of that data could result in a moderate
level of risk to the University or its affiliates. By default, all University data that is not explicitly classified as High risk or Low risk data should be treated as Medium risk data.

A reasonable level of security controls should be applied to medium risk data.
This data is handled in a private/confidential manner.

Data is classified as high risk when the unauthorized disclosure, alteration or destruction of that data could cause a significant
level of risk to the University or its affiliates.

The highest level of security controls should be applied to high risk data. This data is handled in a restricted manner.

NetIDs and email addresses

University information not designated by the individual as “private”

Information in the public domain

Publicly available campus data

Faculty and staff appointments

University marketing materials

University directory information designated for public view

Unpublished research data

Non-public meeting notes

Non-public contracts

Georgetown University internal memos and email, non-public reports, budgets, plans, financial info, board documents

Financial account numbers

University and employee GUID numbers

Donor agreements and agreements in progress

Protected Health Information (PHI)

Social Security Numbers

Personally Identifiable Information; birth date, personal contact information; IDs/Passports/Driver Licenses

Audit logs or records; infrastructure data

Student records; Student admission data

Credit card numbers

Controlled Unclassified Information

Confidentiality: The unauthorized disclosure of low-risk information has little impact to the University

Integrity: The unauthorized modification of or interference with low-risk information has medium to significant impact to the University

Availability: The disruption of access to or use of a low risk information system could be expected to have medium to significant effect on University operations, assets, or individuals.

Confidentiality: The unauthorized disclosure of medium-risk information has medium to significant impact to the University

Integrity: The unauthorized modification of or interference with medium-risk information has medium to significant impact to the University

Availability: The disruption of access to or use of a medium risk information system could be expected to have a serious adverse effect on University operations, assets, or individuals.

Confidentiality: The unauthorized disclosure of high-risk information has medium to significant impact to the University

Integrity: The unauthorized modification of or interference with high-risk information has medium to significant impact to the University

Availability: The disruption of access to or use of a high-risk information system could be expected to have a severe or catastrophic adverse effect on University operations, assets, or individuals.