Data Classification

Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the University should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All University data are classified into one of three sensitivity levels, or classifications:

HIGH Risk Data
MEDIUM Risk Data
LOW Risk Data

Data is classified as high risk when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the University or its affiliates. 

The highest level of security controls should be applied to high risk data. This data is handled in a RESTRICTED manner.

Data is classified as medium risk when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the University or its affiliates. By default, all University data that is not explicitly classified as High risk or Low risk data should be treated as Medium risk data. 

A reasonable level of security controls should be applied to medium risk data.
This data is handled in a PRIVATE/CONFIDENTIAL manner.

Data is classified as low risk when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates. 

While few or no controls are required to protect the confidentiality of low risk data, some level of control is required to prevent unauthorized modification or destruction of PUBLIC data.
 
EXAMPLES

HIGH Risk Data

Protected Health Information (PHI)
Social Security Numbers
Personally Identifiable Information; birth date, personal contact information
Audit logs or records; infrastructure data
Student records; Student admission data
Credit card numbers
Controlled Unclassified Information

MEDIUM Risk Data

Unpublished research data
Non-public meeting notes
Non-public contracts
Georgetown University internal memos and email, non-public reports, budgets, plans, financial info, board documents
Financial account numbers
University and employee GUID numbers
Donor agreements and agreements in progress

LOW Risk Data

NetIDs and email addresses
University information not designated by the individual as "private"
Information in the public domain
Publicly available campus data
Faculty and staff appointments
University marketing materials
University directory information designated for public view

 
OPERATIONAL IMPACTS

(Adhere to Minimum Security for Technology Requirements)

Confidentiality: The unauthorized disclosure of HIGH risk information
Integrity: The unauthorized modification or destruction of HIGH risk information
Availability: The disruption of access to or use of a HIGH risk information system

could be expected to have a severe or catastrophic adverse effect on University operations, assets, or individuals.

Confidentiality: The unauthorized disclosure of MEDIUM risk information
Integrity: The unauthorized modification or destruction of MEDIUM risk information
Availability: The disruption of access to or use of a MEDIUM risk information system

could be expected to have a serious adverse effect on University operations, assets, or individuals.

Confidentiality: The unauthorized disclosure of LOW risk information
Integrity: The unauthorized modification or destruction of LOW risk information
Availability: The disruption of access to or use of a LOW risk information system

could be expected to have little effect on University operations, assets, or individuals.