UIS.401.1 Data Classification Guidelines

In support of UIS 401 Data Protection and Security Policy

Data Classification

Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the University should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All University data are classified into one of three sensitivity levels, or classifications:

High Risk Data

Data is classified as high risk when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the University or its affiliates.

The highest level of security controls should be applied to high risk data. This data is handled in a restricted manner.

Medium Risk Data

Data is classified as medium risk when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the University or its affiliates. By default, all University data that is not explicitly classified as high risk or low risk data should be treated as medium risk data.

A reasonable level of security controls should be applied to medium risk data. This data is handled in a private/confidential manner.

Low Risk Data

Data is classified as low risk when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates.

While few or no controls are required to protect the confidentiality of low risk data, some level of control is still required to prevent unauthorized modification or destruction of low risk (public) data.

Examples

High Risk Data

Protected Health Information (PHI)

Social Security Numbers

Personally Identifiable Information (e.g., birth date, personal contact information)

Audit logs or records; infrastructure data

Student records; Student admission data

Credit card numbers

Controlled Unclassified Information

Medium Risk Data

Unpublished research data

Non-public meeting notes

Non-public contracts

Georgetown University internal memos and email, non-public reports, budgets, plans, financial info, board documents

Financial account numbers

University and employee GUID numbers

Donor agreements and agreements in progress

Low Risk Data

NetIDs and email addresses

University information not designated by the individual as “private”

Information in the public domain

Publicly available campus data

Faculty and staff appointments

University marketing materials

University directory information designated for public view

Operational Impacts

(Adhere to Minimum Security for Technology Requirements)

High Risk Data

Confidentiality: The unauthorized disclosure of high risk information

Integrity: The unauthorized modification or destruction of high risk information

Availability: The disruption of access to or use of a high risk information system could be expected to have a severe or catastrophic adverse effect on University operations, assets, or individuals.

Medium Risk Data

Confidentiality: The unauthorized disclosure of medium risk information

Integrity: The unauthorized modification or destruction of medium risk information

Availability: The disruption of access to or use of a medium risk information system could be expected to have a serious adverse effect on University operations, assets, or individuals.

Low Risk Data

Confidentiality: The unauthorized disclosure of low risk information

Integrity: The unauthorized modification or destruction of low risk information

Availability: The disruption of access to or use of a low risk information system could be expected to have little effect on University operations, assets, or individuals.