UIS.401.1T High Risk Data Table
High Risk Data
The University Information Security Office (UISO) has defined several types of High Risk data based on University, state and federal regulatory requirements.
An Authentication Verifier is a piece of information that is held in confidence by an individual and used to validate a person’s or system’s identity. An Authentication Verifier may also be used to prove the identity of a system or service. Examples include, but are not limited to:
Cryptographic private keys
Covered Financial Information
University Gramm-Leach-Bliley Act (GLBA) Policy.
Protected Health Information (“PHI”)
PHI is defined as “individually identifiable health information” transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or medium by a Covered Component, as defined in Georgetown University’s HIPAA Policy. PHI is considered individually identifiable if it contains one or more of the following identifiers:
birth date, admissions date, discharge date, date of death and exact age if over 89)
Telephone numbers/Fax numbers
Electronic mail addresses
Social security numbers
Medical record numbers
Health plan beneficiary numbers
Vehicle identifiers and serial numbers, including license plate number
Device identifiers and serial numbers
Universal Resource Locators (URLs) or web address that can indicate the location of PHI data or mechanisms to retrieve the PHI data.
Internet protocol (IP) addresses
Biometric identifiers, including finger and voice prints
Full face photographic images and any comparable images
Any other unique identifying number, characteristic or code that could identify an individual
Per Georgetown University’s HIPAA Policy, PHI does not include education records or treatment records covered by the Family Educational Rights and Privacy Act or employment records held by the University in its role as an employer.
Export Controlled Materials
The export regulations define export controlled materials as:
Any oral, written, electronic or visual disclosure, shipment, transfer or transmission outside of the United States to anyone, including a U.S. citizen, of any commodity, technology (information, technical data, or assistance) or software/code
Any oral, written, electronic or visual disclosure, transfer or transmission to any person or entity of a controlled commodity, technology or software/codes with an intent to transfer it to a non-U.S. entity or individual, wherever located (even to a foreign student or colleague at Georgetown University).
Any transfer of these items or information to a foreign embassy or affiliate.
Federal Tax Information (“FTI”)
FTI is defined as any return, return information or taxpayer return information that is entrusted to the University by the Internal Revenue Services.
Payment Card Information
Payment card information is defined as a credit card number (also referred to as a primary account number or PAN) in combination with one or more of the following data elements:
CVC2, CVV2 or CID value
PIN or PIN block
Contents of a credit card’s magnetic stripe
Personally Identifiable Student Records
Personally Identifiable Student Records are defined as any Student Records that contain one or more of the following personal identifiers:
Name of the student
Name of the student’s parent(s) or other family member(s)
Social security number
Student’s GUID number
A list of personal characteristics that would make the student’s identity easily traceable
Any other information or identifier that would make the student’s identity easily traceable
See Georgetown University’s Student Record Policy for more information.
Personally Identifiable Information (PII)
PII is defined as a person’s first name or first initial and last name in combination with one or more of the following data elements:
Social security number
State-issued driver’s license number
State-issued identification card number
Financial account number in combination with a security code, access code or password that would permit access to the account
Medical and/or health insurance information
Controlled Unclassified Information (CUI)
Documents and data labeled or marked ‘For Official Use Only’ are a pre-cursor of Controlled Unclassified Information (CUI) as defined by National Archives (NARA)
Personal Data from European Union (EU)*
Where applicable, the EU’s General Data Protection Regulation (GDPR) defines personal data as any information that can identify a natural person, directly or indirectly, by reference to an identifier including:
An identification number
An online identifier
One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Information related to Georgetown’s network devices and infrastructure, power plant services and configurations