How to identify "High Risk" data?

Overview

To assist users in complying with Data Classifications and Standards, these guidelines provide examples of data that are known to fall into a given category. For further assistance, contact the data steward or ITS Security. All data for a given classification must be protected with the technical controls outlined in ITS Standards for Data Classifications.

The examples below are not an exhaustive list. A single document containing multiple types of data must be classified and protected according to the highest risk data that is present.

 

High Risk Data

Per APM 30.11, High Risk data is data that: "The potential effect on loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on university operations, individuals, or assets."

Examples of elements automatically considered High Risk because of Idaho breach law:

  • Social Security Number (SSN) in combination with name or identifier
  • (Bank) account number, or credit or debit card number, in combination with any required security code, access code, or password
  • Driver's license number in combination with name

Examples of High Risk data because of other determinations, including other legal or contractual requirements:

  • Passwords
  • U of I donor information, including individual demographics
  • Data that must be controlled under NIST 800-171, such as CUI (Controlled Unclassified Information). Supplemental controls and a System Security Plan are required; please contact the Information Security Office for assistance.
  • HIPAA Personal Health Information (PHI), if in association with the UI employee benefits program
  • Passport numbers
  • Any data managed by UI where encryption at rest is required

 

Moderate Risk Data

Per APM 30.11, Moderate Risk data is data that: "The potential effect of loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on university operations, individuals, or assets."

Examples of Moderate Risk data:

  • FERPA-protected information, unless otherwise classified as High Risk, including:
    • Personally identifiable information of any student that can identify an individual and their courses, grades
    • Student directory information, if the student has requested confidentiality
    • Student ID number (including V number) in combination
    • V number of an employee (if they are also a student)
    • PHI of students, if managed by the university under an approved security plan
  • Customer Information (see GLBA), including non-public personally identifiable information on any person, including name, address, email address, phone numbers, IP address, biometrics, etc.; any personally identifiable financial information; or any list, description or grouping of consumers derived using non-public personally identifiable financial information.
  • Any data that we are obligated to protect under the university Privacy Statement
  • Any data, even if intended to be public, that are working documents not yet ready for publishing
  • Federally-funded research per NSPM-33
  • Employee records, including performance evaluations, disciplinary actions, or related info

 


Details

Article ID: 1659
Created: Wed 6/3/20 5:33 PM
Modified: Mon 4/1/24 1:35 PM
