Overview
To assist users in complying with Data Classifications and Standards, these guidelines provide examples of data that are known to fall into a given category. For further assistance contact the data steward or ITS Security. All data for a given classification must be protected with technical controls outlined in ITS Standards for Data Classifications.
The examples below are not an exhaustive list. A single document containing multiple types of data must be classified and protected according to the highest risk data that is present.
Per APM 30.11, High Risk data is data that: "The potential effect on loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on university operations, individuals, or assets."
Examples of elements automatically considered High Risk because of Idaho breach law:
- Social Security Number (SSN) in combination with name or identifier
- (Bank) account number, or credit or debit card number, in combination with any required security code, access code, or password
- Driver's license number in combination with name
Examples of High Risk data because of other determinations, including other legal or contractual requirements:
- Passwords
- U of I donor information, including individual demographics
- Data that must be controlled under NIST 800-171, such as CUI (Controlled Unclassified Information). Supplemental controls and a System Security Plan are required; please contact the Information Security Office for assistance.
- HIPAA Personal Health Information (PHI), if in association with the UI employee benefits program
- Passport numbers
- Any data managed by UI where encryption at rest is required
Per APM 30.11, Moderate Risk data is data that: "The potential effect of loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on university operations, individuals, or assets."
Examples of Moderate Risk data:
- FERPA-protected information, unless otherwise classified as High Risk, including
- Personally identifiable information of any student that can identify an individual and their courses, grades
- Student directory information, if the student has requested confidentiality
- Student ID number (including V number) in combination
- V number of an employee (if they are also a student)
- PHI of students, if managed by the university under an approved security plan
- Customer Information (see GLBA), including non-public personally identifiable information on any person, including name, address, email address, phone numbers, IP address, biometrics, etc.; any personally identifiable financial information; or any list, description or grouping of consumers derived using non-public personally identifiable financial information.
- Any data that we are obligated to protect under the university Privacy Statement
- Any data, even if intended to be public, in working documents not yet ready for publishing
- Federally-funded research per NSPM-33
- Employee records, including performance evaluations, disciplinary actions, or related info