Guidelines to Identify High Risk Data

Overview

To assist users in complying with Data Classifications and Standards, these guidelines provide examples of data that are known to fall into a given category. For further assistance, contact the data steward or ITS Security. All data for a given classification must be protected with technical controls outlined in ITS Standards for Data Classifications.

The examples below are not an exhaustive list. A single document containing multiple types of data must be classified and protected according to the highest risk data that is present.

High Risk Data

Per APM 30.11, High Risk data is data that: "The potential effect on loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on university operations, individuals, or assets."

Examples of elements automatically considered High Risk because of Idaho breach law:

  • Social Security Number (SSN) in combination with name or identifier
  • (Bank) account number, or credit or debit card number, in combination with any required security code, access code, or password
  • Driver's license number in combination with name

Examples of High Risk data because of other determinations, including other legal or contractual requirements:

  • Passwords
  • U of I donor information, including individual demographics
  • Data that must be controlled under NIST 800-171
  • HIPAA Personal Health Information (PHI), if in association with the UI employee benefits program
  • Passport numbers
  • Any data managed by UI where encryption at rest is required

Moderate Risk Data

Per APM 30.11, Moderate Risk data is data that: "The potential effect of loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on university operations, individuals, or assets."

Examples of Moderate Risk data:

  • FERPA-protected information, unless otherwise classified as High Risk, including
    • Personally identifiable information of any student that can identify an individual and their courses, grades
    • Student directory information, if the student has requested confidentiality
    • Student ID number (including V number) in combination
    • V number of an employee (if they are also a student)
    • PHI of students, if managed by the university
  • Personally Identifiable Information on any person, including name, address, email address, phone numbers, IP address, biometrics, etc.
  • Any data that we are obligated to protect under the university Privacy Statement
  • Any data, even if intended to be public, that are working documents not yet ready for publishing
  • Employee records, including performance evaluations, disciplinary actions, or related info

 

Details

Article ID: 1659
Created: Wed 6/3/20 5:33 PM
Modified: Thu 6/18/20 11:55 AM