Data Risk Classification

Chapman is working on classifying our information assets into risk-based categories to help our community understand how to identify and manage data and protect it against unauthorized access.

The data classification framework is currently in draft format and undergoing review. Your feedback and comments are appreciated and can be sent to infosec@chapman.edu.

End-user Self Assessment

End-user self assessment is key.



Purpose

  • Defines the Risk Framework for classifying Chapman data, which is a combination of:
    • Regulatory requirements - PII, FERPA, HIPAA, PCI, FISMA etc.
    • Impact to the University mission, safety, finances or reputation
  • Makes it easy for end users to self-assess data risk and determine the appropriate technical resources to use
  • Allows for advance planning when working with research projects and cloud providers

Your Steps to Take

  1. Self-assess using the Framework
  2. Use appropriate IS&T service
  3. Contact either Legal or IS&T department for more detail

Data Risk Classifications at Chapman University

Familiarize yourself with the definitions of low, moderate and high risk in the tabs below:

  • LOW Risk - Public
    • The data is intended for public disclosure
    • The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on our mission, safety, finances or reputation. Examples:
      • Published Research data (at data owner's discretion)
      • Information authorized to be available on or through Chapman's website without Chapman ID authentication
      • Policy and procedure manuals designated by the owner as public
      • Job postings
      • Information in the public domain
      • Publicly available campus maps
  • MODERATE Risk
    • The data is not generally available to the public
    • The loss of confidentiality, integrity or availability of the data or system could have a mildly adverse impact on our mission, safety, finances or reputation.
      Examples:
      • Unpublished research data (at data owner's discretion)
      • Student records and admission applications
      • Faculty/staff employment applications, personnel files, benefits, salary, personal contact information
      • Non-public Chapman policies and policy manuals
      • Non-public contracts
      • Chapman internal memos and email, non-public reports, budgets, plans, financial info
      • University and employee ID numbers
      • Engineering, design, and operational information regarding Chapman infrastructure
  • HIGH Risk
    • Protection of the data is required by law/regulation
    • Chapman is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed
    • The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.
      Examples:
      • Health Information, including Protected Health Information
      • Health Insurance policy ID numbers
      • Social Security Numbers
      • Credit card numbers
      • Financial account numbers
      • Export controlled information under U.S. laws
      • Driver's license numbers
      • Passport and visa numbers
      • Donor contact information and non-public gift information
      • Information required to be kept confidential by a Non-Disclosure Agreement or terms of a contract

Certified Use of Chapman Software Products

See the chart below for whether each product is certified for use with each level of sensitive data. If a product is marked "tbd", we are still determining how to classify it.

| PRODUCT | HIGH RISK DATA | MODERATE RISK DATA | LOW RISK DATA |
|---|---|---|---|
| Dropbox | tbd | YES is certified | YES is certified |
| OneDrive | tbd | tbd | YES is certified |
| Google Drive | tbd | YES is certified | YES is certified |
| Network Share | YES is certified | YES is certified | YES is certified |
| CrashPlan | YES is certified | YES is certified | YES is certified |