Data Risk Classification

Chapman is working on classifying our information assets into risk-based categories to help our community understand how to identify and manage data and protect it against unauthorized access.

The data classification framework is currently in draft format and undergoing review. Your feedback and comments are appreciated and can be sent to infosec@chapman.edu.

Steps:

  • Self-assess using the Framework
  • Use appropriate IS&T service
  • Contact either the Legal or IS&T department for more detail

Data Risk Classifications at Chapman University

  • LOW Risk - Public
    • The data is intended for public disclosure
    • The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on our mission, safety, finances or reputation.
      Examples:
      • Published research data (at data owner's discretion)
      • Information authorized to be available on or through Chapman's website without Chapman ID authentication
      • Policy and procedure manuals designated by the owner as public
      • Job postings
      • Information in the public domain
      • Publicly available campus maps
  • MODERATE Risk
    • The data is not generally available to the public
    • The loss of confidentiality, integrity or availability of the data or system could have a mildly adverse impact on our mission, safety, finances or reputation.
      Examples:
      • Unpublished research data (at data owner's discretion)
      • Student records and admission applications
      • Faculty/staff employment applications, personnel files, benefits, salary, personal contact information
      • Non-public Chapman policies and policy manuals
      • Non-public contracts
      • Chapman internal memos and email, non-public reports, budgets, plans, financial info
      • University and employee ID numbers
      • Engineering, design, and operational information regarding Chapman infrastructure
  • HIGH Risk
    • Protection of the data is required by law/regulation
    • Chapman is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed
    • The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.
      Examples:
      • Health information, including Protected Health Information
      • Health insurance policy ID numbers
      • Social Security numbers
      • Credit card numbers
      • Financial account numbers
      • Export controlled information under U.S. laws
      • Driver's license numbers
      • Passport and visa numbers
      • Donor contact information and non-public gift information
      • Information required to be kept confidential by a Non-Disclosure Agreement or terms of a contract

Purpose

End-user self-assessment is key

  • Defines the Risk Framework for classifying Chapman data, which is a combination of:
    • Regulatory requirements - PII, FERPA, HIPAA, PCI, FISMA, etc.
    • Impact to the University mission, safety, finances or reputation
  • Makes it easy for end users to self-assess data risk and determine the appropriate technical resources to use
  • Allows for advance planning when working with research projects and cloud providers