» Data Risk Classification

Chapman is working on classifying our information assets into risk-based categories to assist our community with understanding how to identify and manage data, to protect against unauthorized access.

The Data classification framework is currently in draft format and undergoing reviews.  Your feedback and comments are appreciated and can be sent to infosec@chapman.edu.

End-user Self Assessment

End-user self assessment is key.


Toggle Section

Data Risk Classifications at Chapman University

Familiarize yourself with the definitions of low, moderate and high risk in the tabs below:

  • LOW Risk - Public
  • MODERATE Risk
  • HIGH Risk
    • The data is intended for public disclosure
    • The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on our mission, safety, finances or reputation.  Examples:
      • Published Research data (at data owner's discretion)
      • Information authorized to be available on or through Chapman's website without Chapman ID authentication
      • Policy and procedure manuals designated by the owner as public
      • Job postings
      • Information in the public domain
      • Publicly available campus maps
    • The data is not generally available to the public
    • The loss of confidentiality, integrity or availability of the data or system could have a mildly adverse impact on our mission, safety, finances or reputation.
      Examples:
      • Unpublished research data (at data owner's discretion)
      • Student records and admission applications
      • Faculty/staff employment applications, personnel files, benefits, salary, personal contact information
      • Non-public Chapman policies and policy manuals
      • Non-public contracts
      • Chapman internal memos and email, non-public reports, budgets, plans, financial info
      • University and employee ID numbers
      • Engineering, design, and operational information regarding Chapman infrastructure
    • Protection of the data is required by law/regulation
    • Chapman is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed
    • The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.
      Examples:
      • Health Information, including Protected Health Information
      • Health Insurance policy ID numbers
      • Social Security Numbers
      • Credit card numbers
      • Financial account numbers
      • Export controlled information under U.S. laws
      • Driver's license numbers
      • Passport and visa numbers
      • Donor contact information and non-public gift information
      • Information required to be kept confidential by a Non-Disclosure Agreement or terms of a contract

Certified Use of Chapman Software Products

See products listed in the chart below for a definition of their certified for use for various levels of sensitive data. 

PRODUCT HIGH RISK DATA MODERATE RISK DATA LOW RISK DATA
Dropbox NO  YES is certified  YES is certified
OneDrive YES is certified(*) YES is certified YES is certified 
Google Drive  NO YES is certified   YES is certified
Network Share  YES is certified YES is certified  YES is certified 
CrashPlan  YES is certified YES is certified   YES is certified

* When reviewed and approved by IS&T. Contact infosec@chapman.edu for assistance.