»Data Risk Classification

Chapman is working on classifying our information assets into risk-based categories to assist our community with understanding how to identify and manage data, to protect against unauthorized access.

The Data classification framework is currently in draft format and undergoing reviews. Your feedback and comments are appreciated and can be sent to infosec@chapman.edu.

End-user Self Assessment

End-user self assessment is key.

Toggle Section

Defines the Risk Framework for classifying Chapman data, which is a combination of:
- Regulatory requirements - PII, FERPA, HIPAA, PCI, FISMA, etc.
- Impact to the University's mission, safety, finances, or reputation.
Easy for end-user to self-assess data risk and determine appropriate technical resources to use.
Allow for advance planning for working with research projects and cloud providers.

Self-assess using the Framework.
Use the appropriate IS&T service.
Contact either the Legal or the IS&T department for more details.

Data Risk Classifications at Chapman University

Familiarize yourself with the definitions of low, moderate and high risk in the tabs below:

Toggle Section

The data is intended for public disclosure
The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on our mission, safety, finances, or reputation.
- Examples:
  - Published Research data (at data owner's discretion)
  - Information authorized to be available on or through Chapman's website without Chapman ID authentication
  - Policy and procedure manuals designated by the owner as public
  - Job postings
  - Information in the public domain
  - Publicly available campus maps

The data is not generally available to the public.
The loss of confidentiality, integrity, or availability of the data or system could have a mildly adverse impact on our mission, safety, finances, or reputation.
- Examples:
  - Unpublished research data (at data owner's discretion)
  - Student records and admission applications
  - Faculty/staff employment applications, personnel files, benefits, salary, and personal contact information
  - Non-public Chapman policies and policy manuals
  - Non-public contracts
  - Chapman internal memos and emails, non-public reports, budgets, plans, and financial info
  - University and employee ID numbers
  - Engineering, design, and operational information regarding Chapman infrastructure

Protection of the data is required by law/regulation
Chapman is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed
The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.
- Examples:
  - Health Information, including Protected Health Information
  - Health Insurance policy ID numbers
  - Social Security Numbers
  - Credit card numbers
  - Financial account numbers
  - Export controlled information under U.S. laws
  - Driver's license numbers
  - Passport and visa numbers
  - Donor contact information and non-public gift information
  - Information required to be kept confidential by a Non-Disclosure Agreement or terms of a contract

Certified Use of Chapman Software Products

See products listed in the chart below for a definition of their certified for use for various levels of sensitive data.

PRODUCT	HIGH RISK DATA	MODERATE RISK DATA	LOW RISK DATA
Dropbox	NO
OneDrive
Google Drive	NO
Network Share
CrashPlan

When reviewed and approved by IS&T. Contact infosec@chapman.edu for assistance.
To see the list of approved AI software and their data classification, please visit the AI Hub.

»Data Risk Classification

End-user Self Assessment

Purpose

Your Steps to Take

Data Risk Classifications at Chapman University

LOW Risk - Public

MODERATE Risk

HIGH Risk

Certified Use of Chapman Software Products