The University of Nebraska is committed to protecting the privacy of its students, alumni, faculty and staff, as well as protecting the confidentiality, integrity and availability of information important to the University's mission. With the adoption of Executive Memorandum No. 42 – Policy on Risk Classification and Minimum Security Standards – data risk classifications have been established for University of Nebraska data and information systems. All university data and information systems can be classified into one of the following categories: Low Risk, Medium Risk, or High Risk. Each risk classification utilizes appropriate Minimum Security Standards that align to National Institute of Standards and Technology (NIST) frameworks (800-53, 800-171). Some data may also be classified by agreement or regulation requiring additional compliance requirements.
This page is intended to be a summary or quick reference for those seeking risk classification guidance for Executive Memorandum No. 42 when accessing, processing, transmitting, or storing university data and information systems. Information on Minimum Security Standards is available in ITS-06: Configuration Management Standard.
A Risk Classification Self Assessment tool is available to assist with identifying the appropriate risk classification for data or an information system following a high watermark methodology where the highest classification of any data element determines the overall risk classification of the system. Example: If a single element of High Risk is identified and 10 elements of low risk are also identified during classification, the overall classification of the system will be High Risk. The assessment will include items related to Disaster Recovery (DR) and Business Continuity (BC) as part of the overall risk classification. The ITS Security Team is also available for assistance with classifying institutional data and information systems.
High Risk Data
Data or Information Systems are considered High Risk if:
- Data is confidential, restricted, or sensitive
- Protection of the data is required by law, regulation, or sponsor requirements
- The University is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed
- The loss of confidentiality, integrity, or availability could have a significant adverse impact on organizational mission, operations, assets, reputation, or on individuals
Information Systems that access, process, transmit, or store High Risk data are required to implement appropriate Minimum Security Standards for High Risk Data, and any additional compliance requirements applicable by agreement or regulation. High Risk data may not be stored on personal devices or in personal cloud environments unless approved through an IT Policy Exception Request.
Additional information on Minimum Security Standards is available in ITS-06: Configuration Management Standard.
Sharing of High Risk data with a third party service provider must be authorized by NU ITS, the Office of the Vice President, and General Counsel. All research data and/or materials transferred to or from the University shall be shared or transferred in accordance with all applicable international, federal, state, University, or sponsor requirements.
Examples of High Risk Data Elements
-
Social Security Number
-
Tax Identification Number
-
Driver's License Number
-
State Issued ID Card Number
-
Passport Number
-
Visa Number
-
Unique biometric data: such as a fingerprint, voice print, or retina or iris image, or other unique physical representation.
-
Credit or Debit Card Numbers (PCI)
-
Financial Account Numbers
-
Protected Health Information (PHI)
-
International Traffic in Arms Regulations (ITAR) Information
-
Federally Controlled Unclassified Information (CUI)
-
Identifiable human subject research data
-
Data on Student Illegal Behaviors
-
Data on Student Drug or Alcohol Abuse
-
Data on Student Sexual Behavior
-
Student mental health or other sensitive health or genetic information
-
Student Health Information
-
Student financial data (Loans, aid, grants)
-
Student Payment History
-
Employee W-2, W-4, W-9, 1099, etc...
-
Employee grievance information
-
Employee disciplinary records
-
Decoding table for coded Human subjects research data
-
Other data covered by contractual, regulatory, or statutory requirements
High Risk DR/BC Objective
- Data or Information System can be unavailable for 0 – 8 business hours.
- Data or Information System cannot be regenerated or could be with significant effort.
- University business is unable to continue or able to continue with a significant impact.
Medium Risk
Data or Information Systems are Medium Risk if they are not considered to be High Risk; and:
- The data is not legally available to the public; or
- The loss of confidentiality, integrity, or availability could have a moderate adverse impact on organizational mission, operations, assets, reputation, or on individuals.
Information Systems that access, process, transmit, or store Medium Risk data are required to implement appropriate Minimum Security Standards for Medium Risk Data, and any additional compliance requirements applicable by agreement or regulation. Medium Risk data may not be stored on personal devices or in personal cloud environments unless approved through an IT Policy Exception Request.
Sharing of Medium Risk data with a third party service provider must be authorized by NU ITS, the Office of the Vice President, and General Counsel. All research data and/or materials transferred to or from the University shall be shared or transferred in accordance with all applicable international, federal, state, University, or sponsor requirements.
ITS - IT Risk Classification - Examples of Medium Risk Data Elements
- Personally identifiable student, faculty, and staff information/records that do not contain high risk data
- Engineering, design, and operational information regarding the University’s physical or technical infrastructure
- Human subjects research data that does not contain high risk data
- Information that could fall under a dual use category as having both military and civilian application
- All internal communications that do not contain High Risk Data
- All internal memos and email that do not contain High Risk Data
- Non-public reports
- Budgets, plans, and financial information
- IT planning or audit records (logs, assessments, reports, plans, diagrams, etc)
- Student transcripts and grades (FERPA)
- Student degree information
- Student class schedules
- Student advising records
- Student disciplinary records
- Athletics or department recruiting information
- NUID
- Employee payroll and/or benefits information
- Employee disability status
- Employee biographic/demographic data
- Employee date and location of birth
- Employee country of citizenship
- Employee marital status
Medium Risk DR/BC Objective
- Data or Information System can be unavailable for 8:01 – 24 business hours.
- Data or Information System can be regenerated with moderate effort.
- University business can continue with a moderate impact.
Low Risk Data
Data or Information Systems are classified as Low Risk if:
- They are not considered to be Medium or High Risk;
- The data can generally be made available to the public without harm to the University, entities with an affiliation to the University, or to individuals; and
- The loss of confidentiality, integrity, or availability would have a limited adverse effect on organizational mission, operations, assets, regulation, or on individuals.
Information Systems that access, process, transmit, or store Low Risk data are required to implement appropriate Minimum Security Standards for Low Risk Data.
Examples of Low Risk Data Elements
- Surveys of personal opinions
- Export Administration Regulation 99 (EAR 99)
- Publicly available manuscripts and associated data
- Public directory information
- Personal data - Non University data
- University job postings
- Publicly available campus maps
- University of Nebraska Human Resources Handbook for Policies
- Publicly available University Policies
- Other information not listed
- Personal, Non-University Data (Only your own data, not others)
- Data or Information System can be unavailable for 24+ business hours.
- Data or Information System can be regenerated with limited effort.
- University business can continue with a limited impact.