The University of Nebraska is committed to protecting the privacy of its students, alumni, faculty and staff, as well as protecting the confidentiality, integrity and availability of information important to the University's mission. With the adoption of Executive Memorandum No. 42 – Policy on Risk Classification and Minimum Security Standards – data risk classifications have been established for University of Nebraska data and information systems. All university data and information systems can be classified into one of the following categories: Low Risk, Medium Risk, or High Risk. Each risk classification utilizes appropriate Minimum Security Standards that align to National Institute of Standards and Technology (NIST) frameworks (800-53, 800-171). Some data may also be classified by an agreement or regulation that imposes additional compliance requirements.
This page is intended to be a summary or quick reference for those seeking risk classification guidance for Executive Memorandum No. 42 when accessing, processing, transmitting, or storing university data and information systems. Information on Minimum Security Standards is available in ITS-06: Configuration Management Standard.
A Risk Classification Self Assessment tool is available to assist with identifying the appropriate risk classification for data or an information system. It follows a high watermark methodology, where the highest classification of any data element determines the overall risk classification of the system. Example: If a single High Risk element and 10 Low Risk elements are identified during classification, the overall classification of the system will be High Risk. The assessment will include items related to Disaster Recovery (DR) and Business Continuity (BC) as part of the overall risk classification. The NU ITS Security Team is also available for assistance with classifying institutional data and information systems.