Data or Information Systems are considered High Risk if:
- Data is confidential, restricted, or sensitive
- Protection of the data is required by law, regulation, or sponsor requirements
- The University is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed
- The loss of confidentiality, integrity, or availability could have a significant adverse impact on organizational mission, operations, assets, reputation, or on individuals
Information Systems that access, process, transmit, or store High Risk data are required to implement appropriate Minimum Security Standards for High Risk Data, and any additional compliance requirements applicable by agreement or regulation. High Risk data may not be stored on personal devices or in personal cloud environments unless approved through an IT Policy Exception Request.
Additional information on Minimum Security Standards is available in ITS-06: Configuration Management Standard.
Sharing of High Risk data with a third party service provider must be authorized by NU ITS, the Office of the Vice President, and General Counsel. All research data and/or materials transferred to or from the University shall be shared or transferred in accordance with all applicable international, federal, state, University, or sponsor requirements.
High Risk DR/BC Objective
- Data or Information System can be unavailable for 0 – 8 business hours.
- Data or Information System cannot be regenerated or could be with significant effort.
- University business is unable to continue or able to continue with a significant impact.