Skip to main content
University of Nebraska Logo

Medium Risk Data

Data or Information Systems are Medium Risk if they are not considered to be High Risk; and:

  • The data is not legally available to the public; or
  • The loss of confidentiality, integrity, or availability could have a moderate adverse impact on organizational mission, operations, assets, reputation, or on individuals.

Information Systems that access, process, transmit, or store Medium Risk data are required to implement appropriate Minimum Security Standards for Medium Risk Data, and any additional compliance requirements applicable by agreement or regulation. Medium Risk data may not be stored on personal devices or in personal cloud environments unless approved through an IT Policy Exception Request.

Sharing of Medium Risk data with a third party service provider must be authorized by NU ITS, the Office of the Vice President, and General Counsel. All research data and/or materials transferred to or from the University shall be shared or transferred in accordance with all applicable international, federal, state, University, or sponsor requirements.

Medium Risk DR/BC Objective

  • Data or Information System can be unavailable for 8:01 – 24 business hours.
  • Data or Information System can be regenerated with moderate effort.
  • University business can continue with a moderate impact.

IT Risk Classification

Contact NU ITS Security

Need assistance or have questions related to IT Security? Email the NU ITS Security team at security@nebraska.edu for support.

 

IT Policy Exception Request
IT Policies & Standards

Not sure how to classify your data?

Take the Risk Classification Self-Assessment

Examples of Medium Risk Data

  • Personally identifiable student, faculty, and staff information/records that do not contain high risk data
  • Engineering, design, and operational information regarding the University’s physical or technical infrastructure
  • Human subjects research data that does not contain high risk data
  • Information that could fall under a dual use category as having both military and civilian application
  • All internal communications that do not contain High Risk Data
  • All internal memos and email that do not contain High Risk Data
  • Non-public reports
  • Budgets, plans, and financial information
  • IT planning or audit records (logs, assessments, reports, plans, diagrams, etc)
  • Student transcripts and grades (FERPA)
  • Student degree information
  • Student class schedules
  • Student advising records
  • Student disciplinary records
  • Athletics or department recruiting information
  • NUID
  • Employee payroll and/or benefits information
  • Employee disability status
  • Employee biographic/demographic data
  • Employee date and location of birth
  • Employee country of citizenship
  • Employee marital status