Data Risk Classification and Compliance | Information Technology | University of Pittsburgh
!

Data Risk Classification and Compliance

Data Risk Classification

The University of Pittsburgh takes seriously its commitment to protecting the privacy of its students, alumni, faculty, and staff and protecting the confidentiality, integrity, and availability of information essential to the University's academic and research mission. For that reason, we classify our information assets into risk categories to determine who may access the information and what minimum security precautions must be taken to protect it against unauthorized access.

Note: The Pitt IT Security team must assess all systems that transmit, process, or store data classified as Restricted. Please contact the 24/7 IT Help Desk with questions about the appropriate protection of information.

Risk

Restricted Data
High Risk

Private Data
Moderate Risk

Public Data
Low Risk

Description

Protection of the data is required by law/regulation.

The loss of confidentiality, integrity, or availability of the data or system could have a severe adverse impact on our mission, safety, finances, or reputation.

The data is not generally available to the public.

The loss of confidentiality, integrity, or availability of the data or system could have an adverse impact on our mission, safety, finances, or reputation.

The data is intended for public disclosure.

The loss of confidentiality, integrity, or availability of the data or system would have little to no adverse impact on our mission, safety, finances, or reputation.

Data Examples

Social Security Number
Date of Birth
Driver's License/State ID number
Bank/Financial account number
Credit/Debit card number
Visa/Passport number
Electronic Protected Health Information (ePHI)
Export controlled information under U.S. laws
Donor contact information and non-public gift information 
Mental health counseling information
Other information protected by contractual agreements
High risk University Intellectual property

Student records and admission applications
Employment applications, personnel files, benefits, salary, personal contact information
Non-public policies, manuals, and contracts
Internal correspondence, non-public reports, budgets, plans, financial info
University and employee ID numbers
Engineering, design, and operational information regarding infrastructure
Moderate risk University Intellectual property

Directory information
Policy and procedure manuals designated by the owner as public
Job postings
Information in the public domain 
Low risk University Intellectual property

Human Subject Research Data Examples*

Identifiable sensitive human subject data

Identifiable non-sensitive human subject data
De-identified sensitive human subject data

Anonymous human subject data
De-identified non-sensitive human subject data

Storage, Transmission, and Collaboration

Storage is prohibited on computing equipment unless registered with and approved by Pitt IT. 
Encryption in transit and at rest is required.
Legal, ethical, or other constraints prevent access without specific authorization.

Data may be stored on departmental, Pitt IT hosted or approved cloud-based systems. 
Encryption in transit is required.
May be accessed by Pitt affiliates and non-employees with authorization.

Data may be stored on departmental, Pitt IT hosted or approved cloud-based systems. 
Encryption in transit is not required but is recommended.
No specific access restrictions.

*Human Subject Research Data is considered sensitive when the disclosure of information could have adverse consequences for subjects or others, place them at risk for criminal or civil liability, or damage their financial standing, employability, insurability, or reputation.

 

Data Classification Compliance

Protecting sensitive data is a shared responsibility. Pitt IT provides guidance and resources to store data securely.  You are responsible for ensuring that your use of permitted services complies with laws, regulations, and policies where applicable. Please contact the 24/7 IT Help Desk with questions about the appropriate protection of information.

Service Maximum Acceptable Data Class

FERPA

Non-Directory Student Records

GLBA

Financial Aid

HIPAA

Protected Health Information

NIST

Controlled Unclassified Information

PCI DSS

Payment Card Information

Cloud Platforms
Amazon Web Services, 
Google Cloud Platform,
Microsoft Azure
Restricted Data type is permitted Security consultation required Security consultation required Security consultation required Security consultation required
Cloud Storage
OneDrive/SharePoint
Restricted Data type is permitted Security consultation required Security consultation required Security consultation required Security consultation required
Cloud Storage
G Suite/Google Drive
Public Security consultation required Security consultation required Data type is not permitted Security consultation required Data type is not permitted
Document Management
ImageNow
Restricted Data type is permitted Security consultation required Data type is not permitted Security consultation required Security consultation required
Electronic Research Notebooks
LabArchives
Restricted Data type is permitted Data type is not permitted Security consultation required Security consultation required Data type is not permitted
Email Public Data type is not permitted Data type is not permitted Data type is not permitted Data type is not permitted Data type is not permitted
Email – Encrypted Restricted Security consultation required Security consultation required Security consultation required Security consultation required Data type is not permitted
eSignature Service 
DocuSign
Restricted Data type is permitted Data type is permitted Data type is permitted Security consultation required Security consultation required
Learning Management System 
Canvas
Private Data type is permitted Data type is not permitted Data type is not permitted Data type is not permitted Data type is not permitted
Online Survey System 
Qualtrics
Restricted Data type is permitted Security consultation required Security consultation required Security consultation required Security consultation required
Student Information System 
PeopleSoft
Restricted Data type is permitted Data type is permitted Data type is not permitted Data type is not permitted Data type is not permitted
Videoconferencing 
Teams
Restricted Data type is permitted Data type is permitted Data type is permitted Security consultation required Security consultation required
Videoconferencing 
Zoom
Private Data type is permitted Data type is not permitted Data type is not permitted Security consultation required Data type is not permitted
Videoconferencing
Sensitive/HIPAA Zoom
Restricted Data type is permitted Data type is permitted Data type is permitted Security consultation required Security consultation required

 

Key
Data type is permitted Data type is permitted
Security consultation required Security consultation required
Data type is not permitted Data type is not permitted

 

 

 

 

 

 

Data Classification Levels
Restricted High risk, sensitive data – Disclosure may cause severe harm
Private Moderate risk, confidential data – Disclosure may cause harm
Public Low risk internal or public data – Disclosure poses little to no harm