Data Risk Classification and Compliance Operating Standard

Data Risk Classification

The University of Pittsburgh takes seriously its commitment to protecting the privacy of its students, alumni, faculty, and staff and protecting the confidentiality, integrity, and availability of information essential to the University's academic and research mission. For that reason, we classify our information assets into risk categories to determine who may access the information and what minimum security precautions must be taken to protect it against unauthorized access.

Note: The Pitt IT Security team must assess all systems that transmit, process, or store data classified as Restricted. Please contact the 24/7 IT Help Desk with questions about the appropriate protection of information.

Risk	Restricted Data High Risk	Private Data Moderate Risk	Public Data Low Risk
Definition	Data that must be protected by law, regulation, or University policy. Loss of confidentiality, integrity, or availability of this data or systems on which it is stored and used could have a severe adverse impact on the University's mission, safety, finance, or reputation. The loss of confidentiality, integrity, or availability of the data or system could have a severe adverse impact on our mission, safety, finances, or reputation.	Data that is not generally available to the general public. Loss of confidentiality, integrity, or availability of this data or the systems on which it is stored and used could have an adverse impact on the University's mission, safety, finance, or reputation. The loss of confidentiality, integrity, or availability of the data or system could have an adverse impact on our mission, safety, finances, or reputation.	Data that is intended for public disclosure and use. Loss of confidentiality, integrity, or availability of this data would have little to no adverse impact on the University's mission, safety, finance, or reputation. The loss of confidentiality, integrity, or availability of the data or system would have little to no adverse impact on our mission, safety, finances, or reputation.
Data Examples	Social Security Number Date of Birth Driver's License/State ID number Bank/Financial account number Credit/Debit card number Visa/Passport number Electronic Protected Health Information (ePHI) Controlled Unclassified Information (CUI) Export controlled information under U.S. laws Donor contact information and non-public gift information Mental health counseling information Other information protected by contractual agreements High risk University Intellectual property	Student records and admission applications Employment applications, personnel files, benefits, salary, personal contact information Non-public policies, manuals, and contracts Internal correspondence, non-public reports, budgets, plans, financial info University and employee ID numbers Engineering, design, and operational information regarding infrastructure Moderate risk University Intellectual property	Directory information Policy and procedure manuals designated by the owner as public Job postings Information in the public domain Low risk University Intellectual property
Human Subject Research Data Examples*	Identifiable sensitive human subject data	Identifiable non-sensitive human subject data De-identified sensitive human subject data	Anonymous human subject data De-identified non-sensitive human subject data
Storage, Transmission, and Collaboration	Storage is prohibited on computing equipment unless registered with and approved by Pitt IT. Encryption in transit and at rest is required. Legal, ethical, or other constraints prevent access without specific authorization.	Data may be stored on departmental, Pitt IT hosted or approved cloud-based systems. Encryption in transit is required. May be accessed by Pitt affiliates and non-employees with authorization.	Data may be stored on departmental, Pitt IT hosted or approved cloud-based systems. Encryption in transit is not required but is recommended. No specific access restrictions.

*Human Subject Research Data is considered sensitive when the disclosure of information could have adverse consequences for subjects or others, place them at risk for criminal or civil liability, or damage their financial standing, employability, insurability, or reputation.

Data Classification Compliance

Protecting sensitive data is a shared responsibility. Pitt IT provides guidance and resources to store data securely. You are responsible for ensuring that your use of permitted services complies with laws, regulations, and policies where applicable.

Entering data into non-approved AI tools such as DeepSeek or ChatGPT carries the inherent risk of that data being compromised or mishandled, potentially leading to serious consequences such as privacy violations, financial loss, or reputational damage. The use of restricted or private data in these tools is strictly prohibited.

Please contact the Technology Help Desk with questions about the appropriate protection of information.

Key
	Data type is permitted. Please follow the Security Guide where available.
	Data type is generally permitted. Contact Pitt IT for a security consultation before use.
	Data type is not permitted due to regulatory compliance or high risk.

Data Classification Levels
Restricted	High risk, sensitive data – Disclosure may cause severe harm
Private	Moderate risk, confidential data – Disclosure may cause harm
Public	Low risk internal or public data – Disclosure poses little to no harm

Service Security Guide	Maximum Acceptable Data Class	REGULATED DATA
Service Security Guide	Maximum Acceptable Data Class	FERPA Non-Directory Student Records	GLBA Student Financial Information	HIPAA Protected Health Information	NIST 800-171 Controlled Unclassified Information	PCI DSS Payment Card Information
Enterprise Cloud Computing Amazon Web Services, Google Cloud Platform, Microsoft Azure	Restricted
Cloud Storage OneDrive/SharePoint OneDrive Security Guide SharePoint Security Guide	Restricted
Cloud Storage G Suite/Google Drive Google Drive Security Guide	Public
Document Management Perceptive Content/ImageNow	Restricted
eFax	Restricted
Electronic Research Notebooks LabArchives	Restricted
Email	Public
Email – Encrypted	Restricted
Enterprise Storage (Isilon / PowerScale) – Non-restricted Access Zone	Private
Enterprise Storage (Isilon / PowerScale) – Restricted Access Zone	Restricted
eSignature Service (DocuSign) eSignature Security Guide	Restricted
Learning Management System Canvas	Private
Lecture Capture (Panopto) Panopto Security Guide	Private
Microsoft Copilot for Microsoft 365 Copilot for Microsoft 365 Security Guide	Restricted
Online Survey System (Qualtrics) Qualtrics Security Guide	Restricted
Student Information System (PeopleSoft)	Restricted
Videoconferencing Teams Teams Security Guide	Restricted
Videoconferencing Zoom Zoom Security Guide	Private
Videoconferencing Sensitive/HIPAA Zoom	Restricted

Security Standards and Best Practices

Security Monitoring and Alerts

Information Technology regularly reviews news about major security vulnerabilities that impact computers widely used by the University community, and monitors for attacks directed against University computers.

When University computers are at risk, we post security alerts here on our website.

Stay Updated

Stay updated on the latest Pitt IT news, services, and events:

Subscribe to the Pitt IT e-Newsletter:
- Student IT Newsletter
- Faculty & Staff IT Newsletter
Read the Pitt IT Blog, Panther Bytes
Like and follow @UPittIT on Facebook, Twitter or Instagram
Sign up to receive text updates:
- For IT News, text* itnews username to 970-610-6092
- For IT Alerts, text* italerts username to 970-610-6092

* Standard text messaging charges apply

Information Technology

Search form

Search form

You are here

Data Risk Classification and Compliance Operating Standard