Data Risk Classification and Compliance
Data Risk Classification
The University of Pittsburgh takes seriously its commitment to protecting the privacy of its students, alumni, faculty, and staff and protecting the confidentiality, integrity, and availability of information essential to the University's academic and research mission. For that reason, we classify our information assets into risk categories to determine who may access the information and what minimum security precautions must be taken to protect it against unauthorized access.
Note: The Pitt IT Security team must assess all systems that transmit, process, or store data classified as Restricted. Please contact the 24/7 IT Help Desk with questions about the appropriate protection of information.
Risk | Restricted Data | Private Data | Public Data |
---|---|---|---|
Description | Protection of the data is required by law/regulation. The loss of confidentiality, integrity, or availability of the data or system could have a severe adverse impact on our mission, safety, finances, or reputation. | The data is not generally available to the public. The loss of confidentiality, integrity, or availability of the data or system could have an adverse impact on our mission, safety, finances, or reputation. | The data is intended for public disclosure. The loss of confidentiality, integrity, or availability of the data or system would have little to no adverse impact on our mission, safety, finances, or reputation. |
Data Examples | Social Security Number | Student records and admission applications | Directory information |
Human Subject Research Data Examples* | Identifiable sensitive human subject data | Identifiable non-sensitive human subject data | Anonymous human subject data |
Storage, Transmission, and Collaboration | Storage is prohibited on computing equipment unless registered with and approved by Pitt IT. | Data may be stored on departmental, Pitt IT hosted or approved cloud-based systems. | Data may be stored on departmental, Pitt IT hosted or approved cloud-based systems. |
*Human Subject Research Data is considered sensitive when the disclosure of information could have adverse consequences for subjects or others, place them at risk for criminal or civil liability, or damage their financial standing, employability, insurability, or reputation.
Data Classification Compliance
Protecting sensitive data is a shared responsibility. Pitt IT provides guidance and resources to store data securely. You are responsible for ensuring that your use of permitted services complies with laws, regulations, and policies where applicable. Please contact the 24/7 IT Help Desk with questions about the appropriate protection of information.
Key | |
---|---|
![]() | Data type is permitted. Please follow the Security Guide where available. |
![]() | Data type is generally permitted. Contact Pitt IT for a security consultation before use. |
![]() | Data type is not permitted due to regulatory compliance or high risk. |
Data Classification Levels | |
---|---|
Restricted | High risk, sensitive data – Disclosure may cause severe harm |
Private | Moderate risk, confidential data – Disclosure may cause harm |
Public | Low risk internal or public data – Disclosure poses little to no harm |
| Service Security Guide | Maximum Acceptable Data Class | Regulated Data: Non-Directory Student Records | Regulated Data: Student Financial Information | Regulated Data: Protected Health Information | Regulated Data: Payment Card Information | |
|---|---|---|---|---|---|---|
| Enterprise Cloud Computing (Amazon Web Services, Google Cloud Platform, Microsoft Azure) | Restricted | ![]() | ![]() | ![]() | ![]() | ![]() |
| Cloud Storage | Restricted | ![]() | ![]() | ![]() | ![]() | ![]() |
| Cloud Storage (G Suite/Google Drive) | Public | ![]() | ![]() | ![]() | ![]() | ![]() |
| Document Management (Perceptive Content/ImageNow) | Restricted | ![]() | ![]() | ![]() | ![]() | ![]() |
| Electronic Research Notebooks (LabArchives) | Restricted | ![]() | ![]() | ![]() | ![]() | ![]() |
| | Public | ![]() | ![]() | ![]() | ![]() | ![]() |
| Email – Encrypted | Restricted | ![]() | ![]() | ![]() | ![]() | ![]() |
| Enterprise Storage (Isilon / PowerScale) – Non-restricted Access Zone | Private | ![]() | ![]() | ![]() | ![]() | ![]() |
| Enterprise Storage (Isilon / PowerScale) – Restricted Access Zone | Restricted | ![]() | ![]() | ![]() | ![]() | ![]() |
| eSignature Service (DocuSign) | Restricted | ![]() | ![]() | ![]() | ![]() | ![]() |
| Learning Management System (Canvas) | Private | ![]() | ![]() | ![]() | ![]() | ![]() |
| Lecture Capture (Panopto) | Private | ![]() | ![]() | ![]() | ![]() | ![]() |
| | Restricted | ![]() | ![]() | ![]() | ![]() | ![]() |
| Student Information System (PeopleSoft) | Restricted | ![]() | ![]() | ![]() | ![]() | ![]() |
| | Restricted | ![]() | ![]() | ![]() | ![]() | ![]() |
| Videoconferencing (Zoom) | Private | ![]() | ![]() | ![]() | ![]() | ![]() |
| Videoconferencing Sensitive/HIPAA (Zoom) | Restricted | ![]() | ![]() | ![]() | ![]() | ![]() |