Data Risk Classification and Compliance | Information Technology | University of Pittsburgh
!

Search form

You are here

Home ยป Security

Data Risk Classification and Compliance

Data Risk Classification

The University of Pittsburgh takes seriously its commitment to protecting the privacy of its students, alumni, faculty, and staff and protecting the confidentiality, integrity, and availability of information essential to the University's academic and research mission. For that reason, we classify our information assets into risk categories to determine who may access the information and what minimum security precautions must be taken to protect it against unauthorized access.

Note: The Pitt IT Security team must assess all systems that transmit, process, or store data classified as Restricted. Please contact the 24/7 IT Help Desk with questions about the appropriate protection of information.

Risk

Restricted Data
High Risk

Private Data
Moderate Risk

Public Data
Low Risk

Description

Protection of the data is required by law/regulation.

The loss of confidentiality, integrity, or availability of the data or system could have a severe adverse impact on our mission, safety, finances, or reputation.

The data is not generally available to the public.

The loss of confidentiality, integrity, or availability of the data or system could have an adverse impact on our mission, safety, finances, or reputation.

The data is intended for public disclosure.

The loss of confidentiality, integrity, or availability of the data or system would have little to no adverse impact on our mission, safety, finances, or reputation.

Data Examples

Social Security Number
Date of Birth
Driver's License/State ID number
Bank/Financial account number
Credit/Debit card number
Visa/Passport number
Electronic Protected Health Information (ePHI)
Export controlled information under U.S. laws
Donor contact information and non-public gift information 
Mental health counseling information
Other information protected by contractual agreements
High risk University Intellectual property

Student records and admission applications
Employment applications, personnel files, benefits, salary, personal contact information
Non-public policies, manuals, and contracts
Internal correspondence, non-public reports, budgets, plans, financial info
University and employee ID numbers
Engineering, design, and operational information regarding infrastructure
Moderate risk University Intellectual property

Directory information
Policy and procedure manuals designated by the owner as public
Job postings
Information in the public domain 
Low risk University Intellectual property

Human Subject Research Data Examples*

Identifiable sensitive human subject data

Identifiable non-sensitive human subject data
De-identified sensitive human subject data

Anonymous human subject data
De-identified non-sensitive human subject data

Storage, Transmission, and Collaboration

Storage is prohibited on computing equipment unless registered with and approved by Pitt IT. 
Encryption in transit and at rest is required.
Legal, ethical, or other constraints prevent access without specific authorization.

Data may be stored on departmental, Pitt IT hosted or approved cloud-based systems. 
Encryption in transit is required.
May be accessed by Pitt affiliates and non-employees with authorization.

Data may be stored on departmental, Pitt IT hosted or approved cloud-based systems. 
Encryption in transit is not required but is recommended.
No specific access restrictions.

*Human Subject Research Data is considered sensitive when the disclosure of information could have adverse consequences for subjects or others, place them at risk for criminal or civil liability, or damage their financial standing, employability, insurability, or reputation.

 

Data Classification Compliance

Protecting sensitive data is a shared responsibility. Pitt IT provides guidance and resources to store data securely.  You are responsible for ensuring that your use of permitted services complies with laws, regulations, and policies where applicable. Please contact the 24/7 IT Help Desk with questions about the appropriate protection of information.

Key
Data type is permitted Data type is permitted.  Please follow the Security Guide where available.
Security consultation required Data type is generally permitted.  Contact Pitt IT for a security consultation before use.
Data type is not permitted Data type is not permitted due to regulatory compliance or high risk.
Data Classification Levels
Restricted High risk, sensitive data – Disclosure may cause severe harm
Private Moderate risk, confidential data – Disclosure may cause harm
Public Low risk internal or public data – Disclosure poses little to no harm

 

Service

Security Guide

 

 Maximum Acceptable Data Class

REGULATED DATA

FERPA

Non-Directory Student Records

GLBA

Student Financial Information

HIPAA

Protected Health Information

NIST

800-171

Controlled Unclassified Information

PCI DSS

Payment Card Information
Enterprise Cloud Computing
Amazon Web Services, 
Google Cloud Platform,
Microsoft Azure		 Restricted Data type is permitted Security consultation required Security consultation required Data type is not permitted Data type is not permitted

Cloud Storage
OneDrive/SharePoint

 Restricted Data type is permitted Security consultation required Data type is permitted Data type is not permitted Data type is not permitted
Cloud Storage
G Suite/Google Drive 		Public Security consultation required Security consultation required Data type is not permitted Data type is not permitted Data type is not permitted
Document Management
Perceptive Content/ImageNow		 Restricted Data type is permitted Security consultation required Data type is not permitted Data type is not permitted Data type is not permitted
Electronic Research Notebooks
LabArchives		 Restricted Data type is permitted Data type is not permitted Security consultation required Data type is not permitted Data type is not permitted
Email Public Data type is not permitted Data type is not permitted Data type is not permitted Data type is not permitted Data type is not permitted
Email – Encrypted Restricted Data type is permitted Data type is permitted Data type is permitted Security consultation required Data type is not permitted
Enterprise Storage (Isilon / PowerScale) – Non-restricted Access Zone Private Data type is permitted Data type is not permitted Data type is not permitted Data type is not permitted Data type is not permitted
Enterprise Storage (Isilon / PowerScale) – Restricted Access Zone Restricted Data type is permitted Data type is permitted Data type is permitted Security consultation required Data type is not permitted
eSignature Service (DocuSign)  Restricted Data type is permitted Data type is permitted Data type is permitted Data type is not permitted Data type is not permitted
Learning Management System 
Canvas		 Private Data type is permitted Data type is not permitted Data type is not permitted Data type is not permitted Data type is not permitted
Lecture Capture (Panopto)  Private Data type is permitted Data type is not permitted Data type is not permitted Data type is not permitted Data type is not permitted

Online Survey System (Qualtrics) 

 Restricted Data type is permitted Security consultation required Data type is permitted Data type is not permitted Data type is not permitted
Student Information System (PeopleSoft) Restricted Data type is permitted Data type is permitted Data type is not permitted Data type is not permitted Data type is not permitted

Videoconferencing 
Teams

 Restricted Data type is permitted Data type is permitted Data type is permitted Data type is not permitted Data type is not permitted
Videoconferencing 
Zoom 		Private Data type is permitted Data type is not permitted Data type is not permitted Data type is not permitted Data type is not permitted
Videoconferencing
Sensitive/HIPAA Zoom		 Restricted Data type is permitted Data type is permitted Data type is permitted Data type is not permitted Data type is not permitted