Data Classifications & Impact

Data Classifications

The initial baseline classification of data elements is shown below. The exact data elements in each category will be determined by the data owners and business process owners.

Highly Confidential Information:

This category includes data elements that require protection under laws, regulations, contracts or other legal agreements, and/or whose unauthorized disclosure requires the institution to notify affected individuals, government agencies or the media of a security incident.

This information is for the eyes of authorized individuals only, in any form, paper or electronic. It must not be (1) transmitted or stored without encryption, or (2) handled on networks or systems that lack appropriate firewall, monitoring, logging, patching, anti-malware and related security controls.

A documented data retention policy is required for handling Highly Confidential information.

Users should contact their IT Security office to confirm that the data remains protected whenever compensating controls are used in place of the controls listed above.

The following are examples of common data types in the Highly Confidential category:

  • Protected health information
  • Social security numbers
  • Payment card numbers
  • Financial account numbers: including university account numbers, student account numbers, and faculty and staff direct deposit account numbers
  • Driver's license numbers
  • Health insurance policy ID numbers
  • Level 4 and 5 of Student Data (SSN, NID, Financial Aid (except work study), loan and bank account numbers, health information, disability, race, ethnicity, citizenship, legal presence, visas, religion)

Confidential Information:

This category includes data elements that are not usually disclosed to the public but are less sensitive than Highly Confidential data. If a valid Colorado Open Records Act (CORA) request is submitted and the law requires it, these records may be released. This information is protected by (1) ensuring authenticated access on a need-to-know basis, (2) using only electronic media and services (email, file shares, etc.) provided or approved by the institution to transmit or store the data, and (3) storing it only on machines with current anti-virus software and security updates installed, residing on networks that have appropriate security controls in place (firewalls, monitoring, logging).

The following are examples of common data elements in the Confidential category:

  • Faculty and staff personnel records, benefits, salaries, and employment applications
  • Admission applications
  • University insurance records
  • Donor contact information and non-public gift amounts
  • Fundraising information
  • Non-public policies
  • Internal memos and email, and non-public reports
  • Purchase requisitions, cash records, budgetary plans
  • Non-public contracts
  • University and employee ID numbers
  • Level 2 and 3 of Student Data (Military status, veteran's status, GPA, probation, suspension, COF, service indicators, all non-directory data not listed, work study information, gender, birth date, dorm, emergency info, student ID, UUID, residency)

Public Information:

  • Any information on University websites to which the data owner allows access without authentication
  • Information made freely available through the institution's print material
  • Directory information

Impact

The impact levels are defined as high, moderate, and low.

High:

The potential impact is high if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (1) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (2) result in major damage to organizational assets; (3) result in major financial loss; or (4) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.

CU uses the following as guides for defining impact:

  • Financial – direct or indirect monetary costs to the institution where liability must be transferred to an organization external to the campus, because the institution is unable to bear the assessed high end of the cost for the risk; this would include, for example, use of an insurance carrier
  • Reputation – when the impact results in negative press coverage and/or major political pressure on institutional reputation on a national or international scale
  • Safety – when the impact places campus community members at imminent risk of injury
  • Legal – when the impact results in significant legal and/or regulatory compliance action against the institution or business.

Moderate:

The potential impact is moderate if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (1) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; or (2) result in significant remediation cost to the university.

CU uses the following as guides for defining impact:

  • Financial – direct or indirect monetary costs where liability is transferred to the campus because the business unit/school is unable to pay the assessed high end of the cost for the risk
  • Reputation – when the impact results in negative press coverage and/or minor political pressure on institutional reputation on a local scale
  • Safety – when the impact noticeably increases the likelihood of injury to community member(s)
  • Legal – when the impact results in comparatively lower, but not insignificant, legal and/or regulatory compliance action against the institution or business.

Low:

The potential impact is low if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (1) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (2) result in minor damage to organizational assets; (3) result in minor financial loss; or (4) result in minor harm to individuals. 

CU uses the following as guides for defining impact:

  • Financial – when the impact results in direct or indirect monetary costs to the institution that the business unit/school can pay on its own, up to the assessed high end of the cost for the risk
  • Reputation – when the impact on institutional reputation is nominal, with negligible political pressure, on a local scale
  • Safety – when the impact on the safety of campus community members is nominal
  • Legal – when the impact results in no or insignificant legal and/or regulatory compliance action against the institution or business.

The definitions are provided only as guides and should not be applied without the context of the broader environment. When making impact determinations, it is important to recognize that the value of an information type may change during its life cycle, so impact statements may need to be defined for information subtypes rather than for the type as a whole. For example, consider contracts as an information type. The subtypes could be Contracts-initial discussion, Contracts-finalized and Contracts-terminated, and each subtype may carry a different impact level for each of the security categories (confidentiality, integrity and availability).