About Adverse Impact

Equally important to classification, sensitive university information is also evaluated for the potential adverse impact to CU if the information has a loss of confidentiality, integrity, or availability. The impact levels are high, moderate, and low. The Adverse Impact Table below provides descriptions for each level.

The university considers the following when determining the adverse impact level:

Financial costs, direct or indirect
Reputational damage
Safety of community members
Legal or regulatory compliance action

Adverse Impact Table

Level	Description	Financial	Reputation	Safety	Legal
High	The potential impact is high if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect might result in: Severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions Major damage to organizational assets Major financial loss Severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries	Direct or indirect monetary costs to the university to which liability must be transferred to an organization that is external to the campus, as the university is unable to incur the assessed high end of the cost for the risk	Negative press coverage and/or major political pressure on university reputation on a national or international scale	Places campus community members at imminent risk for injury	Significant legal and/or regulatory compliance action against the university or business
Moderate	The potential impact is moderate if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect might result in: Significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced Significant remediation cost to the university	Direct or indirect monetary costs to which liability is transferred to the campus as the business unit/school is unable pay the assessed high end cost for the risk	Negative press coverage and/or minor political pressure on university reputation on a local scale	Noticeably increases likelihood of injury to community members	Comparatively lower but not insignificant legal and/or regulatory compliance action against the university or business
Low	The potential impact is low if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect might result in: Degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced Minor damage to organizational assets Minor financial loss Minor harm to individuals	Direct or indirect monetary costs to the university to which business unit/school can solely pay the assessed high end of the cost for the risk	Nominal impact and/or negligible political pressure on university reputation on a local scale	Nominal impact on safety of campus community members	No or insignificant legal and/or regulatory compliance action against the university or business

Level

Description

Financial

Reputation

Safety

Legal

High

The potential impact is high if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

A severe or catastrophic adverse effect might result in:

Severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions
Major damage to organizational assets
Major financial loss
Severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries

Direct or indirect monetary costs to the university to which liability must be transferred to an organization that is external to the campus, as the university is unable to incur the assessed high end of the cost for the risk

Negative press coverage and/or major political pressure on university reputation on a national or international scale

Places campus community members at imminent risk for injury

Significant legal and/or regulatory compliance action against the university or business

Moderate

The potential impact is moderate if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

A serious adverse effect might result in:

Significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced
Significant remediation cost to the university

Direct or indirect monetary costs to which liability is transferred to the campus as the business unit/school is unable pay the assessed high end cost for the risk

Negative press coverage and/or minor political pressure on university reputation on a local scale

Noticeably increases likelihood of injury to community members

Comparatively lower but not insignificant legal and/or regulatory compliance action against the university or business

Low

The potential impact is low if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

A limited adverse effect might result in:

Degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced
Minor damage to organizational assets
Minor financial loss
Minor harm to individuals

Direct or indirect monetary costs to the university to which business unit/school can solely pay the assessed high end of the cost for the risk

Nominal impact and/or negligible political pressure on university reputation on a local scale

Nominal impact on safety of campus community members

No or insignificant legal and/or regulatory compliance action against the university or business

NOTE: The descriptions are provided only as guides and should not be considered without the context of the broader environment. While making the impact determinations, it is important to realize that the value of an information type may change during its life cycle. So, information subtypes may include the relevant statements. For example, consider the case of contracts as an information type. The sub types could be Contracts-initial discussion, Contracts-finalized, Contracts-terminated and all these subtypes may have different impact levels for the security categories.

THE UNIVERSITY OF COLORADO SYSTEM

Popular Searches

CU System Departments

About Adverse Impact

Office of Information Security