Data Risk Classification Policy Appendices


FIPS 199 Security Categorization Definitions

The table below gives, for each security objective, its statutory definition and the FIPS 199 potential impact levels (Low, Medium, High).

Security Objective: Confidentiality
Definition: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542]
Low: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
Medium: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
High: The unauthorized disclosure of information could be expected to have a catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Security Objective: Integrity
Definition: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. [44 U.S.C., SEC. 3542]
Low: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
Medium: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
High: The unauthorized modification or destruction of information could be expected to have a catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Security Objective: Availability
Definition: Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]
Low: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
Medium: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
High: The disruption of access to or use of information or an information system could be expected to have a catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Security Standard Crosswalks

Crosswalk of CUI security requirements (NIST SP 800-171) to the relevant NIST SP 800-53 and ISO/IEC 27001 security controls:

3.11 RISK ASSESSMENT

Basic Security Controls

3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.
  NIST SP 800-53: RA-3 Risk Assessment
  ISO/IEC 27001: A.12.6.1 Management of technical vulnerabilities

Derived Security Controls

3.11.2 Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified.
  NIST SP 800-53: RA-5 Vulnerability Scanning; RA-5(5) Vulnerability Scanning - Privileged Access
  ISO/IEC 27001: A.12.6.1 Management of technical vulnerabilities (for RA-5); no direct mapping (for RA-5(5))

3.11.3 Remediate vulnerabilities in accordance with assessments of risk.
  NIST SP 800-53: RA-5 Vulnerability Scanning
  ISO/IEC 27001: A.12.6.1 Management of technical vulnerabilities

Source: National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, Table D-11: Mapping Risk Assessment Requirements to Security Controls

NIST Special Publication 800-53 (Rev. 4)  
Security Controls and Assessment Procedures for Federal Information Systems and Organizations

Family: RA-3 Risk Assessment
Priority: P1 - Implement P1 security controls first
Baseline Allocation
Low: RA-3
Moderate: RA-3
High: RA-3

HIPAA Security Rule Crosswalk to NIST Cybersecurity

Category: Asset Management (ID.AM)

The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.

Subcategory: ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value

Relevant Control Mappings

  • COBIT 5 APO03.03, APO03.04, BAI09.02
  • ISA 62443-2-1:2009 4.2.3.6
  • ISO/IEC 27001:2013 A.8.2.1
  • NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14
  • HIPAA Security Rule 45 C.F.R. § 164.308(a)(7)(ii)(E)

Data Risk Classification Examples

Risk Classifications

The University has classified its information assets into risk-based categories for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access.

Low Risk

  • Data and systems are classified as Low Risk if they are not considered to be Moderate or High Risk, and:
    • The data is intended for public disclosure, or
    • The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on our mission, safety, finances, or reputation.

Moderate Risk

  • Data and systems are classified as Moderate Risk if they are not considered to be High Risk, and:
    • The data is not generally available to the public, or
    • The loss of confidentiality, integrity, or availability of the data or system could have a mildly adverse impact on our mission, safety, finances, or reputation.

High Risk

  • Data and systems are classified as High Risk if:
    • Protection of the data is required by law/regulation,
    • The University is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed, or
    • The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.

Data Risk Classification Examples

Use the examples below to determine which risk classification is appropriate for a particular type of data. When mixed data falls into multiple risk categories, use the highest risk classification across all.

Low Risk

  • Research data (at data owner's discretion)
  • SUNet IDs
  • Information authorized to be available on or through University's website without SUNet ID authentication
  • Policy and procedure manuals designated by the owner as public
  • Job postings
  • University contact information not designated by the individual as "private" in University
  • Information in the public domain
  • Publicly available campus maps

Moderate Risk

  • Unpublished research data (at data owner's discretion)
  • Student records and admission applications
  • Faculty/staff employment applications, personnel files, benefits, salary, birth date, personal contact information
  • Non-public University policies and policy manuals
  • Non-public contracts
  • University internal memos and email, non-public reports, budgets, plans, financial info
  • University and employee ID numbers
  • Project/Task/Award (PTA) numbers
  • Engineering, design, and operational information regarding University infrastructure

High Risk

  • Health Information, including Protected Health Information (PHI)
  • Health Insurance policy ID numbers
  • Social Security Numbers
  • Credit card numbers
  • Financial account numbers
  • Export controlled information under U.S. laws
  • Driver's license numbers
  • Passport and visa numbers
  • Donor contact information and non-public gift information

Server Risk Classification

A server is defined as a host that provides a network accessible service.

Low Risk

  • Servers used for research computing purposes without involving Moderate or High Risk Data
  • File server used to store published public data
  • Database server containing SUNet IDs only

Moderate Risk

  • Servers handling Moderate Risk Data
  • Database of non-public University contracts
  • File server containing non-public procedures/documentation
  • Server storing student records

High Risk

  • Servers handling High Risk Data
  • Servers managing access to other systems
  • University IT and departmental email systems
  • Active Directory
  • DNS

Application Risk Classification

An application is defined as software running on a server that is network accessible.

Low Risk

  • Applications handling Low Risk Data
  • Online maps
  • University online catalog displaying academic course descriptions
  • Bus schedules

Moderate Risk

  • Applications handling Moderate Risk Data
  • Human Resources application that stores salary information
  • Directory containing phone numbers, email addresses, and titles
  • University application that distributes information in the event of a campus emergency
  • Online application for student admissions

High Risk

  • Applications handling High Risk Data
  • Human Resources application that stores employee SSNs
  • Application that stores campus network node information
  • Application collecting personal information of donor, alumnus, or other individual
  • Application that processes credit card payments
