Low vs Moderate vs High Risk Data
Low Risk
Data and systems are classified as Low Risk if they are not considered to be Moderate or High Risk, and:
- The data is intended for public disclosure, or
- The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on our mission, safety, finances, or reputation.
Moderate Risk
Data and systems are classified as Moderate Risk if:
- The data is not generally available to the public, or
- The loss of confidentiality, integrity, or availability of the data or system could have a mildly adverse impact on our mission, safety, finances, or reputation.
High Risk
Data and systems are classified as High Risk if:
- Protection of the data is required by law/regulation,
- CSUB is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed, or
- The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.
Levels of Data Classification
Level I: Confidential information (High risk)
The following are considered Level I confidential information based on the significance of this information for the prevention of identity theft. Furthermore, under the California Security Breach Information Act (SB 1386), any breach of the following information belonging to any California resident, where that information is unencrypted, must be reported as the Act requires. SB 1386 defines a breach as "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information."
- Social Security Number paired with last and first name or first initial
- Driver's license number or California identification card number paired with last and first name or first initial
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
- Medical Information
- Health insurance information
- A username or email address in combination with a password or security question and answer that would permit access to an online account
- Information or data collected through the use or operation of an automated license plate recognition system
Level II: Internal Use (Moderate risk)
The following Level II information should be guarded against access by unauthorized persons. This information is considered personal information and is regulated by various federal laws as well as CSU policy. Though this information does not require notification of breach, certain fines may apply if this information is mishandled. The guiding laws and policies for Level II information include FERPA, HIPAA, the Information Practices Act of 1977, the California Public Records Act, and CSU policy HR 2003-05. All faculty and staff given access to the following information must complete and sign the CSUB Confidentiality Access and Compliance form. Student assistants given access to the following information must complete and sign the Confidentiality Agreement.
Students:
- Any information in students' educational records that is not listed as non-confidential information.
Faculty and Staff:
- Ethnicity
- Gender
- Home Address
- Physical Description
- Home Telephone Number
- Medical History
- Performance Evaluations
Level III: Public Use (Low Risk)
The following information is considered "directory" information and may be disclosed without consent under FERPA guidelines. However, FERPA recommends a procedure for students to opt out of disclosing this information. Moreover, the University chooses to exceed FERPA's recommendation of confidentiality for student data.
Students
- Name
- Email Address
The following information is considered "directory" information and may be disclosed notwithstanding any future regulatory restrictions. However, no directory information shall be distributed, sold, or transferred in any fashion for the commercial purposes of the University, an employee of the University, or any other entity.
Faculty and Staff
- Name
- Office Address
- Office Phone Number
- Title / Position Name
- Department Name
- Honors and Awards
- Email Address
Electronic Media & Portable Devices
CSUB Information Security Policy
Date in Effect: November 2009
Policy Title: Electronic Media & Portable Devices
Reference(s): CSU Information Security Policy, 11.3 - Mobile Devices & CSU System-Wide Information Security Standards, 12.4 - Data Storage
Electronic media such as CDs, DVDs, flash drives, etc. shall not be used for the storage or transport of Level 1 confidential data, as defined by the CSUB Information Security Policy, unless the data are encrypted or biometric security is employed at the device level.
Portable devices such as laptops, PDAs, cell phones, etc. shall not be used for the storage or transport of Level 1 confidential data unless the data are encrypted. The University Information Security Officer may, on a case-by-case basis, approve an alternative to encryption of data as a means to protect information assets. Such approval shall be made in writing.
Data Risk Classification Examples
Low Risk
- Research data (at data owner's discretion)
- CSUB Net IDs
- Information authorized to be available on or through CSUB's website without CSUB Net ID authentication
- Policy and procedure manuals designated by the owner as public
- Job postings
- University contact information not designated by the individual as "private" in MyCSUB
- Information in the public domain
- Publicly available campus maps
Moderate Risk
- Unpublished research data (at data owner's discretion)
- Student records and admission applications
- Faculty/staff employment applications, personnel files, benefits, salary, birth date, personal contact information
- Non-public CSUB policies and policy manuals
- Non-public contracts
- CSUB internal memos and email, non-public reports, budgets, plans, financial info
- University and employee ID numbers
- Project/Task/Award (PTA) numbers
- Engineering, design, and operational information regarding CSUB infrastructure
High Risk
- Health Information, including Protected Health Information (PHI)
- Health Insurance policy ID numbers
- Social Security Numbers
- Credit card numbers
- Financial account numbers
- Export controlled information
- Driver's license numbers
- Passport and visa numbers
- Donor contact information and non-public gift information
Server Risk Classification Examples
Low Risk
- Servers used for research computing purposes without involving Moderate or High Risk Data
- File server used to store published public data
- Database server containing CSUB Net IDs only
Moderate Risk
- Servers handling Moderate Risk Data
- Database of non-public University contracts
- File server containing non-public procedures/documentation
- Server storing student records
High Risk
- Servers handling High Risk Data
- Servers managing access to High Risk systems
- University IT and departmental email systems
- Core campus infrastructure
Application Risk Classification Examples
Low Risk
- Applications handling Low Risk Data
- Online maps
- University online catalog displaying academic course descriptions
- Bus schedules
Moderate Risk
- Applications handling Moderate Risk Data
- Human Resources application that stores salary information
- Directory containing phone numbers, email addresses, and titles
- University application that distributes information in the event of a campus emergency
- Online application for student admissions
High Risk
- Applications handling High Risk Data
- Human Resources application that stores employee SSNs
- Application that stores campus network node information
- Application collecting personal information of donor, alumnus, or other individual
- Application that processes credit card payments
Office of Information Security
InformationSecurity@csub.edu
(661) 654-3425
Doug Cornell
Information Security Officer
dcornell@csub.edu
(661) 654-3474
Office: LIB ITV2C