Brown has classified its information assets into one of four risk-based categories (None, Level 1, Level 2, or Level 3) for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access. It is the data and service owner’s responsibility to ensure appropriate security measures are taken depending on the risk classification.
If you have any questions or need help, please reach out to the Information Security Group (isg@brown.edu).
Level 1
Data and systems are classified as Level 1 if they are not considered to be Level 2 or 3, and:
The data is intended for public disclosure, or
The loss of confidentiality, integrity, or availability of the data or system has:
No impact on Brown’s mission and at most a minimal risk to reputation,
No impact on Brown’s finances,
No risk to the security of other systems protecting data,
No risk to life safety.
Level 2
Data and systems are classified as Level 2 if they are not considered to be Level 3, and:
The data is not generally available to the public, or
The loss of confidentiality, integrity, or availability of the data or system has:
No impact on Brown’s mission and potentially a moderate risk to reputation,
At most a mild impact on Brown’s finances,
At most a mild risk to the security of other systems protecting data,
No risk to life safety.
Level 3
Data and systems are classified as Level 3 if:
Protection of the data is required by law/regulation, or
Brown is required to self-report to the government and/or provide notice if the data is inappropriately accessed, or
The loss of confidentiality, integrity, or availability of the data or system has:
A potential impact on Brown’s mission or significant risk to reputation,
A potential significant impact on Brown’s finances,
A potential significant risk to the security of other systems protecting data,
A potential risk to life safety.
None
Applications are classified as None if they do not inherently store data and:
The underlying data is stored on a Brown endpoint or server, and
The application requires human interaction and cannot run autonomously, and
Security is managed by the endpoint or server, which must implement the minimum security standards appropriate for the Level of data being protected.
Data Risk Classification Examples
Use the examples below to guide the determination of which risk classification is appropriate for a particular type of data. When mixed data falls into multiple risk categories, use the highest risk classification across all.
Personally Identifiable Information (PII) collected for research, where the information has the potential to cause significant damage to an individual's reputation, employability, financial standing, or educational advancement, or to place them at risk of criminal or civil liability.
International Traffic in Arms Regulations (ITAR) controlled technical data
Government Furnished Information (GFI)
Covered Defense Information (CDI)
Controlled Unclassified Information (CUI)
Student data protected under FERPA
Data regulated under Payment Card Industry Data Security Standards (PCI DSS)
Any combination of information likely to result in identity theft, including, but not limited to:
Social Security Number
Driver's license number
Passport or visa number
Mother’s maiden name
Date of Birth
Financial account identifiers (e.g., external bank or investment account numbers)
Donor contact information and non-public gift information
Lab monitoring equipment which, if it were to fail, would pose a potential risk to life
Desktop software, e.g. Microsoft Word, FileZilla, web browsers
Desktop, Laptop, Mobile and Other Endpoint Devices Risk Classification and Standards
An endpoint is any device, not classified as a server, regardless of ownership, that has been used to store, access, or transmit Brown data. These devices are most often directly accessed by users and include, but are not limited to, desktops, laptops, mobile phones, and tablets, whether purchased by Brown or personally.
The risk classification of an endpoint is determined by assessing the most sensitive data either stored on or transmitted by that endpoint; the endpoint takes the highest classification of any data it handles. If only Level 1 data is stored or transmitted by an endpoint, then it is classified as Level 1. If both Level 2 and Level 3 data are stored or transmitted by an endpoint, then it is classified as Level 3. Based on their risk classification, endpoints are subject to the Minimum Security Standards for Desktop, Laptop, Mobile and Other Endpoint Devices.
Server Risk Classification and Standards
A server is a computer program or device that provides dedicated functionality to clients. They are normally managed by professional information technology (IT) practitioners. In most cases, clients are Endpoints, but may be other servers.
The risk classification of a server is determined by assessing the most sensitive data either stored on or transmitted by that server; the server takes the highest classification of any data it handles. If only Level 1 data is stored or transmitted by a server, then the server is classified as Level 1. If both Level 2 and Level 3 data are stored or transmitted by a server, then the server is classified as Level 3. Based on their risk classification, servers are subject to the Minimum Security Standards for Servers.