Office of Information Technology
Effective Date November 1, 2017
All OIT Policies

Data Risk Classifications

Policies

Brown has classified its information assets into one of four risk-based categories (None, Level 1, Level 2, or Level 3) for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access. It is the data and service owner’s responsibility to ensure appropriate security measures are taken depending on the risk classification.

If you have any questions or need help, please reach out to the Information Security Group (isg@brown.edu).

Level 1 Data and systems are classified as Level 1 if they are not considered to be Level 2 or 3, and:
  • The data is intended for public disclosure, or
  • The loss of confidentiality, integrity, or availability of the data or system has:
    • No impact on Brown’s mission and at most a minimal risk to reputation,
    • No impact on Brown’s finances,
    • No risk to the security of other systems protecting data,
    • No risk to life safety.
Level 2 Data and systems are classified as Level 2 if they are not considered to be Level 3, and:
  • The data is not generally available to the public, or
  • The loss of confidentiality, integrity, or availability of the data or system has:
    • No impact on Brown’s mission and potentially a moderate risk to reputation,
    • At most a mild impact on Brown’s finances,
    • At most a mild risk to the security of other systems protecting data,
    • No risk to life safety.
Level 3 Data and systems are classified as Level 3 if:
  • Protection of the data is required by law/regulation, or
  • Brown is required to self-report to the government and/or provide notice if the data is inappropriately accessed, or
  • The loss of confidentiality, integrity, or availability of the data or system has:
    • A potential impact on Brown’s mission or significant risk to reputation,
    • A potential significant impact on Brown’s finances,
    • A potential significant risk to the security of other systems protection data,
    • A potential risk to life safety.
None Applications are classified as None if they do not inherently store data and:
  • The underlying data is stored on a Brown endpoint or server, and
  • The application requires human interaction, can not run autonomously, and
  • Security is managed by the endpoint or server, which must implement the minimum security standards appropriate for the Level of data being protected.

Data Risk Classification Examples

Use the examples below to guide the determination of which risk classification is appropriate for a particular type of data. When mixed data falls into multiple risk categories, use the highest risk classification across all.

  • De-identified research data NOT sourced from Protected Health Information (PHI)
  • Anonymous research data
  • Brown email address
  • Brown mailing address
  • Workday ID
  • Banner ID
  • Student data classified under FERPA as directory information
  • Information authorized to be available on or through a Brown website without authentication
  • Policy and procedure manuals designated by the owner as public
  • Job postings
  • University contact information not designated by the individual as "private" in the online Directory
  • Information that is publicly known or generally available
  • Publicly available campus maps
  • IP addresses
  • De-identified research data sourced from Protected Health Information (PHI)
  • Limited Dataset
  • Personally Identifiable Information (PII) collected for research
  • Brown username
  • Brown ID
  • Course Membership
  • Faculty/staff employment applications, personnel files, benefits, salary, personal contact information
  • Export Administration Regulations (EAR) controlled technical data subject to a Brown-issued control plan
  • Non-public Brown policies and policy manuals
  • Non-public contracts
  • Brown internal memos and email, non-public reports, budgets, plans, financial info
  • University and employee ID numbers
  • Project/Task/Award numbers
  • Engineering, design, and operational information regarding Brown’s infrastructure
  • Identifiable Protected Health Information (PHI)
  • Personally Identifiable Information (PII) collected for research that meets the following criteria: Information that has the potential to cause significant damage to an individual’s reputation, employability, financial standing, educational advancement, or place them at risk for criminal or civil liability.
  • International Traffic in Arms Regulations (ITAR) controlled technical data
  • Government Furnished Information (GFI)
  • Covered Defense Information (CDI)
  • Controlled Unclassified Information (CUI)
  • Student data protected under FERPA
  • Data regulated under Payment Card Industry Data Security Standards (PCI DSS)
  • Any combination of information likely to result in identity theft, including, but not limited to:
    • Social Security Number
    • Driver's license number
    • Passport or visa number
    • Mother’s maiden name
    • Date of Birth
  • Financial account identifiers (e.g., external bank or investment account numbers)
  • Donor contact information and non-public gift information
  • Lab monitoring equipment which, if it were to fail, would pose a potential risk to life
  • Desktop software, i.e. Microsoft Word, FileZilla, web browsers
  • Software for operating scientific equipment

Note: Protected Health Information (PHI) is health-related data containing any HIPAA identifiers (see identifiers under "Safe Harbor" section). 

Desktop, Laptop, Mobile and Other Endpoint Devices Risk Classification and Standards

An endpoint is any device, not classified as a server, regardless of ownership, that has been used to store, access, or transmit Brown data. These devices are most often directly accessed by users and include, but are not limited to desktops, laptops, mobile phones, and tablets, whether purchased by Brown or personally.

The risk classification of endpoints is determined by accessing the most sensitive data either stored or transmitted by an endpoint. If only Level 1 data is stored or transmitted by an endpoint, then it is classified as Level 1. If both Level 2 and Level 3 data is stored or transmitted by an endpoint, then it is classified as Level 3. Based on the risk classification of the endpoints, they are subject to the Minimum Security Standards for Desktop, Laptop, Mobile and Other Endpoint Devices 🔒.

Server Risk Classification and Standards

A server is a computer program or device that provides dedicated functionality to clients. They are normally managed by professional information technology (IT) practitioners. In most cases, clients are Endpoints, but may be other servers.

The risk classification of a server is determined by accessing the most sensitive data either stored or transmitted by a server. If only Level 1 data is stored or transmitted by a server, then the server is classified as Level 1. If both Level 2 and Level 3 data is stored or transmitted by a server, then the server is classified as Level 3. Based on the risk classification of the server, they are subject to Minimum Security Standards for Servers 🔒.

Questions or comments to: ITPolicy@brown.edu

Last Revision Date: March 25, 2022