Data and systems are classified as Level 1 if they are not considered to be Level 2 or 3, and:

• The data is intended for public disclosure, or
• The loss of confidentiality, integrity, or availability of the data or system has:
  • No impact on Brown’s mission and at most a minimal risk to reputation,
  • No impact on Brown’s finances,
  • No risk to the security of other systems protecting data,
  • No risk to life safety.

Data and systems are classified as Level 2 if they are not considered to be Level 3, and:

• The data is not generally available to the public, or
• The loss of confidentiality, integrity, or availability of the data or system has:
  • No impact on Brown’s mission and potentially a moderate risk to reputation,
  • At most a mild impact on Brown’s finances,
  • At most a mild risk to the security of other systems protecting data,
  • No risk to life safety.

Data and systems are classified as Level 3 if:

• Protection of the data is required by law/regulation, or
• Brown is required to self-report to the government and/or provide notice if the data is inappropriately accessed, or
• The loss of confidentiality, integrity, or availability of the data or system has:
  • A potential impact on Brown’s mission or significant risk to reputation,
  • A potential significant impact on Brown’s finances,
  • A potential significant risk to the security of other systems protection data,
  • A potential risk to life safety.

• De-identified research data NOT sourced from Protected Health Information (PHI)
• Anonymous research data
• Brown email address
• Brown mailing address
• Workday ID
• Student data classified under FERPA as directory information
• Information authorized to be available on or through a Brown website without authentication
• Policy and procedure manuals designated by the owner as public
• Job postings
• University contact information not designated by the individual as "private" in the online Directory
• Information that is publicly known or generally available
• Publicly available campus maps
• IP addresses

• De-identified research data sourced from Protected Health Information (PHI)
• Limited Dataset
• Personally Identifiable Information (PII) collected for research
• Brown username
• Brown ID
• Course Membership
• Faculty/staff employment applications, personnel files, benefits, salary, personal contact information
• Export Administration Regulations (EAR) controlled technical data subject to a Brown-issued control plan
• Non-public Brown policies and policy manuals
• Non-public contracts
• Brown internal memos and email, non-public reports, budgets, plans, financial info
• University and employee ID numbers
• Project/Task/Award numbers
• Engineering, design, and operational information regarding Brown’s infrastructure

• Identifiable Protected Health Information (PHI)
• Personally Identifiable Information (PII) collected for research that meets the following criteria: Information that has the potential to cause significant damage to an individual’s reputation, employability, financial standing, educational advancement, or place them at risk for criminal or civil liability.
• Banner ID
• International Traffic in Arms Regulations (ITAR) controlled technical data
• Government Furnished Information (GFI)
• Covered Defense Information (CDI)
• Controlled Unclassified Information (CUI)
• Student data protected under FERPA
• Data regulated under Payment Card Industry Data Security Standards (PCI DSS)
• Any combination of information likely to result in identity theft, including, but not limited to:
  • Social Security Number
  • Driver's license number
  • Passport or visa number
  • Mother’s maiden name
  • Date of Birth
• Financial account identifiers (e.g., external bank or investment account numbers)
• Donor contact information and non-public gift information
• Lab monitoring equipment which, if it were to fail, would pose a potential risk to life