Risk Classifications

Brown has classified its information assets into risk-based categories for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access. It is the data and service owner’s responsibility to ensure appropriate security measures are taken depending on the risk classification. If you have any questions or need help, please reach out to the Information Security Group (isg@brown.edu).

Level I Risk

Data and systems are classified as Level I Risk if they are not considered to be Level II or III, and:

  • The data is intended for public disclosure, or
  • The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on our mission, safety, finances, or reputation.

Level II Risk

Data and systems are classified as Level II Risk if they are not considered to be Level III, and:

  • The data is not generally available to the public, or
  • The loss of confidentiality, integrity, or availability of the data or system could have a mildly adverse impact on our mission, safety, finances, or reputation.

Level III Risk

Data and systems are classified as Level III Risk if:

  • Protection of the data is required by law/regulation, or
  • Brown is required to self-report to the government and/or provide notice to individuals if the data is inappropriately accessed, or
  • The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation, or
  • The data or system poses a potential risk to life.

Risk Classification Examples

Use the examples below to guide the determination of which risk classification is appropriate for a particular type of data. When a data set or system contains data from more than one category, classify the whole at the highest risk level present in it.

Level I Risk

  • Research data (at data owner's discretion)
  • Brown email address
  • Information authorized to be available on or through Brown’s website without Shibboleth authentication
  • Policy and procedure manuals designated by the owner as public
  • Job postings
  • University contact information not designated by the individual as "private" in the online Directory
  • Information in the public domain
  • Publicly available campus maps

Level II Risk

  • Brown username
  • Unpublished research data (at data owner's discretion)
  • Student data classified under FERPA as directory information
  • Faculty/staff employment applications, personnel files, benefits, salary, birth date, personal contact information
  • Export Administration Regulations (EAR) controlled technical data subject to a Brown-issued control plan
  • Nonpublic Brown policies and policy manuals
  • Nonpublic contracts
  • Brown internal memos and email, nonpublic reports, budgets, plans, financial info
  • University and employee ID numbers
  • Project/Task/Award numbers
  • Engineering, design, and operational information regarding Brown’s infrastructure

Level III Risk

  • Health Information, including Protected Health Information (PHI)
  • Health Insurance policy ID numbers
  • Social Security Numbers
  • Credit card numbers
  • Financial account numbers
  • International Traffic in Arms Regulations (ITAR) controlled technical data
  • Government Furnished Information (GFI)
  • Covered Defense Information (CDI)
  • Controlled Unclassified Information (CUI)
  • Student data protected under FERPA, classified as non-directory information
  • Driver's license numbers
  • Passport and visa numbers
  • Donor contact information and nonpublic gift information
  • Lab monitoring equipment which, if it were to fail, would pose a potential risk to life

Questions or comments to: ITPolicy@brown.edu

Effective Date: November, 2017
Next Scheduled Review: November, 2018