Data Classification Matrix

The University of Pittsburgh takes seriously its commitment to protect the privacy of its students, alumni, faculty and staff, as well as to protect the confidentiality of information important to the University's academic and research mission. For that reason, we classify our information assets into risk categories (high, moderate, low) for the purpose of determining who is allowed to access the information and what minimum security precautions must be taken to protect it against unauthorized access.

Note: All systems that transmit, process, or store data classified as high risk should be assessed by the CSSD Security team. Please contact the Help Desk with any questions about appropriate protection of information.

Risk: High Risk, Moderate Risk, Low Risk

Description

High Risk:
Protection of the data is required by law/regulation, or
The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.

Moderate Risk:
The data is not generally available to the public, or
The loss of confidentiality, integrity, or availability of the data or system could have a mildly adverse impact on our mission, safety, finances, or reputation.

Low Risk:
The data is intended for public disclosure, or
The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on our mission, safety, finances, or reputation.

Data Examples

High Risk:
Social Security Number
Date of Birth
Driver's License/State ID Number
Bank/Financial Account Number
Credit/Debit Card Number
Visa/Passport Number
Electronic Protected Health Information (ePHI)
Export controlled information under U.S. laws
Donor contact information and non-public gift information

Moderate Risk:
Student records and admission applications
Faculty/staff employment applications, personnel files, benefits, salary, personal contact information
Non-public policies, manuals, and contracts
Internal memos and email, non-public reports, budgets, plans, financial info
University and employee ID numbers
Engineering, design, and operational information regarding infrastructure

Low Risk:
Directory Information
Policy and procedure manuals designated by the owner as public
Job postings
Information in the public domain

Human Subject Research Data Examples

Identifiable sensitive human subject data*

Identifiable non-sensitive human subject data*

De-identified sensitive human subject data*

Anonymous human subject data

De-identified non-sensitive human subject data*

Storage, Transmission, and Collaboration

High Risk:
Storage of high risk data is prohibited on computing equipment unless registered with and approved by CSSD.
Encryption in transit and at rest is required.
Legal, ethical, or other constraints prevent access without specific authorization.

Moderate Risk:
Medium risk data may be stored on departmental, CSSD hosted, or approved cloud-based systems.
Encryption in transit is required.
May be accessed by Pitt affiliates and non-employees with appropriate authorization.

Low Risk:
Low risk data may be stored on departmental, CSSD hosted, or approved cloud-based systems.
Encryption in transit is not required, but is recommended.
No specific access restrictions.

*Sensitive human subject research data is defined as any data whose disclosure of the human subjects' responses outside the research could reasonably place the subjects at risk of criminal or civil liability or be damaging to the subjects' financial standing, employability, or reputation.
