Skip to main content
University of Nebraska System logo

Data Risk Classifications

The University of Nebraska is committed to protecting the privacy of its students, alumni, faculty and staff, as well as protecting the confidentiality, integrity and availability of information important to the University's mission. With the adoption of Executive Memorandum No. 42, Policy on Risk Classification and Minimum Security Standards, data classifications have been established and are now in effect for University of Nebraska data and systems. All data can be classified as one of the following: High Risk, Medium Risk, Low Risk, or Research.  This page is intended to be a summary or quick reference for those seeking guidance about Executive Memorandum No. 42 and storing and/or processing data.

High Risk Data

Institutional data that is highly confidential and covered by international, state, or federal privacy laws; data where the loss of confidentiality, integrity, or availability of the data or system could have a SEVERE adverse impact on our mission, safety, finances, or reputation; or is subject to international, federal, or state privacy or breach reporting laws. 

Data is considered high risk if:

  • The data is highly confidential, and protection of the data is required by law/regulation; or,
  • The University is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed; or,
  • The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.

Medium Risk Data

Institutional data is data requiring high levels of protection due to the following circumstances:

  • Protection of the data is required by law/regulation; or,
  • Data received or collected is subject to contractual confidentiality provisions; or,
  • The data carries a security classification established by an authorized agency of the federal government; or,
  • The loss of confidentiality, integrity, or availability of the data or system could have a negative impact on our mission, finances, or reputation.

Low Risk Data

Institutional data routinely used in conducting business not covered by international, state, or federal privacy and security laws. Generally, this is information that can be made available to the public without risk of harm to the University or any entities with an affiliation to the University.

Data and systems are classified as Low Risk if they are not considered to be Moderate or High Risk, and:

  • The data is intended for public disclosure; or
  • The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on our mission, safety, finances, or reputation.

Research Data

Institutional research data that is highly confidential and covered by international, state, or federal privacy laws. Data where the loss of confidentiality, integrity, or availability of the data or system could have a SEVERE adverse impact on our mission, safety, finances, or reputation, or is subject to international, federal, or state privacy or breach reporting laws. 

Data Risk Classification Examples

Use the examples below to determine which risk classification is appropriate for a particular type of institutional data. As always, you can reach out to the ITS Security Team for assistance with classifying institutional data. When mixed institutional data falls into multiple risk categories, use the highest risk classification across all.

High Risk Data

  • Health Information, including Protected Health Information (PHI) or HIPAA data
  • Social Security Numbers
  • International Tax ID Number
  • Dependent verification documents
  • Credit card numbers
  • Financial account numbers (bank accounts)
  • Export controlled information
  • Driver's license numbers
  • Passport and visa numbers
  • Donor contact information and non-public gift information

Medium Risk Data

  • Unpublished research data (at data owner's discretion)
  • Student records and admission applications
  • Faculty/staff employment applications, personnel files, benefits, salary, birth date, personal contact information
  • Non-public University policies and policy manuals
  • Non-public contracts
  • University internal memos and email, non-public reports, budgets, plans, financial info
  • University and employee ID numbers
  • Project/Task/Award (PTA) numbers
  • Engineering, design, and operational information regarding University of Nebraska infrastructure
  • Audit records or Event Logs

Low Risk Data

  • Research data (at data owner's discretion)
  • NUIDs
  • Information authorized to be available on or through a University website without authentication
  • Policy and procedure manuals designated by the owner as public
  • Job postings
  • University contact information not designated by the individual as "private" in TrueYou
  • Information in the public domain
  • Publicly available campus maps

Research Data

  • DoD Research Data requiring CMMC level 3
  • Controlled Unclassified Information (CUI https://www.archives.gov/cui/registry/category-list)
  • ITAR Research Data
  • DFARS Research Data

Data Risk Classification Self Assessment

Coming Soon! A self-assessment tool to determine what Risk Level data operates in.

Please contact the ITS Security Team with any questions.

Resource Use by Data Risk Classification

This table indicates which classifications of institutional data are generally allowed to be stored and/or processed on commonly used IT resources at the University. Some resources for specific institutional data use cases and with the application of additional security controls may be granted exceptions for higher data classifications. Contact the ITS Security Team for more information about the exception process.

Resource

Low Risk Data

Medium Risk Data

High Risk Data(i)

Research Data

O365 GCC High Level 3

N/A

N/A

N/A

YES

ITS Data Center and ITS Managed

YES

YES

YES

NO

Distributed Data Center and ITS Managed

YES

YES

NO

NO

Non-Enterprise SaaS Providers

YES

YES(a)

NO

NO

ITS Managed PC/Device

YES

YES

NO

NO

Non-Managed PC/Device

YES

NO

NO

NO

Removable Media

YES

NO

NO

NO

Personal Device (PC/Device)

NO

NO

NO

NO

Box

YES

YES

YES(b)

NO

Docusign

YES

YES

YES

NO

OneDrive

YES

YES

MAYBE

NO

Canvas

YES

YES

NO

NO

SharePoint

YES

YES

NO

NO

NEBIS (Firefly/SAP)

YES

YES

YES

NO

NESIS (Peoplesoft SIS)

YES

YES

YES

NO


(a)When acquired thru Procurement Services and all recommendations in vendor security risk assessment followed.

(b)When in the "High Risk Data or Research Data" instance.

(i)HIPAA data transmission, processing, or storage requires a HIPAA BAA be in place with service provider.

COOKIE USAGE:

The University of Nebraska System uses cookies to give you the best online experience. By clicking "I Agree" and/or continuing to use this website without adjusting your browser settings, you accept the use of cookies.

PRIVACY SETTINGS