March 1, 2019
It was determined that the previous Data Classification Table and Reference for Data and System Classification contained much of the same information, were unwieldy, and that a single policy would provide essential and increased information while incorporating necessary data-centric information about the General Data Protection Regulation. As a result, for convenience and clarification, information in the Table and Reference was updated, combined into one document, and re-issued as the below Electronic Data and System Risk Classification Policy.
Note that the changes reflected in the Electronic Data and System Risk Classification Policy below require modifications in other currently posted policies, especially the security policies. Those changes are underway; NYU community members are encouraged to check the Information Technology Policies and Guidelines website periodically for updates.
New York University is committed to safeguarding the privacy of its students, alumni, faculty, and staff, as well as protecting the confidentiality, integrity, and availability of information and systems that are important to the University’s mission. This policy is the authoritative source of information on data and systems risk classification at NYU.
This policy provides a framework for safeguarding NYU’s information assets, i.e., its information technology systems and the data in its possession. NYU has classified its information assets into risk-based categories for the purpose of determining who is allowed to access and use those assets and what security precautions must be taken to safeguard those assets against unauthorized access. Risk is considered loss of confidentiality, integrity, or availability. This policy should be read in conjunction with the Data and System Security Measures policy, which sets forth the specific security measures that apply to each data and system classification.
This policy establishes the following risk classifications for NYU data: Low Risk, Moderate Risk, and High Risk; and the following criticality classifications for NYU systems: Low Criticality, Moderate Criticality, and High Criticality. The classifications help to identify the level of safeguarding required for any specific type of data or system. While all data and systems must be safeguarded, more stringent measures are required as the level of risk or criticality increases.
The data and systems referred to in this policy must be properly safeguarded regardless of the location of the specific data and the systems on which they can be found. This risk classification, therefore, is applicable to a wide variety of IT resources which are connected to NYU-NET or are used for any NYU business purpose, including personally owned devices. A “system” is defined as any IT resource to which security safeguards may be applied.
Examples of systems include, but are not limited to:
All of the above systems may perform their own authentication and authorization, logging and auditing, and have their own configurations which must be managed, and each of them is considered a compliance object to be safeguarded.
A system may be classified at a higher criticality than is required by the classification below. If so, the system must meet the security measures for that higher criticality level.
Those responsible for classifying data and system risk may be individual system owners, system administrators, project managers, or data stewards/trustees. The entire NYU community (faculty, staff, students, contractors/consultants, alumni, vendors, and guests) who access University data and systems must consider how they are protecting University data and systems. Therefore, all must be aware of the sensitivity of the data they access and the resultant risk if that data is not properly safeguarded.
Three levels of data risk classification are outlined below. They are based on the impact that unauthorized access to, disclosure of, or alteration of the data in question would have on individual community members and/or on NYU as an institution.
Risk classification of data takes into account the:
The classification of specific data is subject to change as the attributes of that data change (e.g., its elements, content, uses, importance, method of transmission, or regulatory context).
The data classifications are listed below with examples provided in the following section. The following rules should be applied when classifying data:
Low Risk: Data is classified as Low Risk if either of the following conditions applies:
Moderate Risk: Data is classified as Moderate Risk if any of the following conditions applies:
High Risk: Data is classified as High Risk if either of the following conditions applies:
An “adverse impact” means (i) with respect to an individual, that the security or privacy of the data has been compromised with a probable increase in risk, and (ii) with respect to NYU, that the financial, legal, operational, and/or reputational risk is increased up to and including severe repercussions.
The following examples are intended to assist with determining which risk classification is appropriate for a particular type of data and are not meant to be an exclusive list of data that falls into each classification.
Note regarding Research Data: (1) Protected Data Related to Research - Research data that is governed by federal regulation or sponsor requirements: Depending on the subject matter and the data accessed, generated, and/or shared, more stringent requirements may be imposed by the sponsor, the U.S. federal government, or foreign governments (e.g., the EU GDPR). Therefore, the data owner is advised to check with the OSP or the IRB (for human subject research). (2) Except for regulated data such as Protected Health Information (PHI), Social Security Numbers (SSNs), Controlled Unclassified Information (CUI), financial account numbers, and other protected data related to research, and systems serving as repositories for these data types, research data predominantly falls into the Low Risk classification. Review the classification definitions and examples below to determine the appropriate risk level to apply.
Low Risk: Data is classified as Low Risk if any of the following conditions applies:
Moderate Risk: Data is classified as Moderate Risk if any of the following conditions applies:
High Risk: Data is classified as High Risk if any of the following conditions applies:
System Criticality is determined according to the following classifications. The following rules should be taken into account when classifying systems:
Low Criticality: A system should be classified as Low Criticality when it meets the following criterion:
Moderate Criticality: A system should be classified as Moderate Criticality when it meets either of the following criteria:
High Criticality: A system should be classified as High Criticality when it meets either of the following criteria:
The following examples are intended to assist with determining which classification is appropriate for a particular type of system and are not meant to be an exclusive list of systems falling into each classification.
Low Criticality: A system should be classified as Low Criticality if any of the following conditions applies:
Moderate Criticality: A system should be classified as Moderate Criticality if any of the following conditions applies:
High Criticality: A system should be classified as High Criticality if any of the following conditions applies:
Depending on the Classification Levels determined for Data and Systems, procedures for securing systems are outlined in:
AD: refers to Active Directory, a directory service originally developed for Windows domain networks; it manages permissions and access to a network directory of services.
API: refers to Application Programming Interface, an interface through which software components exchange data by receiving requests and sending back responses.
CMS: refers to a content management system, such as WordPress.
HR: refers to NYU’s Human Resources systems.
IoT: refers to the Internet of Things, an expanding system of interrelated physical, mechanical, and digital computing devices, each with a unique identifier (i.e., an IP address for internet connectivity), that can communicate and transfer data over a network with other Internet-enabled devices and systems without requiring human-to-human or human-to-computer interaction.
IP: means Internet Protocol; an IP address is a unique address assigned to every computing device on a network for interface and location identification, so that it can communicate with other computing devices on that network.
IRB: stands for Institutional Review Board, any of the administrative bodies established to protect the rights and welfare of human research subjects recruited as participants in research activities conducted under the auspices of NYU. For example, the NYU School of Medicine has several IRBs and the University Committee on Activities Involving Human Subjects (UCAIHS) serves as NYU's IRB for the Washington Square units of the University.
LDAP: stands for Lightweight Directory Access Protocol, a software protocol for locating organizations, individuals, and other resources such as files and devices, whether on the public Internet or an organizational intranet; it can communicate with Active Directory.
Linux: a general-purpose, free and open-source operating system used across a large number of hardware platforms and devices.
Mac OS: refers to the Macintosh general-purpose operating system developed, marketed, and sold by Apple Inc. for personal computers.
OSP: refers to the NYU Office of Sponsored Programs which provides information, assistance, and support concerning the research and sponsored programs enterprise at NYU.
SFTP: stands for Secure File Transfer Protocol, a server application and secure version of File Transfer Protocol (FTP) that facilitates data access and data transfer over a Secure Shell (SSH) data stream.
SSO: stands for Single Sign-On solution, an access-control property intended to ensure that only authorized users gain access to sensitive data.
Unix: a general-purpose proprietary, licensed operating system with research, academic, and even commercial uses, and a powerful model of modular software design.
Windows: refers to a group of several graphical general-purpose operating systems for personal computers, developed, marketed, and sold by Microsoft.
Effective Date
Supersedes: Data Classification Table, Effective February 20, 2012; Reference for Data and System Classification, Effective December 2, 2010
Issuing Authority: Executive Vice President; Vice President, Information Technology and Chief Information Officer
Responsible Officer: Vice President, Information Technology and Chief Information Officer