Information Classification
Penn State’s information is valuable. We’ll help you protect it.
CLASSIFICATION TYPES
How to protect the information you work with depends on its classification.
University Policy AD95 outlines the different information classification types and the security controls you are required to use for each of them.
There are four different types of information classification.
Restricted (Level 4)
Access and use are strictly controlled and restricted by laws, regulations, or contracts. Unauthorized access, use, disclosure, or loss will have significant legal consequences, including civil and criminal penalties, loss of funding, inability to continue current research, and inability to obtain future funding or partnerships. Examples include:
- Payment Card Industry Data Security Standard (PCI-DSS) Data
- Data subject to Federal Information Security Management Act (FISMA) moderate or high standards
High (Level 3)
Unauthorized access, use, disclosure, or loss is likely to have significant and severe adverse effects for individuals, groups, or the University. These adverse effects could include, but are not limited to, social, psychological, reputational, financial, or legal harm. Compliance requirements are not as strict as for Restricted Information. Examples include:
- Personally Identifiable Information (PII) as defined in Privacy Policy AD53
- Health Insurance Portability and Accountability Act (HIPAA) data
Moderate (Level 2)
Unauthorized access, use, disclosure, or loss is likely to have adverse effects for individuals, groups, or the University, but will not have a significant impact on the University. These adverse effects could include, but are not limited to, social, psychological, reputational, financial, or legal harm. Examples include:
- Non-PII student records
- Personnel records
Low (Level 1)
Unauthorized access, use, disclosure, or loss is likely to have low or no risk to individuals, groups, or the University. These adverse effects may, but are unlikely to, include limited reputational, psychological, social, or financial harm. Low Risk Information may include some non-public data. Examples include:
- Data made freely available by public sources
- Published data
- Educational data
- Initial and intermediate Research Data
Quick Guide
If your unit processes or stores High or Restricted information, you must have an Authority to Operate (ATO).