Data Risk Categorizations
WVSOM has a very low tolerance for risks that arise from inappropriate or unauthorized use and/or release of sensitive data (i.e. PII, FERPA, HIPAA, COPPA). Data elements may be maintained and archived in the pursuit of regular financial business operations, academic research, student communications, or other intellectual property developed for WVSOM. The WVSOM IT Department, as part of the Information Security Plan, requires our end-user community to report any suspected data breach through the incident reporting process within our service request system (Team Dynamix). As stated in institutional policy GA-31 Acceptable Use of IT Resources, WVSOM-affiliated individuals are expected to comply with data protection governed by Federal and State laws concerning the collection, use, and disclosure of certain information. The WVSOM GLBA working group will identify annually any changes to the data they are collecting and maintaining, while also reaffirming the proper retention and disposal requirements under institutional policy GA-11 Record Retention. The annual identification of the data will define its risk categorization as public (low sensitivity), private (moderate sensitivity), or restricted (high sensitivity), combined with the location of the data, the data type (faculty, staff, student, other), and the information type (Administrative, PII, FERPA, HIPAA, COPPA).
WVSOM has categorized its data and information systems into risk levels of sensitivity for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access.
Accurate categorization provides the basis to apply an appropriate level of security to institutional data. These categorizations take into account the legal protections (by statute, regulation, or by the data subject’s choice), contractual agreements, ethical considerations, or strategic or proprietary worth.
Data Categorization Standard
Public
Low level of sensitivity
The public data categorization is not considered confidential; such data may be released to a requestor and made accessible to the public, and it represents the lowest risk. Any loss of availability, integrity, or confidentiality would not be detrimental to the finances, safety, reputation or mission of WVSOM. However, the integrity of public data must still be protected and maintained, and the owner of the data must give the appropriate authorization before the data is replicated.
Private
Internal Data, moderate level of sensitivity
The private data categorization covers data that is WVSOM proprietary in nature and may carry other privacy and ethical considerations, but not necessarily a direct compliance requirement (statutory, regulatory or legal) mandating protection; it presents moderate risk. The loss of availability, integrity or confidentiality could have a mild impact on the finances, safety, reputation or mission of WVSOM. Access to private data should be reserved for WVSOM personnel whose job function gives them a business purpose for accessing it.
Restricted
Confidential, highest level of sensitivity
The restricted data categorization is applied to the most confidential data elements, those protected by statutes, policies and regulations (FERPA, HIPAA, PCI DSS), and presents the highest risk. It may also include data that is not under legal statute but which the WVSOM data administrators and owners have deemed to require restricted access. The loss of availability, integrity, or confidentiality could have a substantial negative impact on WVSOM and its finances, safety, reputation or mission.
Data Risk Categorization Examples
Use the examples below to determine which data categorization standard is appropriate for a particular type of data. When a data set is mixed, spanning multiple categories or multiple levels of sensitivity, apply the categorization with the highest sensitivity level to the whole set.
Public
- Information authorized to be available on or through WVSOM’s Public websites
- Policy and procedure manuals designated by Legal and the owner as public
- Job postings
- Board of Governors Schedule, Agendas and Approved Minutes
- Departmental Information intended for public review
- WVSOM Virtual Campus Tour
- Basic Curriculum information
- Non-personal contact information for Departments
Private
- Non-public WVSOM Institutional or Departmental policies, procedures, and policy manuals
- Non-public contracts
- Operational Infrastructure information
- WVSOM internal memos and email, non-public reports, budgets, plans, financial info
- Basic personnel data such as hire & separation dates, faculty rank and tenure, workers compensation, job application materials
- Account Receivable Invoicing
- Engineering, design, and operational information regarding WVSOM infrastructure
- WVSOM Institutional survey data
Restricted
Personally Identifiable Information (PII), defined as:
- First Name, Last Name associated with any of the following data:
  - Social Security Number (all forms)
  - Driver's License Number and personal vehicle information
  - Passport and Visa Number
  - Account passwords or personal identification numbers (employee/student ID, PIN) or access codes when used with First/Last name
  - Place/Date of birth
  - Mother's maiden name associated with an individual
  - Any biometric record of an individual (fingerprint, DNA, Iris/Retina scan)
Protected Health Information examples
- Human Resources medical monitoring files
- Employee medical file and medically related leave information
Health Insurance Benefit Information examples
- Health Insurance policy #
- Family information, including medical information, SSNs, and other PII
Student data examples
- Student records, application, payment data
- Financial Aid data
Other WVSOM data identified as confidential examples
- Alumni non-public gift and donor information
- Evaluations and Performance improvement plans
- Employee grievance files
- W-9s, 1099s
- Bid documentation until the contract is awarded
- Export control information
Application Risk Categorization Examples
An application is defined as software running on a network-accessible server or installed on a local machine.
Public
- Applications handling Low Sensitivity Level Data
- Online WVSOM Campus maps
- WVSOM Institutional online catalog displaying academic course descriptions
- Application for Standardized Patient Program
- Public portion of WVSOM Institutional Dashboard
- MSPE Request Form
Private
- Applications handling Moderate Sensitivity Level Data
- Human Resources application that stores salary information
- WVSOM directory containing employee phone numbers, email addresses, and titles
- WVSOM Alert application that distributes information in the event of a campus emergency
- Online application for student admissions
- Committee Minutes
- Rotation Schedule
- Training Materials for software
- Manipulation in Motion
Restricted
- Applications handling High Sensitivity Level Data
- Human Resources application that stores employee SSNs
- Application collecting personal information of donor, alumnus, or other individuals
- Application that processes credit card payments
- Faculty Staff Professional Behavior reporting
- Incident Reporting
- emedley
- Grant Time and Effort
- Banner Document Management
- Banner Administrative Pages (HR/Finance/Enrollment/Grades/Fixed Assets/AP/AR/Student/Applicant/Financial Aid)
- Banner Self Service (Financial Aid, Transcript, Bill/Payments)
Server Risk Categorization Examples
A server is defined as a host that provides a network-accessible service.
Public
- Servers used for research computing purposes without involving Moderate or High Sensitivity Level Data
- File server used to store published public data, records, and documentation
Private
- Servers handling Moderate Sensitivity Level Data
- File server containing non-public documentation and records
- Test servers for developing new applications
Restricted
- Servers handling High Sensitivity Level Data
- Servers managing access to High Sensitivity Level systems
- WVSOM email systems
- Server storing student, employee, and applicant records
- Core WVSOM Institutional infrastructure
The WVSOM Information Technology Department has put together a list of approved services and their associated categories (login required).