Risk Classification

Aamusted is committed to protecting the privacy of its students, alumni, faculty and staff, as well as protecting the confidentiality, integrity, and availability of information important to the University’s mission.

Risk Classification

Data Risk Classifcation Examples

Server Examples

Application Examples

Approved Services

Welcome to Aamusted, where keeping our information safe is a top priority. We’ve sorted our information into different categories based on how sensitive it is. This helps us decide who can access it and lets us put the right security measures in place to protect it from unauthorized access.

At Aamusted, we’re serious about making sure only the right people can get to specific information. We don’t stop at just sorting things out – we also add extra layers of security to make sure no one who shouldn’t be accessing our data can get in. This way, we’re always staying ahead of potential problems and making sure the information you trust us with stays private and secure.

Important message for  Aamusted researchers: With the exception of regulated data like Protected Health Information (PHI), Social Security Numbers (SSNs), and financial account numbers, most research data and systems are generally classified as Low Risk. Please refer to the classification definitions and examples provided below to accurately assess the appropriate risk level. For detailed information security practices and guidelines related to research computing systems.

Consult Section 1.10 of the Research Policy Handbook. Your understanding and adherence to these guidelines are crucial for maintaining the security and integrity of our research data at Aamusted.

In addition to understanding risk classifications, for Moderate and High Risk Data, be sure to take all necessary steps to protect sensitive data at Aamusted

Low Risk

Data and systems are classified as Low Risk if they are not considered to be Moderate or High Risk and: 

  1. The data is intended for public disclosure, or
  2. The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on our mission, safety, finances, or reputation.
Moderate Risk

Data and systems are classified as Moderate Risk if they are not considered to be a low risk or High Risk, and:

  1. The data is not generally available to the public, or
  2. The loss of confidentiality, integrity, or availability of the data or system could have a mildly adverse impact on our mission, safety, finances, or reputation.
High Risk

Data and systems are classified as High Risk if:

  1. Protection of the data is required by law/regulation,
  2. Aamusted is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed, or
  3. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.

Data Risk Classification Examples

Use the examples below to determine which risk classification is appropriate for a particular type of data. When mixed data falls into multiple risk categories, use the highest risk classification across all.

Low Risk
  • Research data (at data owner’s discretion)
  • Staffs and Students IDs
  • Information authorized to be available on or through Aamusted website without staffs and student ID authentication.
  • Policy and procedure manuals designated by the owner as public.
  • Job postings
  • University contact information not designated by the individual as “private”.
  • Information in the public domain
  • Publicly available campus maps
Moderate Risk
  • Unpublished research data (at data owner’s discretion).
  • Student records and admission applications.
  • Faculty/staff employment applications, personnel files, benefits, salary, birth date, personal contact information.
  • Non-public Aamusted policies and policy manuals.
  • Non-public contracts.
  • Aamusted internal memos and email, non-public reports, budgets, plans, financial info.
  • University and employee ID numbers.
  • Project/Task/Award (PTA) numbers.
  • Engineering, design, and operational information regarding Aamusted infrastructure.
High Risk
  • Health Information, including Protected Health Information (PHI).
  • Health Insurance policy ID numbers.
  • Social Security Numbers.
  • Credit card numbers.
  • Financial account numbers.
  • Export controlled information.
  • Driver’s license numbers.
  • Passport and visa numbers.
  • Donor contact information and non-public gift information.

Application Risk Classification Example

An application is defined as software running on a server that is network accessible.

Low Risk
  • Applications handling Low Risk Data
  • Online maps
  • University online catalog displaying academic course descriptions
  • Bus schedules
Moderate Risk
  • Applications handling Moderate Risk Data
  • Human Resources application that stores salary information
  • Directory containing phone numbers, email addresses, and titles
  • University application that distributes information in the event of a campus emergency
  • Online application for student admissions
High Risk
  • Applications handling High Risk Data
  • Human Resources application that stores employee SSNs
  • Application that stores campus network node information
  • Application collecting personal information of donor, alumnus, or other individual
  • Application that processes credit card payments

Approved Services

This table indicates which classifications of data are allowed on a selection of commonly used Stanford University IT services.

High Risk Non-PHI Data

Payment Card Industry (PCI) data has special regulatory requirements that preclude using the services below. Contact the PCI team for assistance with handling this type of data.

High Risk PHI Data

Protected Health Information (PHI) data has special regulatory requirements that govern using the services below. Contact the DRA team for assistance handling this type of data.