Risk Classifications Data - Stanford University

Có thể bạn quan tâm

Skip to main content Risk Classifications

Stanford is committed to protecting the privacy of its students, alumni, faculty and staff, as well as protecting the confidentiality, integrity, and availability of information important to the University's mission.

Risk Classifications
Data Risk Classifications Examples
Server Examples
Application Examples
Approved Services

Stanford has classified its information assets into risk-based categories for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access.

As of May 2015, a new set of classifications has been established and is now in effect for Stanford data and systems: Low Risk, Moderate Risk, and High Risk. The former framework — Prohibited, Restricted, Confidential, and Unrestricted — was phased out in January 2016.

Special note to Stanford researchers: Except for regulated data such as Protected Health Information (PHI), Social Security Numbers (SSNs), and financial account numbers, research data and systems predominately fall into the Low Risk classification. Review the classification definitions and examples below to determine the appropriate risk level to apply. See Research Policy Handbook Section 1.10 for information security practices and guidelines specific to research computing systems.

In addition to understanding risk classifications, for Moderate and High Risk Data, be sure to take all necessary steps to protect sensitive data at Stanford.

Low Risk

Data and systems are classified as Low Risk if they are not considered to be Moderate or High Risk, and:

The data is intended for public disclosure, or
The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on our mission, safety, finances, or reputation.

Moderate Risk

Data and systems are classified as Moderate Risk if they are not considered to be High Risk, and:

The data is not generally available to the public, or
The loss of confidentiality, integrity, or availability of the data or system could have a mildly adverse impact on our mission, safety, finances, or reputation.

High Risk

Data and systems are classified as High Risk if:

Protection of the data is required by law/regulation,
Stanford is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed, or
The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.

Data Risk Classification Examples

Use the examples below to determine which risk classification is appropriate for a particular type of data. When mixed data falls into multiple risk categories, use the highest risk classification across all.

View Minimum Security Standards: Endpoints

Low Risk

Research data (at data owner's discretion)
SUNet IDs
Information authorized to be available on or through Stanford's website without SUNet ID authentication
Policy and procedure manuals designated by the owner as public
Job postings
University contact information not designated by the individual as "private" in StanfordYou
Information in the public domain
Publicly available campus maps

Moderate Risk

Unpublished research data (at data owner's discretion)
Student records and admission applications
Faculty/staff employment applications, personnel files, benefits, salary, birth date, personal contact information
Non-public Stanford policies and policy manuals
Non-public contracts
Stanford internal memos and email, non-public reports, budgets, plans, financial info
University and employee ID numbers
Project/Task/Award (PTA) numbers
Engineering, design, and operational information regarding Stanford infrastructure

High Risk

Health Information, including Protected Health Information (PHI)
Health Insurance policy ID numbers
Social Security Numbers
Credit card numbers
Financial account numbers
Export controlled information
Driver's license numbers
Passport and visa numbers
Donor contact information and non-public gift information

Server Risk Classification Examples

A server is defined as a host that provides a network accessible service.

View Minimum Security Standards: Servers

Low Risk

Servers used for research computing purposes without involving Moderate or High Risk Data
File server used to store published public data
Database server containing SUNet IDs only

Moderate Risk

Servers handling Moderate Risk Data
Database of non-public University contracts
File server containing non-public procedures/documentation
Server storing student records

High Risk

Servers handling High Risk Data
Servers managing access to High Risk systems
University IT and departmental email systems
Core campus infrastructure

Application Risk Classification Examples

An application is defined as software running on a server that is network accessible.

View Minimum Security Standards: Applications

Low Risk

Applications handling Low Risk Data
Online maps
University online catalog displaying academic course descriptions
Bus schedules

Moderate Risk

Applications handling Moderate Risk Data
Human Resources application that stores salary information
Directory containing phone numbers, email addresses, and titles
University application that distributes information in the event of a campus emergency
Online application for student admissions

High Risk

Applications handling High Risk Data
Human Resources application that stores employee SSNs
Application that stores campus network node information
Application collecting personal information of donor, alumnus, or other individual
Application that processes credit card payments

Approved Services

This table indicates which classifications of data are allowed on a selection of commonly used Stanford University IT services.

High Risk Non-PHI Data

Payment Card Industry (PCI) data has special regulatory requirements that preclude using the services below. Contact the PCI team for assistance with handling this type of data.

High Risk PHI Data

Protected Health Information (PHI) data has special regulatory requirements that govern using the services below. Contact the DRA team for assistance handling this type of data.

Stanford Service	Low Risk	Moderate Risk	High Risk: Non‑PHI	High Risk: PHI
Audio and Video Conferencing: Zoom and WebEx, Microsoft Teams IMPORTANT: Teams is only approved for PHI data with Cardinal Key.	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Approved for PHI data
Backups: Backup and Recovery Service for Servers (BaRS)	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Approved for PHI data
Backups: CrashPlanPROe	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Approved for PHI data
Calendar: Office 365	Approved for low risk data	Approved for moderate risk data	Not approved for general high risk data	Not approved for PHI data
Cardinal Fax	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Approved for PHI data
Cardinal Print	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Approved for PHI data
Cloud Infrastructure: Amazon Web Services, Microsoft Azure, Google Cloud PlatformIMPORTANT: Only approved for High-Risk & PHI data with the provision set up by UIT, and configured and managed by a Stanford professional services team. (e.g. Stanford Research Computing or TCG) Only HIPAA-approved services allowed for PHI-containing cloud accounts. See GCP and AWS.	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Approved for PHI data
Content Management: Stanford Domains	Approved for low risk data	Not approved for moderate risk data	Not approved for general high risk data	Not approved for PHI data
Content Management: Drupal (Stanford Sites), WordPress	Approved for low risk data	Approved for moderate risk data	Not approved for general high risk data	Not approved for PHI data
Content Management: OpenText	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Not approved for high risk data
Database Hosting: MySQL	Approved for low risk data	Approved for moderate risk data	Not approved for general high risk data	Not approved for PHI data
Document Management: Office 365 OneDrive, SharePointIMPORTANT: Only approved for PHI data with Cardinal Key.	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Approved for PHI data
Document Management: Medicine Box	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Approved for PHI data
Document Management: Google Drive (including Shared Drives, Docs, Sheets, Slides, and Forms)IMPORTANT: Only approved for PHI data with Cardinal Key with Google Drive.	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Approved for PHI data
Document Management: Google G Suite: All others (Photos, Jamboard, Sites, etc...)	Approved for low risk data	Approved for moderate risk data	Not approved for general high risk data	Not approved for PHI data
Electronic Data Capture (EDC): REDCap, Forte, REDCap CloudNote: Compliant with Title 21 CFR Part 11.	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Approved for PHI data
Electronic Signature: AdobeSignIMPORTANT: Only approved for PHI data with the system configuration set up by UIT.	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Approved for PHI data
Electronic Signature: DocuSign	Approved for low risk data	Approved for moderate risk data	Not approved for general high risk data	Not approved for PHI data
Email: Google Mail, Office365 (with “Secure:” in subject line)	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Approved for PHI data
Email: Google Mail, Office365 (without “Secure:” in subject line)	Approved for low risk data	Approved for moderate risk data	Not approved for general high risk data	Not approved for PHI data
Email: Other Departmental Systems	Approved for low risk data	Approved for moderate risk data	Not approved for general high risk data	Not approved for PHI data
Encryption: MDM Compliant Device, Stanford Device Registration Compliant Device	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Approved for PHI data
Encryption: VLRE Compliant Device	Approved for low risk data	Approved for moderate risk data	Not approved for general high risk data	Not approved for PHI data
File Storage: AFS, CIFS, NFS	Approved for low risk data	Approved for moderate risk data	Not approved for general high risk data	Not approved for PHI data
File Storage: Secure AFS, Secure File Storage, Wasabi Cloud Storage	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Approved for PHI data
File Transfer: Globus	Approved for low risk data	Approved for moderate risk data	Not approved for general high risk data	Not approved for PHI data
Cardinal Voice Softphone	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Approved for PHI data
Slack Messaging: Public Channels	Approved for low risk data	Approved for moderate risk data	Not approved for general high risk data	Not approved for PHI data
Slack Messaging: Direct Messages and invite-only channels	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Not approved for PHI data
Issue Tracking: JIRA	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Not approved for PHI data
Network Access Control: SUNAC	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Approved for PHI data
Research Computing Clusters: Sherlock and SCG	Approved for low risk data	Approved for moderate risk data	Not approved for general high risk data	Not approved for PHI data
Research Computing Clusters: Nero and CarinaIMPORTANT: A DRA review is required to introduce new research datasets.	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Approved for PHI data
Research Computing Storage: Oak	Approved for low risk data	Approved for moderate risk data	Not approved for general high risk data	Not approved for PHI data
Research Dataset Collaboration: RedivisIMPORTANT: A DRA review is required to introduce new research datasets.	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Approved for PHI data
ServiceNow	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Approved for PHI data
Shared Computing: FarmShare	Approved for low risk data	Approved for moderate risk data	Not approved for high risk data	Not approved for high risk data
Smartsheet: Collaboration and Project Management	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Approved for PHI data
Stanford Profiles: CAP	Approved for low risk data	Not approved for moderate risk data	Not approved for general high risk data	Not approved for PHI data
Survey Tool: Qualtrics - University, SoM, and GSB instances	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Approved for PHI data
Survey Tool: Qualtrics - All other instances	Approved for low risk data	Approved for moderate risk data	Not approved for general high risk data	Not approved for PHI data
Voice Messaging	Approved for low risk data	Approved for moderate risk data	Not approved for general high risk data	Not approved for PHI data
VPN	Approved for low risk data	Approved for moderate risk data	Approved for general high risk data	Approved for PHI data
Web Programming: CGI	Approved for low risk data	Approved for moderate risk data	Not approved for general high risk data	Not approved for PHI data
Wiki: Confluence	Approved for low risk data	Approved for moderate risk data	Not approved for general high risk data	Not approved for PHI data

Stanford Home
Maps & Directions
Search Stanford
Emergency Info

Terms of Use
Privacy
Copyright
Trademarks
Non-Discrimination
Accessibility

Từ khóa » Phi Lơ

Risk Classifications Data - Stanford University

Low Risk

Moderate Risk

High Risk

Data Risk Classification Examples

Low Risk

Moderate Risk

High Risk

Server Risk Classification Examples

Low Risk

Moderate Risk

High Risk

Application Risk Classification Examples

Low Risk

Moderate Risk

High Risk

Approved Services

Tiêm Filler Là Gì? Tiêm Filler Có Hại Không?

Tác Dụng Phụ Khi Tiêm Chất Làm đầy (filler) Cho Mặt - Hello Bacsi

Hiểm Họa Khi Làm đẹp Bằng Cách Tiêm Filler | VTC14 - YouTube

Công Vụ 1 NVB - Thưa Ngài Thê-ô-phi-lơ, - Trong - Bible Gateway

Tiêm Filler Có An Toàn Không? | Vinmec

[PDF] Criteria For The Passive House, EnerPHit And PHI Low Energy ...

Cách Chơi Tú Lơ Khơ Tá La Phỏm

Tú Lơ Khơ Tá Lả

[PDF] Low-Observable Physical Host Instrumentation For Malware Analysis

Công-vụ 1:1 VIE1925

PHI LOW CARBON LTD Overview - Companies House - GOV.UK

Tổ Chức Y Tế Thế Giới Kêu Gọi Châu Phi Không Lơ Là Phòng Dịch

Liên Hệ