Help Desk: (814)865-HELP security@psu.edu

Information Classification Decision Tool

This nine-question tool asks a series of yes or no questions to help you determine which classification your information falls under. Knowing your information's classification level helps you and your IT staff, IT partners, and research administrators understand which information security controls are required for that information under applicable laws, regulations, policies, and standards.


If at any time you are unsure of an answer, the Office of Information Security (OIS) is available for guidance at security@psu.edu.

1. Is your data controlled by any of the following regulations: PCI-DSS (Payment Card Industry – Data Security Standard), FISMA (The Federal Information Security Management Act), ITAR (International Traffic in Arms Regulations), EAR (Export Administration Regulations), or other Export Control regulations?
Data Classification: RESTRICTED

Your data may be classified as Restricted, depending on the applicable contractual obligations. Specific examples of Restricted Data include: information subject to PCI-DSS (Payment Card Industry – Data Security Standard), Export Controlled data such as ITAR (International Traffic in Arms Regulations) or EAR (Export Administration Regulations) data, and FISMA (The Federal Information Security Management Act) controlled data.

Most information in this category requires handling standards that are unique to the applicable law, regulation, or contract.

Consult with the Office of Information Security (OIS) for guidance on how to handle this information. If you have any questions, please contact OIS at security@psu.edu.

2. Does your data contain CUI (Controlled Unclassified Information – Please consult the CUI Registry and the CUI Glossary for further definitions)?
Data Classification: HIGH

Instructions for handling data in this risk classification can be found in the Office of Information Security (OIS) maintained security standards, as governed by Penn State Policy AD-95. If you have any questions, please contact the Office of Information Security (OIS) at security@psu.edu.

3. Does your data contain PII (Personally Identifiable Information, defined here as Social Security Numbers, Credit Card Numbers, Driver's License Numbers, and Bank Account Numbers), PHI (Protected Health Information), or other HIPAA (Health Insurance Portability and Accountability Act) governed information, including but not limited to identifiable human subject research data?
Data Classification: HIGH

Instructions for handling data in this risk classification can be found in the Office of Information Security (OIS) maintained security standards, as governed by Penn State Policy AD-95. If you have any questions, please contact the Office of Information Security (OIS) at security@psu.edu.

4. Is your data covered by the GLBA (Gramm-Leach-Bliley Act, which governs how financial institutions handle the nonpublic personal information of individuals) – OR – does it contain any type of IT security information, such as logs, passwords, or other data elements that could allow unauthorized access to information systems?
Data Classification: HIGH

Instructions for handling data in this risk classification can be found in the Office of Information Security (OIS) maintained security standards, as governed by Penn State Policy AD-95. If you have any questions, please contact the Office of Information Security (OIS) at security@psu.edu.

5. Does your data contain FERPA (The Family Educational Rights and Privacy Act) governed student records that DO NOT contain PII (Personally Identifiable Information, defined here as Social Security Numbers, Credit Card Numbers, Driver's License Numbers, and Bank Account Numbers); personnel records; or donor records?
Data Classification: MODERATE

Instructions for handling data in this risk classification can be found in the Office of Information Security (OIS) maintained security standards, as governed by Penn State Policy AD-95. If you have any questions, please contact the Office of Information Security (OIS) at security@psu.edu.

6. Does your data contain Attorney/Client Privileged documents?
Data Classification: MODERATE

Instructions for handling data in this risk classification can be found in the Office of Information Security (OIS) maintained security standards, as governed by Penn State Policy AD-95. If you have any questions, please contact the Office of Information Security (OIS) at security@psu.edu.

7. Is your data subject to contractual restrictions but does NOT contain CUI (Controlled Unclassified Information – please consult the CUI Registry and the CUI Glossary for further definitions)?
Data Classification: MODERATE

Instructions for handling data in this risk classification can be found in the Office of Information Security (OIS) maintained security standards, as governed by Penn State Policy AD-95. If you have any questions, please contact the Office of Information Security (OIS) at security@psu.edu.

8. Does your data contain initial and intermediate research data or educational data?
Data Classification: LOW

Instructions for handling data in this risk classification can be found in the Office of Information Security (OIS) maintained security standards, as governed by Penn State Policy AD-95. If you have any questions, please contact the Office of Information Security (OIS) at security@psu.edu.

9. Does your data contain publicly available information, directory information, information made freely available by any public resource, or other already published data?
Data Classification: LOW

Instructions for handling data in this risk classification can be found in the Office of Information Security (OIS) maintained security standards, as governed by Penn State Policy AD-95. If you have any questions, please contact the Office of Information Security (OIS) at security@psu.edu.

Data Classification: UNDETERMINED

All University data is classified as Restricted, High, Moderate, or Low. Please review the questions again to determine the proper classification for your information.

If you are still unsure of your data’s classification level, please contact the Office of Information Security (OIS) at security@psu.edu for further assistance.