Help Desk: (814)865-HELP security@psu.edu

Information Classification

Penn State's information is valuable. We'll help you protect it.


How to protect the information you work with depends on its classification.

University Policy AD95 outlines the different information classification types and the security controls you are required to use for each of them.

There are four information classification levels, from most to least sensitive: Restricted (Level 4), High (Level 3), Moderate (Level 2), and Low (Level 1).


If your unit processes or stores High or Restricted information, you must have an Authority to Operate (ATO).


Restricted (Level 4)

Access and use is strictly controlled and restricted by laws, regulations, or contracts. Unauthorized access, use, disclosure, or loss will have significant legal consequences, including civil and criminal penalties, loss of funding, inability to continue current research, and inability to obtain future funding or partnerships. Examples include:

  • Payment Card Industry Data Security Standard (PCI-DSS) Data
  • Data subject to Federal Information Security Management Act (FISMA) moderate or high standards

High (Level 3)

Unauthorized access, use, disclosure, or loss is likely to have significant and severe adverse effects for individuals, groups, or the University. These adverse effects could include, but are not limited to, social, psychological, reputational, financial, or legal harm. Compliance requirements are not as strict as for Restricted information. Examples include:

  • Personally Identifiable Information (PII) as defined in Privacy Policy AD53
  • Health Insurance Portability and Accountability Act (HIPAA) data

Moderate (Level 2)

Unauthorized access, use, disclosure, or loss is likely to have adverse effects for individuals, groups, or the University, but will not have a significant impact on the University. These adverse effects could include but are not limited to social, psychological, reputational, financial, or legal harm. Examples include:

  • Non-PII student records
  • Personnel records

Low (Level 1)

Unauthorized access, use, disclosure, or loss is likely to have low or no risk to individuals, groups, or the University. These adverse effects may, but are unlikely to, include limited reputational, psychological, social, or financial harm. Low Risk Information may include some non-public data. Examples include:

  • Data made freely available by public sources
  • Published data
  • Educational data
  • Initial and intermediate Research Data

Information Classification Tool

To use the information classification tool, start by typing the type of information you have into the search box (for example, "credit card number" or "passport number"). The tool narrows the results in the table below to the rows matching your search.

| Data Classification | Data Type | Data Definition | Data Level | Additional Information/Links |
|---|---|---|---|---|
| RESTRICTED INFORMATION | Payment Card Industry Data Security Standard (PCI-DSS) | Information related to credit, debit, or other payment cards | L4 | |
| RESTRICTED INFORMATION | Data subject to Federal Information Security Management Act (FISMA) moderate or high standards | Federal Information Security Management Act of 2002, a United States federal law enacted as Title III of the E-Government Act of 2002, which requires federal agencies to develop, document, and implement information security systems and policies that support agency operations | L4 | |
| RESTRICTED INFORMATION | Export Controlled Data | The U.S. government's regulation of the transfer of information, commodities, technology, and software considered to be strategically important to the U.S. in the interest of national security, economic, and/or foreign policy concerns | L4 | https://universityethics.psu.edu/export-compliance |
| RESTRICTED INFORMATION | Export Administration Regulations (EAR) Data | U.S. Department of Commerce regulations governing the export of "dual-use" items: goods and related technology, including technical data and technical assistance, which are designed for commercial purposes but may have military applications | L4 | https://www.gpo.gov/fdsys/pkg/CFR-2011-title15-vol2/xml/CFR-2011-title15-vol2-subtitleB-chapVII-subchapC.xml |
| RESTRICTED INFORMATION | International Traffic in Arms Regulations (ITAR) Data | U.S. regulations that control the export and import of defense-related articles and services on the United States Munitions List (USML) | L4 | https://www.pmddtc.state.gov/regulations_laws/itar.htm |
| RESTRICTED INFORMATION | National Security Interest (NSI) | Information that has been determined, pursuant to Executive Order (EO) 13526, "Classified National Security Information," or any predecessor order, to require protection against unauthorized disclosure. Also covers National Security-Related Information: unclassified information related to the national defense or foreign relations of the United States (U.S.) | L4 | |
| HIGH INFORMATION | Social Security Number (SSN) | | L3 | |
| HIGH INFORMATION | Driver's License Number | | L3 | |
| HIGH INFORMATION | State Identification Number (in lieu of a Driver's License Number) | | L3 | |
| HIGH INFORMATION | Passport Number | | L3 | |
| HIGH INFORMATION | Credit Card Numbers (not corporate account numbers) | | L3 | |
| HIGH INFORMATION | Financial Account Numbers | | L3 | |
| HIGH INFORMATION | Biometric Data | Personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. Includes facial images/scans, fingerprint identification, retina images/scans, iris scans, etc. | L3 | |
| HIGH INFORMATION | Fingerprints | | L3 | |
| HIGH INFORMATION | Retina Images | | L3 | |
| HIGH INFORMATION | Facial Images/Scans | | L3 | Facial recognition for identification and biometric scanning |
| HIGH INFORMATION | DNA Profiles | DNA fingerprinting, DNA testing, or DNA typing | L3 | |
| HIGH INFORMATION | Protected Health Information (PHI) | Any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a Business Associate of a Covered Entity) and can be linked to a specific individual. This is interpreted broadly and includes any part of a patient's medical record or payment history. | L3 | |
| HIGH INFORMATION | PHI (classified as HIPAA) | Individually identifiable health information that is collected from an individual, created or received by a health care provider, health plan, health care clearinghouse, or other employee of one of the Covered Components of the University. This PHI is confidential and must be treated as protected under HIPAA. Protected Health Information relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. This applies to areas at Penn State that have been determined and identified as a HIPAA Covered Component. | L3 | https://security.psu.edu/hipaa/ |
| HIGH INFORMATION | Identifiable Human Subject Data (Research) | | L3 | https://www.research.psu.edu/irb/policies. Several classifications apply to human subject data. Sensitive information (psychological profiles, medical information, or other personally identifiable information) falls under High; non-identifiable information (for example, taste-testing data at the Creamery) falls under Low. For additional questions, please email security@psu.edu. |
| HIGH INFORMATION | Student Health Records | | L3 | |
| HIGH INFORMATION | Past, present, or future physical or mental health or condition of an individual | Refer to Protected Health Information (classified as HIPAA) | L3 | |
| HIGH INFORMATION | Provision of health care to an individual by an "identified" HIPAA Covered Component | Refer to Protected Health Information (classified as HIPAA) | L3 | |
| HIGH INFORMATION | Controlled Unclassified Information (CUI) | | L3 | https://www.archives.gov/cui/registry/category-list |
| HIGH INFORMATION | Any health information collected, retained, and stored by an "identified" HIPAA Covered Component | Refer to Protected Health Information (classified as HIPAA) | L3 | |
| HIGH INFORMATION | I-9 forms | | L3 | |
| HIGH INFORMATION | Health Diagnoses (e.g., mental health, sexual, drug/alcohol abuse) | | L3 | |
| HIGH INFORMATION | Genetic Information | Information about an individual's genetic tests and the genetic tests of an individual's family members, as well as information about the manifestation of a disease or disorder in an individual's family member (i.e., family medical history) | L3 | |
| HIGH INFORMATION | Gramm-Leach-Bliley Act (GLBA) information | Personal financial information held by financial institutions and higher education organizations as related to student loan and financial aid applications (e.g., student loan information, student financial aid and grant information, and payment history) | L3 | |
| HIGH INFORMATION | Passwords | | L3 | Please email security@psu.edu for clarification/guidance. |
| HIGH INFORMATION | Network Diagrams | | L3 | This pertains to enterprise-level systems or other diagrams that are specific to systems that store large repositories of L3 and L4 information. (Please email security@psu.edu for clarification/guidance.) |
| HIGH INFORMATION | IT Security Program Plans | | L3 | |
| MODERATE INFORMATION | IT Security Incident Information | | L2 | Unless otherwise specified by the Office of Information Security |
| HIGH INFORMATION | Access and Authorization Logs | | L3 | In conjunction with other L3 or L4 data elements. Please email security@psu.edu for guidance. |
| MODERATE INFORMATION | Firewall Rules | | L2 | |
| MODERATE INFORMATION | Equipment/System Inventory List(s) | | L2 | |
| HIGH INFORMATION | Password Questions | | L3 | |
| HIGH INFORMATION | Personally Identifiable Information (PII) | Information maintained by the University that can be used to distinguish or trace an individual's identity, specifically including Social Security Numbers (SSNs), credit card numbers, bank account numbers, Driver's License numbers, state ID numbers, passport numbers, biometric data (including fingerprints, retina images, and DNA profile), or protected health information. These data elements are defined by the University as personally identifiable information. | L3 | https://policy.psu.edu/policies/ad53 |
| HIGH INFORMATION | Donor financial information | | L3 | |
| HIGH INFORMATION | University Financial Information | | L3 | |
| HIGH INFORMATION | Federal Tax Information | | L3 | |
| MODERATE INFORMATION | Date of Birth | | L2 | |
| MODERATE INFORMATION | Donor information that DOES NOT include financial information | | L2 | |
| MODERATE INFORMATION | National Identification Numbers | | L2 | |
| MODERATE INFORMATION | Personal/Home Address | | L2 | |
| MODERATE INFORMATION | Personal/Home Phone | | L2 | |
| MODERATE INFORMATION | Personal/Home Email | | L2 | |
| MODERATE INFORMATION | IP Address (when linked to other data) | | L2 | |
| MODERATE INFORMATION | Non-PII Personal Records | | L2 | |
| MODERATE INFORMATION | Attorney/Client Privileged | | L2 | |
| MODERATE INFORMATION | Immigration Documentation (e.g., visas) | | L2 | |
| MODERATE INFORMATION | Contracts with third-party entities | | L2 | |
| MODERATE INFORMATION | Intellectual or other Proprietary Property | | L2 | |
| MODERATE INFORMATION | Public Safety and Security Information | | L2 | |
| MODERATE INFORMATION | Emergency Planning Information | | L2 | |
| MODERATE INFORMATION | Course information and grades | | L2 | FERPA |
| MODERATE INFORMATION | Student Transcripts | | L2 | FERPA |
| MODERATE INFORMATION | Class Schedules | | L2 | |
| MODERATE INFORMATION | Advising Notes | | L2 | |
| MODERATE INFORMATION | Disciplinary records | | L2 | |
| MODERATE INFORMATION | Criminal Records | | L2 | |
| MODERATE INFORMATION | Penn State Purchasing Cards | | L2 | |
| MODERATE INFORMATION | Penn State Identification Numbers (PSU ID #s) | | L2 | |
| MODERATE INFORMATION | UDrive | Academic storage for lab/classroom machines, including Media Commons systems | L2 | UDrive is designed to store personal data that is classified as Low or Moderate. If you wish to store data that is classified as High or Restricted, do not store it on UDrive; instead use storage designed for these classifications. Please contact security@psu.edu for guidance. |
| MODERATE INFORMATION | Salary Information | | L2 | |
| LOW INFORMATION | Student Name, Major, and Degree | | L1 | FERPA |
| LOW INFORMATION | PSU Email Address | | L1 | |
| LOW INFORMATION | Directory Information (unless there is a confidentiality hold) | | L1 | |
| LOW INFORMATION | Data made freely available to public sources | | L1 | |
| LOW INFORMATION | Non-PII Human Resources information | | L1 | |
| LOW INFORMATION | Budgets | | L1 | |
| LOW INFORMATION | University Insurance Claims | | L1 | |
| LOW INFORMATION | Published Research (barring other publication restrictions) | | L1 | |
| LOW INFORMATION | Unpublished Research (at the discretion of the researcher) | | L1 | |
| LOW INFORMATION | Public Websites | | L1 | |
| LOW INFORMATION | Course Catalogs | | L1 | |
| LOW INFORMATION | Information in the public domain | | L1 | |
| LOW INFORMATION | IP Address (not linked to any other data) | | L1 | |
| LOW INFORMATION | Username | | L1 | |
| LOW INFORMATION | Gender | | L1 | |
| LOW INFORMATION | Race | | L1 | |
| LOW INFORMATION | Age | | L1 | |
| LOW INFORMATION | JRW/PMW | | L1 | |
| LOW INFORMATION | General institutional and business information not classified as Restricted, High, or Moderate | | L1 | |