Information Security

Information Classification

Penn State’s information is valuable. We’ll help you protect it.

CLASSIFICATION TYPES

How to protect the information you work with depends on its classification.

University Policy AD95 outlines the different information classification types and the security controls you are required to use for each of them.

There are four different types of information classification.

Restricted (Level 4)

Access and use are strictly controlled and restricted by laws, regulations, or contracts. Unauthorized access, use, disclosure, or loss will have significant legal consequences, including civil and criminal penalties, loss of funding, inability to continue current research, and inability to obtain future funding or partnerships. Examples include:

  • Payment Card Industry Data Security Standard (PCI-DSS) Data
  • Data subject to Federal Information Security Management Act (FISMA) moderate or high standards

High (Level 3)

Unauthorized access, use, disclosure, or loss is likely to have significant and severe adverse effects for individuals, groups, or the University. These adverse effects could include, but are not limited to, social, psychological, reputational, financial, or legal harm. Compliance requirements are not as strict as for Restricted Information. Examples include:

  • Personally Identifiable Information (PII) as defined in Privacy Policy AD53
  • Health Insurance Portability and Accountability Act (HIPAA) data

Moderate (Level 2)

Unauthorized access, use, disclosure, or loss is likely to have adverse effects for individuals, groups, or the University, but will not have a significant impact on the University. These adverse effects could include but are not limited to social, psychological, reputational, financial, or legal harm. Examples include:

  • Non-PII student records
  • Personnel records

Low (Level 1)

Unauthorized access, use, disclosure, or loss is likely to pose low or no risk to individuals, groups, or the University. These adverse effects may, but are unlikely to, include limited reputational, psychological, social, or financial harm. Low Risk Information may include some non-public data. Examples include:

  • Data made freely available by public sources
  • Published data
  • Educational data
  • Initial and intermediate Research Data

If your unit processes or stores High or Restricted information, you must have an Authority to Operate (ATO).