Data and Technology Review Request Definitions

Criticality 

  • Business Impact Nominal – Data is unavailable over 2 weeks with minimal to no impact on organizational operations, organizational Assets, or individuals. 
  • Business Impact Low – Data is unavailable for 72 hours to 2 weeks, and it could be expected to have an adverse effect on organizational operations, organizational Assets, or individuals. 
  • Business Impact High – Data is unavailable for 72 hours or less, and it could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational Assets, or individuals. 
  • Business Impact Critical – Data is related to control Systems that support the University, but if subverted, could be life-threatening to University Employees, students, and others using University facilities (e.g., attending athletic events). 

Sensitivity 

Public

The effect on confidentiality of the Data is negligible.  Data that would fit into this classification includes, but is not limited to:

  • Data that by law is available to the public without request.
  • Data on public-facing informational websites   
  • Public directory information
  • Job postings
  • Published research papers
  • Press releases
  • Campus maps
  • Course information
  • Advertising
  • FERPA Student Directory Information (excluding students who have opted out)

Internal Use Only

The effect on confidentiality of the Data is minimal to minor and does not include compliance issues.  Access to, and management of Internal Use Only Data requires authorization and is only granted to those Data Users as permitted by contract, rule, policy, functional role, or need-to-know. Data that would fit into this classification includes, but is not limited to:

  • Routine non-public business records or reports
  • Budget information
  • Purchase requisitions
  • University insurance records
  • Routine email or internal communications not containing Private or Restricted information
  • Calendar information not containing Private or Restricted information
  • Meeting notes not containing Private or Restricted information
  • Draft or unpublished research papers using publicly available data
  • Non-public policies and procedures
  • Fundraising data
  • Opinion polls or questionnaires
  • Building floor plans showing egress routes and shelter areas    

Private

Private data is classified as private due to legal, regulatory, administrative, or contractual requirements; intellectual property or ethical considerations; strategic or proprietary value; and/or other special governance of such data. Access to, and management of private data requires authorization and is only granted to those data users as permitted under applicable law, regulation, contract, rule, policy, functional role, or need-to-know. The effect on confidentiality of Private Data is moderate. Data that would fit into this classification includes, but is not limited to:

  • Intellectual Property not intended for public disclosure
  • Any information protected by a non-disclosure agreement (NDA)
  • Tennessee Unique ID
  • Employee/Faculty/Staff performance reviews
  • Faculty tenure recommendations
  • Security camera recordings
  • Donor contact information and non-public donation amounts
  • Non-public law enforcement information
  • FERPA protected academic records (eg., Grades, transcripts, GPA)
  • FERPA Student Directory Information (including students that have opted out)
  • Data flow and IT Network infrastructure diagrams
  • Internal IT configuration and operational data that could be leveraged by an attacker (eg., System configurations, internal IP ranges, firewall/router rules, ports and protocols in use, etc.)

Restricted

Restricted data is data that requires the highest level of protection due to legal, regulatory, administrative, contractual, rule, or policy requirements. Access to, and management of restricted data is strictly limited as unauthorized use or disclosure could substantially or materially impact the university’s mission, operations, reputation, finances, or result in potential identity theft. The effect on confidentiality of Restricted Data is severe. Data that would fit into this classification includes, but is not limited to:

  • Personally Identifiable Information (PII)
  • Sensitive Identifiable Human Subject Research Information (Human Subject)
  • Government-issued ID numbers (Social Security Number, Driver’s License Number, VISA, etc.)
  • General Data Protection Regulation (GDPR)
  • Personal Information Protection Law of the People’s Republic of China (PIPL)
  • Payment Card Industry (PCI) Data
  • Financial account numbers such as banking or investment account numbers
  • Protected Health Information (PHI) per the Health Insurance Portability and Accountability Act (HIPAA)
  • Biometric information
  • Gramm–Leach–Bliley Act (GLBA) Title IV loan information
  • Authentication credentials or system integration credentials (eg. Passwords, PIN numbers, access control information, etc.)
  • Controlled Unclassified Information (CUI)
  • Export-Controlled Information (ITAR, EAR)

Any data that has not been classified by the Data Owner, legal, regulatory, administrative, contractual, rule, or policy requirements will be treated as Private until it is properly classified. For more information, refer to the Data Categorization Policy IT005.

Print Article