Carnegie Mellon University
October 02, 2015

What is Data Classification?

Data classification organizes institutional data into categories based on level of sensitivity, value and criticality to the University if the data is disclosed, altered or destroyed without authorization.

There are designated individuals at Carnegie Mellon with the Data Steward role. These individuals classify institutional data into three categories: public, private and restricted. It is important to know the type of data you interact with to understand your role in its protection.

Public Data
Public data has no restrictions on reading and sharing. It includes information like website content, program and course details or marketing materials. There is no risk to the University should this data be exposed.  

Private Data
Unauthorized exposure of private data could negatively affect the University and is considered a moderate risk. For this reason, only authorized individuals should access private data. Examples of private data include business partner agreements or contracts.

Restricted Data
Unauthorized disclosure of restricted data poses a high risk to the University, with potential exposure to financial or legal risks. Education records, credit cards, Protected Health Information (PHI), and Personally Identifiable Information (PII) are examples of restricted data.

Carnegie Mellon has established high-level security and privacy controls to protect restricted data from unauthorized disclosure, alteration or destruction. Access to this data should be limited to an individual or a group on a need-to-know basis. 

University employees working with or managing systems with private and restricted data should take the protective measures found in the Guidelines for Data Protection to secure the information from unauthorized disclosure. These include the use of strong passwords, requesting permission to grant access, physical security and proper disposal of data.

The best strategy for protecting University data is to understand and take responsibility for the type of data you handle. Pay attention to security warnings and announcements and be aware of suspicious emails. Continue to be vigilant about patching, scanning your system for viruses, and managing your passwords.

If you suspect a data compromise, contact the Information Security Office’s incident response team at iso-ir@andrew.cmu.edu immediately.

You can learn more about Data Classification and Data Protection guidelines at http://www.cmu.edu/iso/.