Data Classification Workflow
This workflow process is used to determine how to classify a set of data. Navigate the workflow by answering the questions and locating the correct heading which matches how you answered each question. If you are unsure of any question, defer to either the "no" or "not sure" option.
If you have any questions about this workflow or the Data Classification process, please contact the Information Security Office at iso@andrew.cmu.edu. Let's begin.
The Data Steward of the data in question should complete this workflow. The Data Steward is a senior-level employee of the University who oversees the lifecycle of one or more sets of Institutional Data. If your name is on the Data Steward Matrix for this type of data then you can proceed to the heading 1A. If your name is not on the Data Steward Matrix you should consult with the Data Steward in order to complete the Data Classification Workflow. If there is not a Data Steward for the data in question or you are not sure if you are considered the Data Steward for this data, please proceed to the heading 1B.
1A.
If your name is on the Data Steward Matrix as the Data Steward for this type of data, ask yourself if the data is governed by any law or regulation, is governed by a data use or a confidentiality agreement, or if the data poses significant consequences to the University if exposed, altered, or destroyed. If you answered "Yes" to any of these questions then this data is considered Restricted. (Visit the Data Classification Guidelines to determine what "significant consequences" entails.)
1B.
If you are not the Data Steward for the type of data in question and are unable to identify the Data Steward for this type of data, ask yourself whether you created this data. If you answered "Yes" to this question, proceed to the heading 2A. If you did not create this data, proceed to the heading 2B.
2A.
If you created this data ask yourself if the data is governed by any law or regulation, governed by a data use agreement or confidentiality agreement, or would have significant consequences to the University if exposed, altered, or destroyed. If you answered "Yes" to any of these questions then this data is considered Restricted data. (If you are unsure, visit the Data Classification Guidelines to determine the meaning of "significant" consequences).
If the data in question is not governed by any law or regulation, does not have a confidentiality agreement, and does not have any significant consequences to the University if exposed, altered, or destroyed, you should proceed to the heading 3A.
2B.
If you did not create this data please consult with the Information Security Office to determine how to classify this data. The Information Security Office can be reached by email at iso@andrew.cmu.edu.
3A.
If this data is not governed by any law or regulation, is not governed by a data use agreement or confidentiality agreement, and does not pose significant consequences to the University if exposed, altered, or destroyed, then ask yourself if the data in question would have any moderate consequences to the University if exposed, altered, or destroyed. (If you are unsure, visit the Data Classification Guidelines to determine the meaning of "moderate" consequences.)
If the data does have moderate consequences to the University if exposed, altered, or destroyed then it can be classified as Private data. If the data does not have moderate consequences to the University if exposed, altered, or destroyed then it can be classified as Public data.
This concludes the Data Classification Workflow. If you still have questions about the workflow or classifying data please contact the Information Security Office by email at iso@andrew.cmu.edu.