»Data Risk Classification

Chapman is working on classifying our information assets into risk-based categories to assist our community with understanding how to identify and manage data, to protect against unauthorized access.

End-user Self Assessment

End-user self assessment is key.

Toggle Section

Defines the Risk Framework for classifying Chapman data which is a combination of:
- Regulatory requirements - PII, FERPA, HIPPA, PCI, FISMA etc.
- Impact to the University mission, safety, finances or reputation
Easy for end-user to self-assess data risk and determine appropriate technical resources to use
Allow for advance planning for working with research projects and cloud providers

Self-assess using the Framework
Use appropriate IS&T service
Contact either Legal or IS&T department for more detail

LOW Risk - Public
MODERATE Risk
HIGH Risk

- The data is intended for public disclosure
- The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on our mission, safety, finances or reputation. Examples:
  - Published Research data (at data owner's discretion)
  - Information authorized to be available on or through Chapman's website without Chapman ID authentication
  - Policy and procedure manuals designated by the owner as public
  - Job postings
  - Information in the public domain
  - Publicly available campus maps
- The data is not generally available to the public
- The loss of confidentiality, integrity or availability of the data or system could have a mildly adverse impact on our mission, safety, finances or reputation.
  Examples:
  - Unpublished research data (at data owner's discretion)
  - Student records and admission applications
  - Faculty/staff employment applications, personnel files, benefits, salary, personal contact information
  - Non-public Chapman policies and policy manuals
  - Non-public contracts
  - Chapman internal memos and email, non-public reports, budgets, plans, financial info
  - University and employee ID numbers
  - Engineering, design, and operational information regarding Chapman infrastructure
- Protection of the data is required by law/regulation
- Chapman is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed
- The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.
  Examples:
  - Health Information, including Protected Health Information
  - Health Insurance policy ID numbers
  - Social Security Numbers
  - Credit card numbers
  - Financial account numbers
  - Export controlled information under U.S. laws
  - Driver's license numbers
  - Passport and visa numbers
  - Donor contact information and non-public gift information
  - Information required to be kept confidential by a Non-Disclosure Agreement or terms of a contract

Certified Use of Chapman Software Products

See products listed in the chart below for a definition of their certified for use for various levels of sensitive data.

PRODUCT	HIGH RISK DATA	MODERATE RISK DATA	LOW RISK DATA
Dropbox	NO
OneDrive*
Google Drive	NO
Network Share
CrashPlan

When reviewed and approved by IS&T. Contact infosec@chapman.edu for assistance.
To see the list of approved AI software and their data classification, please visit the AI Hub.

»Data Risk Classification

End-user Self Assessment

Purpose

Your Steps to Take

Data Risk Classifications at Chapman University

Certified Use of Chapman Software Products