Use these criteria to determine which data classification is appropriate for a particular information or infrastructure system. A positive response to the highest category in any row is sufficient to place that system into that classification. E-mail should be classified by the data or information contained therein. For example, e-mails that relate to specifically identified students must be kept as confidential education records. Each user should protect their e-mails as required under PS-107 and the “Use of E-Mail” policy.
Note: If you are creating a new information system that will store or handle Confidential Data, you must inform the IT Security & Policy Office.
| Data Type | Legal Requirements | Reputation Risk | Other Institutional Risk | Access | Examples |
|---|---|---|---|---|---|
| Confidential Data | Protection of data is required by law (i.e. HIPAA, FERPA, GLBA, etc.) | High | Information which provides access to resources, physical or virtual | Only those individuals designated with approved access, signed non-disclosure agreements, and a need-to-know | |
| Private Data | LSU has a contractual obligation to protect the data | Medium | Smaller subsets of protected data from a school or department | LSU employees and non-employees who have a business need-to-know | |
| Public Data | Protection of data is at the discretion of the owner or custodian | Low | General University information | LSU affiliates and general public with a need-to-know | |