Page Comparison

Data Risk Classification Category

Category 3 - Restricted

Minimum Security Standard

 800-53 High

Risk from Disclosure

Definition

• Protection of the data is required by law/regulation. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.
• Restricted data is defined using the definition of private information in the New York State Security and Breach Notification Act as a foundation: bank account/credit card/debit card numbers, social security numbers, state-issued driver license numbers, and state-issued non-driver identification numbers. To this list University policy adds protected health information (PHI), I.T. authentication credentials, and passport numbers.
• Restricted data may be exempt from disclosure/release under the New York State Freedom of Information Law (FOIL). The Information Security Breach and Notification Act requires the University to disclose any breach of the data affected individuals.

Examples

• Social security number (SSN)
• Driver license number
• State-issued non-driver ID number
• Bank/financial account number
• Credit/debit card number (CCN)
• Protected Health Information
• Passport number
• University I.T. authentication credentials that has access to any of the above data elements or systems that if compromised could have a significant adverse impact on our the mission, safety, finances, or reputation of the University.
• Documents protected by attorney-client privilege