WVSOM has categorized its data and information systems into risk levels of sensitivity for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access.
Accurate categorization provides the basis to apply an appropriate level of security to institutional data. These categorizations take into account the legal protections (by statute, regulation, or by the data subject’s choice), contractual agreements, ethical considerations, or strategic or proprietary worth.
Low level of sensitivity
Data in the public categorization is not considered confidential; it may be granted to a requestor and made accessible to the public, and it represents the lowest risk. Any loss of availability, integrity, and confidentiality would not be detrimental to the finances, safety, reputation or mission of WVSOM. However, the integrity of public data must be protected and maintained, and replicating the data requires the appropriate authorization from the owner of the data.
Internal Data, moderate level of sensitivity
Data in the private categorization is proprietary to WVSOM and may carry other privacy and ethical considerations, but it is not necessarily subject to a direct compliance requirement (statutory, regulatory or legal) requiring protection; it presents moderate risk. The loss of availability, integrity and confidentiality could have a mild impact on the finances, safety, reputation or mission of WVSOM. Access to data in the private categorization should be reserved for WVSOM personnel whose job function gives them a relevant business purpose for accessing it.
Confidential, highest level of sensitivity
The restricted data categorization is applied to the most confidential data elements, which are protected by statutes, policies and regulations (FERPA, HIPAA, PCI DSS), and presents the highest risk. It may include data that is not covered by statute but that the WVSOM data administrators and owners have deemed to require restricted access. The loss of availability, integrity, and confidentiality could have a substantial, negative impact on WVSOM and its finances, safety, reputation or mission.
Use the examples below to determine which data categorization standard is appropriate for a particular type of data. When mixed data falls into multiple categories or has multiple levels of sensitivity, use the categorization with the highest sensitivity level across all.
An application is defined as software running on a server that is network accessible or installed on a local machine.
A server is defined as a host that provides a network accessible service.
WVSOM Information Technology Department has put together a list of approved services and associated categories (login required).