Institutional Information and Research Data Categorization Examples


This is draft documentation. We are actively developing this content and are soliciting feedback on it.

Information is valued using considerations such as who can see it (confidentiality), who can change it (integrity), and whether it is accessible when needed (availability). At UMass Amherst, institutional information and research data is categorized as High, Moderate, Low, or Not Applicable (N/A). Each category denotes a distinct level of sensitivity and carries specific security controls, including access, storage, and handling requirements.

This page provides examples of the categories and the baseline security controls that apply to each category. It is not intended as an exhaustive list of information and data types or of the control standards for each category.

The categorization and specific control requirements for information and data are defined by the Data Stewards.

High

Institutional information and research data is categorized as High when the potential impact due to the loss, exposure, or unauthorized use would have a severe or catastrophic adverse effect on the University.

Examples of institutional information and research data with a categorization of High include:

Medical records
PHI (Protected Health Information) as defined under HIPAA/HITECH (Health Insurance Portability and Accountability Act / Health Information Technology for Economic and Clinical Health Act)

Personal information
(under M.G.L. c. 93H, the Massachusetts data breach law)

An individual's name in combination with:

Financial information

Protected Research Data
Research data that has specific compliance requirements under law, regulation, data use agreements, research contracts, etc.

Security controls for High

Institutional information and research data categorized as High shall be protected at a minimum with the Foundational Information Security Controls, including encryption at rest and in transit. Additional controls may be specified by law, regulation, data use and research agreements, and the Data Stewards.

Moderate

Institutional information and research data is categorized as Moderate when the potential impact due to the loss, exposure, or unauthorized use would have a significant adverse effect on the University.

Examples of institutional information and research data with a categorization of Moderate include:

Education records
(under FERPA, the Family Educational Rights and Privacy Act):
Any current or past student's:

Under University policy: 

Financial records
Under the Fair and Accurate Credit Transactions Act (FACTA) and the Gramm–Leach–Bliley Act (GLB):
Students' or parents' financial records, including names, addresses, phone numbers, etc., as they relate to student financial aid information.

ID Information
Under University policy:

Protected Research Data

Research data that has specific compliance requirements under law, regulation, data use agreements, research contracts, etc. The same description appears under High; the Data Stewards determine which category applies to a given data set based on the specific requirements attached to it.

Security controls for Moderate

Institutional information and research data categorized as Moderate shall be protected at a minimum with the Foundational Information Security Controls. Additional controls may be specified by law, regulation, data use and research agreements, and the Data Stewards.

Low

Institutional information and research data is categorized as Low when the potential impact due to the loss, exposure, or unauthorized use would have a minimal adverse effect on the University.

Examples include:


Security controls for Low

Institutional information and research data categorized as Low shall be protected at a minimum with the Foundational Information Security Controls. Additional controls may be specified by law, regulation, data use and research agreements, and the Data Stewards.

Not applicable (N/A)

A Not Applicable (N/A) confidentiality categorization of institutional information and research data refers to public information that the University has no legal, regulatory, policy, or contractual obligation to keep confidential. This categorization addresses confidentiality only; it says nothing about the integrity or availability requirements for the information.

Examples include: