Data Classification Guidance

Data classification helps an organization understand the value of its data and identify which data is more sensitive. In the context of cybersecurity it implies the level of caution and care that should be applied, because not all data is the same. The more sensitive the data, the more cautious you must be about sharing it with others and the more protections it needs to safeguard it from mishandling or misuse.

Vanderbilt University has a Data Classification Policy that categorizes VU data into 4 levels based on the amount of negative impact it would pose to the university should it be accessed, altered, or destroyed by an unauthorized individual. This table is a supplement to the policy and is intended to help VU community members understand the differences between classification levels. It is also intended to guide data owners in labeling their data by providing descriptions and illustrative examples. If you are not sure which classification level your data falls into or have questions about data handling, contact datagovernance@vanderbilt.edu.

When talking about data, descriptive terms such as "sensitive", "confidential", "restricted", etc. may be used interchangeably. It is worth noting that while they are similar, there are small nuanced differences. Sensitive could be considered an umbrella term for all data that is meant to be non-public. Confidential (private to you or VU) would be one specific type of sensitive data and restricted (covered by regulation or contract) another type. They are both sensitive, but the latter is more so because of its legal implications.

Applying Data Classification in Microsoft Tools

To learn how to best apply Data Classification labeling in Microsoft tools, please download the MS File Sensitivity Labeling Guide.

 

 Non-sensitive Sensitive 
| Classification | Level 1 Public | Level 2 Institutional Use Only | Level 3 Restricted | Level 4 Critical |
| --- | --- | --- | --- | --- |
| Description | Data that is intended for public release or distribution. | Data that is private and should not be available to non-VU individuals without permission. | Data that must be kept confidential by law or contract, or should not be shared with unauthorized persons. | Data that is protected by regulation and requires bespoke security implementation. |
| Risk Exposure | Little or no risk to the University | Heightened level of risk to the University | Significant level of risk to the University | Severe level of risk to the University |
Examples
  • News
  • Course catalogs
  • Job postings
  • Directory info
  • Info on a public website
  • General info that is openly shared

File Storage Recommendations*

*Based on Cybersecurity initial assessment. Upon completion of formal assessment, approved solutions will be provided.

Assessment of additional storage solutions is underway (e.g., ACCRE) and recommendations will be updated once complete.

All Vanderbilt University owned information systems

All Vanderbilt University owned information systems

VUIT Issued Workstations (Windows and MacOS)

VUIT Managed:

For compliance or regulatory data, please contact Cybersecurity for further consultation.

Due to the criticality and sensitivity level, we recommend you contact the Office of Cybersecurity for the appropriate storage solutions.