Data Classification Guidance

Data classification helps an organization understand the value of its data and identify which data is more sensitive. In the context of cybersecurity it implies the level of caution and care that should be applied, because not all data is the same. The more sensitive the data, the more cautious you must be about sharing it with others and the more protections it needs to safeguard it from mishandling or misuse.

Vanderbilt University has a Data Classification Policy that has categorized VU data into 4 levels based on the amount of negative impact it poses to the university should it be accessed, altered, or destroyed by an unauthorized individual. This table is a supplement to the policy and is intended to help VU community members understand the differences in classification levels. It is also intended to help guide data owners for labeling their data by providing descriptions and illustrative examples. If you are not sure which classification level your data falls in or have questions about data handling, contact datagovernance@vanderbilt.edu.

When talking about data, descriptive terms such as "sensitive", "confidential", "restricted", etc. may be used interchangeably. It is worth noting that while they are similar, there are small nuanced differences. Sensitive could be considered an umbrella term for all data that is meant to be non-public. Confidential (private to you or VU) would be one specific type of sensitive data and restricted (covered by regulation or contract) another type. They are both sensitive, but the latter is more so because of its legal implications.

	Non-sensitive		Sensitive
Classification	Level 1 Public	Level 2 Institutional Use Only	Level 3 Restricted	Level 4 Critical
Description	Intended for public release or distribution.	Private to V and should not be available to the non-VU individuals without permission.	Confidential by law or contract, or should not be shared with unauthorized persons.	Confidential by law or contract, and requires bespoke security requirements.
Risk Exposure	Little or no risk	Heightened level of risk (e.g., would result in diminished competitive advantage or reputation)	Significant level of risk (e.g., has increased legal implication)	Severe level of risk (e.g., hefty fines, cost-restrictive security implementation)
Examples	News Course catalogs Job postings Directory info General info that is openly shared	Non-public contracts Internal budgets, blueprints, plans Unpublished research data Aggregated internal data about people	Authenticators and verifiers Donors and donation info Confidentiality or Non-Disclosure Agreements (CDA, NDA) Personally Identifiable Information (PII) Family Educational Rights and Privacy Act (FERPA) Protected Health Information (PHI, HIPAA) General Data Protection Regulation (GDPR) Data Use Agreement (DUA)	Payment Card Industry (PCI) Gramm Leach Bliley Act (GLBA) Controlled Unclassified Information (CUI) Export controlled information Non-public law enforcement records created by VUPD
Access	General public	Vanderbilt personnel only	Specific Vanderbilt personnel	Specific Vanderbilt personnel
File Storage Recommendations* *Based on Cybersecurity initial assessment. Additional storage solution assessments are underway (e.g., ACCRE).	All information systems	All Vanderbilt University owned information systems	VUIT Issued Workstations VUIT Managed: MS OneDrive MS SharePoint MS Teams MS Azure Box AWS For compliance or regulatory data, please contact Cybersecurity for further consultation	Determined on a case by case basis Due to the criticality and sensitivity level, we recommend you contact the Office of Cybersecurity for the appropriate storage solutions.