Information Technology, Documents, & Records
Data Risk Classification Guidelines
Carleton College is committed to protecting the privacy of its students, alumni, parents, faculty, staff, and all affiliated entries, as well as protecting the confidentiality, integrity and availability of information important to the College’s mission. Carleton has classified its information assets into risk based categories for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access.
Special note regarding Generative AI: Although some providers claim they won’t incorporate user data into their learning model, it is advisable and considered best practice to avoid putting any medium- or high-risk data into an AI platform, such as ChatGPT and Google Bard.
Special note to Carleton researchers: Except for regulated data such as Protected Health Information (PHI), Social Security Numbers, and financial account numbers, research data and systems predominately fall into the Low Risk classification. Review the classification definitions and examples below to determine the appropriate risk level to apply.
- Data Risk Classification Examples
- Application Risk Classification Examples
- Server Risk Classification Examples
- End-Point Risk Classification Examples
Data and systems are classified as Low Risk if they are not considered to be Medium or High Risk, and the data is intended for public disclosure.
Data systems are classified as Medium Risk if they are not considered to be High Risk, and the data is not generally available to the public, which includes data whose loss could have an impact on the College’s mission, safety, finances or reputation.
Data and systems are classified as High Risk if protection of the data is required by law/regulation or if Carleton is required to self report to the government and/or provide notice to the individual if the data is inappropriately accessed.
Data Risk Classification Examples
Use the examples below to determine which risk classification is appropriate for a particular type of data. When mixed data falls into multiple risk categories, use the highest risk classification across all.
- Research data (at data owner’s discretion)
- Carleton Network ID’s
- Information authorized to be available on or through Carleton’s website without Carleton Network ID authentication
- Policy and procedure manuals
- Job postings
- College contact information in the Carleton Directory
- Information in the public domain
- Publicly available campus maps
- Unpublished research data (at data owner’s discretion)
- Student records and admission applications
- Grades and other student work product
- Faculty/staff employment applications, personnel files, benefits, salary, birth date, personal contact information
- Non-public Carleton policies and policy manuals
- Non-public contracts
- Carleton internal memos and email, nonpublic reports, budgets, plans, financial information
- College and employee ID numbers
- Project/task/award (PTA) numbers
- Engineering design and operational information regarding Carleton infrastructure
- Licensed software & software license keys
- Donor contact information and nonpublic gift information
- Health information, including Protected Health Information (PHI)
- Health Insurance policy ID numbers • Social Security Numbers
- Credit card numbers
- Financial account numbers
- Information covered by U.S. export laws
- Driver’s license numbers
- Passport and Visa numbers
- Passwords and Security keys
Application Risk Classification Examples
An application is defined as software running on a server that is network accessible and that stores, processes or transmits College data. When mixed data falls into multiple risk categories, use the highest risk classification across all.
- Applications handling Low Risk Data
- Online maps
- College online catalog displaying academic course descriptions
- Bus schedules
- Applications handling Medium Risk Data
- Human Resources application that stores salary information
- Directory containing phone numbers, email addresses, and titles
- College application that distributes information in the event of a campus emergency
- Online application for student admission
- Application collecting personal information of donor, alumnus, or other individual
- Applications handling High Risk Data
- Human Resources application that stores employee SSNs
- Application that stores campus network node information
- Application that processes credit card payments
Server Risk Classification Examples
A server is defined as a host that provides a network accessible service. When mixed data falls into multiple risk categories, use the highest risk classification across all.
- Servers used for research computing purposes that do not involve Medium or High risk data
- Servers with potentially lower response time for parts replacement
- For example: File server used to store published public data, database server containing Network ID’s only
- Servers handling Medium Risk Data
- Servers with industry standard practices for patching and monitoring
- For example: for systems that store student records, salary and other financial information and nonpublic College contracts
- Servers handling High Risk Data
- Servers with the highest level of restricted access, fail-over and monitoring
- For example: for hosting College email systems, Active Directory and Domain Name Server (DNS)
End-Point Risk Classification Examples
An end-point computer is a device that community members use to access College data. When mixed data falls into multiple risk categories, use the highest risk classification across all.
- End-point computers in public / shared locations
- Unprotected mobile devices
- College-owned and personally-owned computers
- Encrypted or unencrypted desktop or laptop computers
- Mobile devices with pin code (and two-factor)
- College-owned computers and fully patched and protected personal computers.
- Encrypted desktop or laptop computers
- End-point computers with login password and auto-screen lock
- College-owned computers (i.e. high risk data should not be synced to personal computers).
This chart is intended to be a general guide to direct users to appropriate data storage solutions. The list does not include all campus applications nor does it provide all information needed to store data in these applications securely. A procedural document is available from Information Technology Service (ITS)2 .
If your service is not listed consider it available for LOW RISK data only.
In addition to the services detailed below, Carleton College contracts for storage of medium to high risk data in specialized third party products such as Colleague, Slate and Advance.
Any Carleton or non-Carleton desktop or portable device or system
(i) A credit card primary account number (PAN) has no more than the first six and the last four digits intact, and
(ii) all other Prohibited or Restricted numbers have only the last four intact.
The National Institute of Standards and Technology (NIST), develops and promotes cryptographic standards that enable U.S. Government agencies and others to select cryptographic security functionality for protecting their data. Encryption which meets NIST-approved standards is suitable for use to protect Carleton’s data if the encryption keys are properly managed. In particular, secret cryptographic keys must not be stored or transmitted along with the data they protect. Cryptographic keys have the same data classification as the most sensitive data they protect.
Payment Card Industry Data Security Standards
The practices used by the credit card industry to protect cardholder data. The Payment Card Industry Data Security Standards (PCI DSS) comprise an effective and appropriate security program for systems that process store, or have access to Carleton’s Prohibited or Restricted data. The most recent version of the PCI DSS is available here https://www.pcisecuritystandards.org/pci_security/
Protected Health Information (PHI)
All individually identifiable information that relates to the health or health care of an individual and is protected under federal or state law. For questions about whether information is considered to be PHI, contact the College’s HIPAA Officer.
A computing device located in a secure Carleton facility and with access control protections that meet current Payment Card Industry Data Security Standards.
Information required to be maintained as non-public by the Family Educational Rights and Privacy Act (FERPA) Student Records include Carleton-help student transcripts (official and unofficial), and Carleton-held records related to (i) academic advising (ii) health/disability, (III) academic probation and/or suspension, (iv) conduct (including disciplinary actions), and (v) directory information maintained by the Office of the Registrar and requested to be kept confidential by the student. Application for student admission are not considered to be Student Records unless and until the student attends Carleton.
Who do I contact for questions?
|FERPA Compliance Student Records
|Submit help request https://apps.carleton.edu/campus/registrar/
|Employee Records, including PHI
|PCI-DSS (credit cards)
|PHI (health info)
|Student Health & Counseling
|Title IX Records
|Title IX Coordinator
|Research Subject Data
|Institutional Review Board
|CTO or Information
Suspected Information Security Incident
Information Technology Services: X 5999 or firstname.lastname@example.org
Report Lost or Stolen Device
Information Security Officer: X 5999 or email@example.com
Campus Security https: X 4444
Policy creation date: August 2016
Last Revised: August 29, 2023
Last Reviewed: August 29, 2023
Maintained by: Information Technology Services