STANFORD UNIVERSITY

INTERNAL AUDIT & INSTITUTIONAL COMPLIANCE

Stanford University Data Classification

Introduction

Use these criteria to determine which data classification under Administrative Guide Memo #63, Information Security, is appropriate for a particular information or infrastructure system.  A positive response to the highest category in any row is sufficient to place that system into that Classification.

PLEASE NOTE: In case of a suspected Information Security Incident as described in the Information Security Incident Response Policy, AGM #67, involving any of the following items, the University’s Information Security Office (Report an Incident) must be contacted immediately:

  • Social Security Numbers
  • Credit Card Numbers
  • Bank Account Numbers
  • Driver's License Numbers
All new information systems that store, handle or process Restricted Data should be assessed by a formal Information Security Assessment.

Data Classification Matrix

Classifications
  • Restricted Data (highest, most sensitive)
  • Sensitive Data (moderate level of sensitivity)
  • Public Data (low level of sensitivity)

Legal requirements
  • Restricted Data: Protection of data is required by federal or state law/regulations (e.g., see list of specific HIPAA and FERPA data elements) or University contracts (i.e. protected credit card information)
  • Sensitive Data: Data whose loss, corruption or unauthorized disclosure does not necessarily result in any business, financial or legal loss, but which the University deems critical to business operations
  • Public Data: Protection of data is at the discretion of the owner or custodian

Reputation risk
  • Restricted Data: High
  • Sensitive Data: Medium
  • Public Data: Low

Other Institutional Risks
  • Restricted Data: Information which involves issues of personal privacy, or may impair the academic, research or business functions of the University, including access to physical or virtual resources
  • Sensitive Data:
    • Smaller subsets of protected data from a school or department
    • Information that Stanford has an ethical responsibility to protect
  • Public Data: General university information

Access
  • Restricted Data: Only individuals designated with approved access and signed non-disclosure agreements
  • Sensitive Data: Stanford employees and non-employees who have a business need to know
  • Public Data: Stanford affiliates and general public with a need to know

Examples
  • Restricted Data:
    • Medical
    • Students
    • Prospective students
    • Personnel
    • Donor or prospect
    • Financial
    • Contracts
    • Physical plant detail
    • Credit card numbers
    • Certain management information
    • See below for more specific examples
  • Sensitive Data:
    • Information resources with access to restricted data
    • Research detail or results that are not restricted data
    • Library transactions (e.g., catalog, circulation, acquisitions)
    • Financial transactions which do not include restricted data (e.g., telephone billing)
    • Information covered by non-disclosure agreements
  • Public Data:
    • Campus maps
    • Business contact data (e.g., directory information)
    • Email

More Specific Examples of Restricted Data

HIPAA - Protected Health Information

  • Patient names
  • Street address, city, state zip code
  • Dates (except year) for dates related to an individual
  • Telephone / facsimile numbers
  • E-mail, URLs, & IP address #s
  • Social security numbers
  • Account/Medical record numbers
  • Health plan beneficiary numbers
  • Certificates/license #s
  • Vehicle identification & serial numbers
  • Device identification & serial numbers
  • Biometric identifiers
  • Full face images
  • Any other unique identifying number, characteristic, or code
  • Payment guarantor's information
For more information, see Stanford's HIPAA web site.

FERPA - Student Records

  • Grades / transcripts
  • Class lists or enrollment information
  • Financial aid, grant or loan information
  • Athletics or departmental recruiting information
  • Student Financial Services information
    • Student tuition bills
    • Credit card numbers
    • Bank account numbers
    • Wire transfer numbers
    • Payment history
Note that the following data is considered directory information, and may ordinarily be revealed by the University without student consent unless the student designates otherwise.
  • Name
  • Date of birth
  • Place of birth
  • Directory addresses and telephone numbers
  • eMail addresses
  • Mailing addresses
  • Campus office address (for graduate students)
  • Secondary or permanent mailing addresses
  • Residence assignment and room or apartment number
  • Specific quarters or semesters of registration at Stanford
  • Stanford degree(s) awarded and date(s)
  • Major(s), minor(s), and field(s)
  • University degree honors
  • Student theses and dissertations
  • Participation in officially recognized sports or activities
  • Weight / height of members of athletic teams
  • Institution attended immediately prior to Stanford
  • ID card photographs for University classroom use
For more information, see Stanford's FERPA web page.

Donor Information

  • Donor name
  • Graduating class & degree(s)
  • Credit card information
  • Bank account numbers
  • Social security numbers
  • Amount / what donated
  • Telephone / facsimile numbers
  • Personal eMail or URL addresses
  • Employment information
  • Family information (spouse(s), children, grandchildren)
  • Medical history (alumni/family who have major medical procedures performed at Stanford Hospital / LPCH)

Employee Information

  • Name, in association with:
    • Social security number
    • Salary information
    • Bank account information
    • Date of birth
    • Home address or personal contact information
    • Driver's license information
    • Performance reviews
  • Benefits information related to:
    • Social security number
    • Medical information (see HIPAA above)
  • Worker's compensation or disability claims

Faculty / Staff Housing

Essentially all the information a Loan Broker would have for a home loan application, including:

  • Name / spouse
  • Social security numbers
  • Credit rating / history
  • Financial worth
  • Income levels / sources
  • Bank and financial account numbers
  • Debt and credit account information

Research Information

  • Private funding / sponsorship information
  • Human subject information
  • Lab animal care information
  • Stem cell information

Business Data

  • Credit card numbers (Please see Payment Card Industry information at PCI-DSS)
  • Bank or brokerage account numbers
  • Purchasing card (P-card) numbers
  • Social Security or other Taxpayer ID numbers (Stanford's Federal Employer ID number [FEIN] is not considered Restricted Data)
  • Privileged contract information (between Stanford and third parties)
  • Confidential legal information

Management Data

  • Detailed annual budget information
  • Faculty Annual Conflict of Interest Disclosures
  • University's investment information
  • Non-anonymous faculty course evaluations
Last modified Friday, 28-Mar-2008 06:04:50 PM