Data Classification Guidance

Data classification helps an organization understand the value of its data and identify which data is more sensitive. In the context of cybersecurity it implies the level of caution and care that should be applied, because not all data is the same. The more sensitive the data, the more cautious you must be about sharing it with others and the more protections it needs to safeguard it from mishandling or misuse.

Vanderbilt University has a Data Classification Policy that categorizes VU data into 4 levels based on the amount of negative impact it poses to the university should it be accessed, altered, or destroyed by an unauthorized individual. This table is a supplement to the policy and is intended to help VU community members understand the differences in classification levels. It is also intended to guide data owners in labeling their data by providing descriptions and illustrative examples. If you are not sure which classification level your data falls in or have questions about data handling, contact datagovernance@vanderbilt.edu.

When talking about data, descriptive terms such as "sensitive", "confidential", and "restricted" may be used interchangeably. It is worth noting that while they are similar, there are small, nuanced differences. Sensitive could be considered an umbrella term for all data that is meant to be non-public. Confidential (private to you or VU) would be one specific type of sensitive data and restricted (covered by regulation or contract) another type. They are both sensitive, but the latter is more so because of its legal implications.

Classification
  • Level 1 (non-sensitive): Public
  • Level 2 (sensitive): Institutional Use Only
  • Level 3 (sensitive): Restricted
  • Level 4 (sensitive): Critical

Description
  • Level 1: Intended for public release or distribution.
  • Level 2: Private to VU and should not be available to non-VU individuals without permission.
  • Level 3: Confidential by law or contract, or should not be shared with unauthorized persons.
  • Level 4: Confidential by law or contract and requires bespoke security requirements.

Risk Exposure
  • Level 1: Little or no risk
  • Level 2: Heightened level of risk (e.g., would result in diminished competitive advantage or reputation)
  • Level 3: Significant level of risk (e.g., has increased legal implication)
  • Level 4: Severe level of risk (e.g., cost-restrictive security implementation and heavy legal fines)

Examples
  • News
  • Educational or course material
  • Job postings
  • Directory info
  • Marketing material or info found on a website
Access
  • Level 1: General public
  • Level 2: Vanderbilt personnel
  • Level 3: Specific Vanderbilt personnel
  • Level 4: Specific Vanderbilt personnel

File Storage Recommendations*

*Based on Cybersecurity initial assessment.

Additional storage solution assessments are underway (e.g., ACCRE).

All information systems or IT assets

All Vanderbilt University owned information systems or IT assets

VUIT Issued Workstations

VUIT Managed:

For compliance or regulatory data, please contact Cybersecurity for further consultation

Determined on a case by case basis

Due to the criticality and sensitivity level, we recommend you contact the Office of Cybersecurity for the appropriate storage solutions.