The following examples of high, moderate and low risk data supplement those provided in the Data Security Standard.
High Risk Data
Examples
- Information covered by laws and regulations governing the protection of university data resources, including, but not limited to:
  - Personally identifiable information (PII)
  - Payment Card Industry Data Security Standard (PCI DSS) - credit card information
  - Family Educational Rights and Privacy Act (FERPA) - student educational information
  - Health Insurance Portability and Accountability Act (HIPAA) - personal health information
  - 15 U.S.C. 6801, implemented by 16 CFR Part 314, The Gramm Leach Bliley Act (GLB Act) - customers’ personal financial information
  - Controlled Unclassified Information (CUI)
  - Chapter 119.071, Florida Statutes - Florida Public Records
  - Chapter 501.171, Florida Statutes - Florida Information Protection Act 2014 (FIPA)
- Vulnerability, security, or configuration information related to a campus information system, network or physical security system (F.S. 1004.055)
- Information relating to the security of the university’s technologies, processes and practices designed to protect networks, computers, data processing software and data from attack, damage or unauthorized access
- Those portions of risk assessments, evaluations, audits and other reports of the university’s information technology security program for its data, information and information technology resources which are held by the university, if the disclosure of such records would facilitate unauthorized access to or the unauthorized modification, disclosure or destruction of:
  - University assets
  - Data or information, whether physical or virtual
  - Information technology resources, which include information relating to the security of the university’s technologies, processes and practices designed to protect networks, computers, data processing software and data from attack, damage or unauthorized access; or security information, whether physical or virtual, which relates to the university’s existing or proposed information technology systems (F.S. 1004.055)
- Information associated with a campus emergency response
  Campus emergency response is defined as the university’s response to or plan for responding to an act of terrorism or other public safety crisis or emergency (F.S. 1004.0962)
- Records held by the university which identify detection, investigation or response practices for suspected or confirmed information technology security incidents, including suspected or confirmed breaches, if the disclosure of such records would facilitate unauthorized access to or unauthorized modification, disclosure or destruction of information assets (F.S. 1004.055)
- Employee records designated as “Limited-Access Records” by the FSU Board of Trustees (F.S. 1012.91)
- Personal information on FSUPD law enforcement officers, their families and other protected employees as defined by F.S. 119.071
- Information processing software obtained under licensing agreement prohibiting its disclosure and where software is a trade secret (F.S. 1004.055)
- Vendor employer identification number, bank information, sealed bids, proposals or replies pursuant to competitive solicitation (F.S. 119.071)
- Information obtained by FSU from third parties under non-disclosure agreements or any other contract that designates third party information as confidential (Contracts, Laws)
- Restricted-use contractual information
- Research datasets with sensitive and/or private information provided under special agreement with a federal, state or private entity (OMB Circular A-110, Contract)
- Research information related to sponsorship, funding, human subject, etc.
- Research information and results designated in contracts as controlled unclassified information (CUI)
- Electronically stored biometric information (F.S. 119.071)
- Research datasets subject to International Traffic in Arms Regulations or Export Administration Regulation restrictions (ITAR, EAR)
- Information concerning human research subjects (Public Law 93-348)
- Unpublished grant proposals and unpublished research information (Contract, Laws)
- Unpublished manuscripts and correspondence (Contract, Laws)
- Covered defense information as defined in Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7008 - Compliance with Safeguarding Covered Defense Information Controls and Sub-Contract Clause Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 - Safeguarding Covered Defense Information and Cyber Incident Reporting; includes information identified as controlled technical information (CTI) and controlled unclassified information (CUI)
- Information and systems controlled under the Federal Acquisition Regulations (FAR) 52.204-21 contract clause
- Information and systems designated in contracts and grants as Federal Information Security Modernization Act (FISMA) Low, FISMA Moderate or FISMA High
- All FSU attorney-client communications and university attorney work product (F.S. 119.071)
- Non-public donor and alumni information
- Select data items of a student’s educational record not classified as directory information by the university, the educational record of a student who files a written request to block the release of their directory information or as stipulated under the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99). Education records are records that are directly related to a student and that are maintained by the university or a party acting for or on behalf of the university. FERPA provisions extend to the educational records of currently or formerly enrolled students, regardless of their age or parental-dependency status. However, FERPA does not extend to deceased students or students who have applied to FSU but have not attended any classes.
Examples of a student’s educational record considered "non-Directory" information by the university at the time of publishing these guidelines include, but are not limited to:
- FSUID
- FSUSN
- Coursework
- Transcripts, defined as any cumulative listing of a student’s grades
- Graded work, grade book, etc.
- Student and Exchange Visitor Information System (SEVIS) number
Information is subject to change. Refer to the FSU Registrar’s website for a current list of data items declared as directory information by the university.
Moderate Risk Data
Examples
- Email correspondence
- Budgetary, departmental or university planning information
- University investment information
- Library transactions (e.g., circulation, acquisitions)
- Private funding information
- Course evaluations
- De-identified information used in research
- Information from research germane to intellectual property not categorized as high risk
- Other information specifically designated as moderate risk by the university
Low Risk Data
Examples
- Financial information on public sponsored projects
- Published research
- Public use information
- Directories
- Maps
- Faculty or staff information not protected under F.S. 119.071, including:
  - EMPLID
  - FSUSN
  - Name
  - Email address
  - Title
  - Department
  - Listed telephone number(s)
- Student information elements classified as directory information by the FSU University Registrar. (Exclusion applies for students who file a “Request to Prevent Release or Publication of Directory Information” with the Office of Admissions; these students retain FERPA protections over selected directory information. Refer to the FSU Office of the University Registrar website for a current list of FERPA directory information.)
  - Name
  - Date and place of birth
  - Address
  - Student email address
  - Telephone number (if listed)
  - Classification
  - Major
  - Participation in official university activities and sports
  - Weight and height of athletic team members
  - Dates of attendance
  - Degrees, honors and awards received
  - Most recently attended educational institution
  - Digitized FSU Card photo
  - EMPLID