These are concise definitions. For detailed classifications, please refer to the Information Technology Services Asset Management policy.
Information that is considered personally identifiable or sensitive scientific or sponsored project information. Access to this information is tightly restricted based on legal requirements and the concept of “need to know”.
Critical information currently includes (but is not limited to):
- Health information protected by HIPAA
- The first name (or first initial) and last name of an individual, along with one or more of the following:
- Social security number
- Driver's license number or state identification card number
- Passport number
- Financial account number, credit card number, or financial account access codes
Information used for the purpose of conducting University business -- the disclosure, alteration, or destruction of which could result in a moderate level of risk to the University. Information that is not explicitly classified as Critical or Public is treated as Institutional.
Institutional information currently includes (but is not limited to):
- Student record information protected by FERPA
- Health records maintained in student files (these are protected by FERPA, not HIPAA)
- Health information not protected by HIPAA
Information made freely available to the public, or if disclosed, is not expected to cause harm to ISU or any associated individual.