{"id":9107,"date":"2025-06-10T17:46:44","date_gmt":"2025-06-10T21:46:44","guid":{"rendered":"https:\/\/www.trincoll.edu\/lits\/technology\/security\/best-practices\/data-classification-collaboration\/risk-classification\/"},"modified":"2025-06-10T18:05:16","modified_gmt":"2025-06-10T22:05:16","slug":"risk-classification","status":"publish","type":"page","link":"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/information-technology-policies-procedures\/data-classification-collaboration\/risk-classification\/","title":{"rendered":"Risk Classification"},"content":{"rendered":"

Risk Classifications<\/strong><\/h2>\n

Trinity College is committed to safeguarding the privacy of its students, alumni, faculty, and staff, and to ensuring the confidentiality, integrity, and availability of the information that supports and advances its educational mission.<\/p>\n

To uphold these commitments, Trinity classifies institutional information and data according to their risk level, enabling the implementation of appropriate handling, access, and protection measures in accordance with its legal, regulatory, and ethical responsibilities.<\/p>\n

This framework supports a culture of information security and responsible data stewardship across all members of the College community.<\/p>\n

Trinity College has classified its information assets into risk-based categories to determine who is authorized to access the information and what security measures must be taken to protect it against unauthorized access.<\/p>\n

\n
\n
\n
\n
\n

Low Risk<\/strong><\/h3>\n

Data and systems are classified as Low Risk when they do not fall under the Moderate or High Risk categories and meet at least one of the following criteria:<\/p>\n

    \n
  • \n

    The information is intended for public access or distribution.<\/p>\n<\/li>\n

  • \n

    A loss of confidentiality, integrity, or availability would result in no measurable impact on Trinity College\u2019s mission, operations, safety, finances, or reputation.<\/p>\n<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

    wModerate Risk<\/strong><\/h3>\n

    Data and systems are classified as Moderate Risk when they are not deemed High Risk\u00a0and meet one or more of the following criteria:<\/p>\n

      \n
    • \n

      The information is not publicly available and is intended for internal use only.<\/p>\n<\/li>\n

    • \n

      Unauthorized access, alteration, or unavailability could cause limited or short-term impact on the College\u2019s mission, operations, safety, finances, or reputation.<\/p>\n<\/li>\n<\/ul>\n

      Examples may include internal communications, data not subject to regulatory controls, or student work not governed by the Family Educational Rights and Privacy Act (FERPA).<\/p>\n

      High Risk<\/strong><\/h3>\n

      Data and systems are classified as High Risk if they meet any of the following conditions:<\/p>\n

        \n
      • \n

        Protection of the information is required by law or regulation (e.g., FERPA, HIPAA, GDPR).<\/p>\n<\/li>\n

      • \n

        Trinity College would be legally obligated to notify individuals or authorities in the event of unauthorized access or disclosure.<\/p>\n<\/li>\n

      • \n

        A breach or failure affecting confidentiality, integrity, or availability could result in significant harm to the College\u2019s mission, safety, finances, legal standing, or reputation.<\/p>\n<\/li>\n<\/ul>\n

        Examples include social security numbers, health records, financial account information, and other sensitive personally identifiable information (PII).<\/p>\n

        \n

        Data Risk Classification Examples<\/h2>\n

        Use the examples below to help determine the appropriate risk classification for specific types of data or systems. When handling datasets that include multiple types of information, always apply the highest applicable risk classification to ensure appropriate protection.<\/p>\n

        This approach helps safeguard data integrity, supports compliance with legal and institutional requirements, and reinforces Trinity College\u2019s commitment to responsible data management.<\/p>\n

        Low Risk<\/strong><\/h3>\n

        Data intended for public use, where unauthorized access would pose no impact on Trinity College\u2019s operations, compliance, or reputation.<\/p>\n

        Examples include:<\/p>\n

          \n
        • \n

          Trinity IDs or equivalent identifiers (when not linked to sensitive data)<\/p>\n<\/li>\n

        • \n

          Information publicly available on Trinity\u2019s website without authentication<\/p>\n<\/li>\n

        • \n

          Policy or procedure manuals explicitly marked for public distribution<\/p>\n<\/li>\n

        • \n

          Job postings<\/p>\n<\/li>\n

        • \n

          College contact information not marked as private by the individual<\/p>\n<\/li>\n

        • \n

          Content in the public domain<\/p>\n<\/li>\n<\/ul>\n

          Moderate Risk<\/strong><\/h3>\n

          Data not intended for public access, where unauthorized disclosure could cause limited or short-term impact to Trinity\u2019s operations, reputation, or compliance posture.<\/p>\n

          Examples include:<\/p>\n

            \n
          • \n

            Unpublished research data (at the discretion of the data owner)<\/p>\n<\/li>\n

          • \n

            Student academic records and admission applications<\/p>\n<\/li>\n

          • \n

            Faculty\/staff employment applications, personnel files, salary data, benefits information, date of birth, and personal contact details<\/p>\n<\/li>\n

          • \n

            Internal (non-public) policies and administrative documents<\/p>\n<\/li>\n

          • \n

            Non-public contracts and agreements<\/p>\n<\/li>\n

          • \n

            Internal communications, reports, budgets, and planning documents<\/p>\n<\/li>\n

          • \n

            Institutional or employee ID numbers<\/p>\n<\/li>\n

          • \n

            Engineering, design, or operational data related to campus infrastructure<\/p>\n<\/li>\n<\/ul>\n

            High Risk<\/strong><\/h3>\n

            Sensitive or regulated data, where unauthorized access or disclosure could result in significant harm to individuals or Trinity College, or where protection is required by law or regulation.<\/p>\n

            Examples include:<\/p>\n

              \n
            • \n

              Medical or health-related data, including Protected Health Information (PHI)<\/p>\n<\/li>\n

            • \n

              Health insurance policy numbers<\/p>\n<\/li>\n

            • \n

              Social Security numbers<\/p>\n<\/li>\n

            • \n

              Credit card or debit card numbers<\/p>\n<\/li>\n

            • \n

              Bank account numbers and financial routing information<\/p>\n<\/li>\n

            • \n

              Export-controlled research or data<\/p>\n<\/li>\n

            • \n

              Government-issued identification numbers (e.g., driver\u2019s license, passport, visa)<\/p>\n<\/li>\n

            • \n

              Donor contact information and confidential gift-related records<\/p>\n<\/li>\n<\/ul>\n

              \n

              Server Risk Classification Examples<\/h2>\n

              Low Risk<\/strong><\/h3>\n

              Systems that store or process only public information, and where a compromise would have no impact on Trinity College\u2019s operations, compliance obligations, or reputation.<\/p>\n

              Examples include:<\/p>\n

                \n
              • \n

                Research computing servers used exclusively with publicly available or low-risk data<\/p>\n<\/li>\n

              • \n

                File servers hosting publicly released datasets or documents<\/p>\n<\/li>\n<\/ul>\n

                Moderate Risk<\/strong><\/h3>\n

                Systems that store or process Moderate Risk data, where unauthorized access could cause limited or temporary harm to individuals or institutional operations.<\/p>\n

                Examples include:<\/p>\n

                  \n
                • \n

                  Servers managing internal or restricted (non-public) college data<\/p>\n<\/li>\n

                • \n

                  Databases containing confidential but non-regulated documents, such as internal contracts<\/p>\n<\/li>\n

                • \n

                  File servers storing non-public procedures, planning documents, or operational manuals<\/p>\n<\/li>\n

                • \n

                  Application or database servers housing student academic or admissions records<\/p>\n<\/li>\n<\/ul>\n

                  High Risk<\/strong><\/h3>\n

                  Systems that store or provide access to high-risk or regulated data, or are considered critical infrastructure. Compromise could result in significant institutional, legal, financial, or reputational harm.<\/p>\n

                  Examples include:<\/p>\n

                    \n
                  • \n

                    Servers storing or processing High Risk data such as PHI, Social Security numbers, or financial account information<\/p>\n<\/li>\n

                  • \n

                    Authentication servers or systems that control access to high-risk applications or data<\/p>\n<\/li>\n

                  • \n

                    College-wide or departmental email systems handling sensitive communications<\/p>\n<\/li>\n

                  • \n

                    Core infrastructure systems essential to Trinity\u2019s operations (e.g., identity and access management, network backbone, enterprise resource planning)<\/p>\n<\/li>\n<\/ul>\n

                    \n

                    Application Risk Classification Examples<\/h2>\n

                    Low Risk<\/strong><\/h3>\n

                    Applications that process or display public information, where compromise would have no adverse effect on Trinity College\u2019s mission, operations, or reputation.<\/p>\n

                    Examples include:<\/p>\n

                      \n
                    • \n

                      Applications handling only low-risk data<\/p>\n<\/li>\n

                    • \n

                      Online campus maps<\/p>\n<\/li>\n

                    • \n

                      Public academic catalog displaying course descriptions<\/p>\n<\/li>\n

                    • \n

                      Transit or shuttle schedule applications<\/p>\n<\/li>\n<\/ul>\n

                      Moderate Risk<\/strong><\/h3>\n

                      Applications that process non-public but unregulated information, where unauthorized access could cause a limited or temporary impact to individuals or the College.<\/p>\n

                      Examples include:<\/p>\n

                        \n
                      • \n

                        Applications handling Moderate Risk data<\/p>\n<\/li>\n

                      • \n

                        Human Resources applications storing salary, job titles, or contact information<\/p>\n<\/li>\n

                      • \n

                        Internal directory tools with employee phone numbers, email addresses, and positions<\/p>\n<\/li>\n

                      • \n

                        Campus emergency alert systems<\/p>\n<\/li>\n

                      • \n

                        Online application portals for student admissions or enrollment<\/p>\n<\/li>\n<\/ul>\n

                        High Risk<\/strong><\/h3>\n

                        Applications that store or process High Risk or legally regulated data, or where a breach could cause significant harm to individuals or to Trinity College\u2019s operations, finances, or legal standing.<\/p>\n

                        Examples include:<\/p>\n

                          \n
                        • \n

                          Applications handling high-risk data<\/p>\n<\/li>\n

                        • \n

                          Human Resources systems storing Social Security numbers or protected health information<\/p>\n<\/li>\n

                        • \n

                          Applications storing or managing sensitive network infrastructure details<\/p>\n<\/li>\n

                        • \n

                          Systems collecting or storing confidential donor, alumni, or constituent information<\/p>\n<\/li>\n

                        • \n

                          Payment processing systems that handle credit card or banking data<\/p>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"

                          Risk Classifications Trinity College is committed to safeguarding the privacy of its students, alumni, faculty, and staff, and to ensuring the confidentiality, integrity, and availability of the information that supports and advances its educational mission. To uphold these commitments, Trinity classifies institutional information and data according to their risk level, enabling the implementation of appropriate […]<\/p>\n","protected":false},"author":336,"featured_media":0,"parent":8451,"menu_order":3,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-9107","page","type-page","status-publish","hentry"],"acf":[],"yoast_head":"\nRisk Classification - Library & Information Technology Services<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/information-technology-policies-procedures\/data-classification-collaboration\/risk-classification\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Risk Classification\" \/>\n<meta property=\"og:description\" content=\"Risk Classifications Trinity College is committed to safeguarding the privacy of its students, alumni, faculty, and staff, and to ensuring the confidentiality, integrity, and availability of the information that supports and advances its educational mission. To uphold these commitments, Trinity classifies institutional information and data according to their risk level, enabling the implementation of appropriate […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/information-technology-policies-procedures\/data-classification-collaboration\/risk-classification\/\" \/>\n<meta property=\"og:site_name\" content=\"Library & Information Technology Services\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-10T22:05:16+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/information-technology-policies-procedures\/data-classification-collaboration\/risk-classification\/\",\"url\":\"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/information-technology-policies-procedures\/data-classification-collaboration\/risk-classification\/\",\"name\":\"Risk Classification - Library & Information Technology Services\",\"isPartOf\":{\"@id\":\"https:\/\/www.trincoll.edu\/lits\/#website\"},\"datePublished\":\"2025-06-10T21:46:44+00:00\",\"dateModified\":\"2025-06-10T22:05:16+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/information-technology-policies-procedures\/data-classification-collaboration\/risk-classification\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/information-technology-policies-procedures\/data-classification-collaboration\/risk-classification\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/information-technology-policies-procedures\/data-classification-collaboration\/risk-classification\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.trincoll.edu\/lits\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Technology\",\"item\":\"https:\/\/www.trincoll.edu\/lits\/technology\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Information Security\",\"item\":\"https:\/\/www.trincoll.edu\/lits\/technology\/security\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Governance Risk and Compliance\",\"item\":\"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/\"},{\"@type\":\"ListItem\",\"position\":5,\"name\":\"Information Security Policy & Standards\",\"item\":\"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/information-technology-policies-procedures\/\"},{\"@type\":\"ListItem\",\"position\":6,\"name\":\"Data Classification & Collaboration\",\"item\":\"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/information-technology-policies-procedures\/data-classification-collaboration\/\"},{\"@type\":\"ListItem\",\"position\":7,\"name\":\"Risk Classification\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.trincoll.edu\/lits\/#website\",\"url\":\"https:\/\/www.trincoll.edu\/lits\/\",\"name\":\"Library & Information Technology Services\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.trincoll.edu\/lits\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Risk Classification - Library & Information Technology Services","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/information-technology-policies-procedures\/data-classification-collaboration\/risk-classification\/","og_locale":"en_US","og_type":"article","og_title":"Risk Classification","og_description":"Risk Classifications Trinity College is committed to safeguarding the privacy of its students, alumni, faculty, and staff, and to ensuring the confidentiality, integrity, and availability of the information that supports and advances its educational mission. To uphold these commitments, Trinity classifies institutional information and data according to their risk level, enabling the implementation of appropriate […]","og_url":"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/information-technology-policies-procedures\/data-classification-collaboration\/risk-classification\/","og_site_name":"Library & Information Technology Services","article_modified_time":"2025-06-10T22:05:16+00:00","twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/information-technology-policies-procedures\/data-classification-collaboration\/risk-classification\/","url":"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/information-technology-policies-procedures\/data-classification-collaboration\/risk-classification\/","name":"Risk Classification - Library & Information Technology Services","isPartOf":{"@id":"https:\/\/www.trincoll.edu\/lits\/#website"},"datePublished":"2025-06-10T21:46:44+00:00","dateModified":"2025-06-10T22:05:16+00:00","breadcrumb":{"@id":"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/information-technology-policies-procedures\/data-classification-collaboration\/risk-classification\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/information-technology-policies-procedures\/data-classification-collaboration\/risk-classification\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/information-technology-policies-procedures\/data-classification-collaboration\/risk-classification\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.trincoll.edu\/lits\/"},{"@type":"ListItem","position":2,"name":"Technology","item":"https:\/\/www.trincoll.edu\/lits\/technology\/"},{"@type":"ListItem","position":3,"name":"Information Security","item":"https:\/\/www.trincoll.edu\/lits\/technology\/security\/"},{"@type":"ListItem","position":4,"name":"Governance Risk and Compliance","item":"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/"},{"@type":"ListItem","position":5,"name":"Information Security Policy & Standards","item":"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/information-technology-policies-procedures\/"},{"@type":"ListItem","position":6,"name":"Data Classification & Collaboration","item":"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/information-technology-policies-procedures\/data-classification-collaboration\/"},{"@type":"ListItem","position":7,"name":"Risk Classification"}]},{"@type":"WebSite","@id":"https:\/\/www.trincoll.edu\/lits\/#website","url":"https:\/\/www.trincoll.edu\/lits\/","name":"Library & Information Technology Services","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.trincoll.edu\/lits\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/www.trincoll.edu\/lits\/wp-json\/wp\/v2\/pages\/9107","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.trincoll.edu\/lits\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.trincoll.edu\/lits\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.trincoll.edu\/lits\/wp-json\/wp\/v2\/users\/336"}],"replies":[{"embeddable":true,"href":"https:\/\/www.trincoll.edu\/lits\/wp-json\/wp\/v2\/comments?post=9107"}],"version-history":[{"count":0,"href":"https:\/\/www.trincoll.edu\/lits\/wp-json\/wp\/v2\/pages\/9107\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/www.trincoll.edu\/lits\/wp-json\/wp\/v2\/pages\/8451"}],"wp:attachment":[{"href":"https:\/\/www.trincoll.edu\/lits\/wp-json\/wp\/v2\/media?parent=9107"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}