Information Security Definitions

Data Classifications

Sensitive data - Data that must be protected against unwarranted disclosure. Access to sensitive data must be safeguarded. Protection may be required for legal or ethical reasons, for personal privacy, or for proprietary considerations.

Some examples are: 

  • Social Security Number
  • Income tax records
  • Date of birth
  • Financial Information
  • Place of birth
  • Driver's license numbers
  • Mother's maiden name
  • Credit card numbers
  • Bank account numbers
  • Personal address

Sensitive data also includes any information that University policy protects from unauthorized access. Such information must be restricted to those with a legitimate business need for it. Examples include, but are not limited to, some types of research data (such as research data that is personally identifiable or proprietary), public safety information, financial donor information, information concerning select agents, system access passwords, information security records, and file encryption keys.

Public Data - Public data is information that can be freely used, reused and redistributed by anyone with no existing local, national or international legal restrictions on access or usage.

Confidential Data - The term confidential data applies broadly to information whose unauthorized access or disclosure could have an adverse effect. Examples include any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit.

Types of Data

PII - The term personally identifiable information refers to information that can be used to distinguish or trace an individual's identity, such as their name, Social Security number, or biometric records, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth or mother's maiden name.

For the purpose of determining which PII may be electronically transmitted, the following types of PII are considered sensitive when they are associated with an individual, and secure methods must be used to transmit them:

  • Place of birth
  • Date of birth
  • Mother’s maiden name
  • Biometric information
  • Medical information, except brief references to absences from work
  • Personal financial information
  • Credit card or purchase card account numbers
  • Passport numbers
  • Potentially sensitive employment information, e.g., personnel ratings, disciplinary actions, and result of background investigations
  • Criminal history
  • Any information that may stigmatize or adversely affect an individual.

This list is not exhaustive, and other data may be sensitive depending on specific circumstances.

Social Security Numbers (SSNs), including truncated SSNs that contain only the last four digits, are sensitive regardless of whether they are associated with an individual. If transmission of a full or truncated SSN is required, secure methods must be employed.
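The two transmission rules above (PII fields are sensitive when tied to a person; SSNs, full or last-four, are sensitive on their own) are the kind of check a pre-send data loss prevention (DLP) gate would apply. The following is an added example, not code from the original page or from any university policy tool: it scans free text for full, masked, and spelled-out last-four SSNs, classifies a record by its field names, and gates transmission on the channel. The field names, the channel names, and the sample records are assumptions constructed for the example.

```python
from __future__ import annotations

import re

# Field names for the PII types the page lists as sensitive when tied to an
# individual. How a record is keyed is an assumption made for this example.
SENSITIVE_PII_FIELDS = {
    "ssn", "place_of_birth", "date_of_birth", "mothers_maiden_name",
    "biometric", "medical", "financial", "credit_card", "purchase_card",
    "passport_number", "personnel_rating", "disciplinary_action",
    "background_investigation", "criminal_history", "bank_account",
    "drivers_license",
}

# A PII field counts as "associated with an individual" when the same record
# also carries a direct identifier (assumed key names).
DIRECT_IDENTIFIERS = {"name", "email", "student_id", "employee_id"}

# Channels treated as "secure methods" for this example (assumed names).
SECURE_CHANNELS = {"sftp", "https", "encrypted_email"}

# Full SSN. Applies the SSA structural rules (area not 000/666/9xx, group not
# 00, serial not 0000); separators are optional, so a bare nine-digit run is
# flagged too. That is deliberately conservative for a DLP check.
SSN_FULL = re.compile(
    r"\b(?!000|666|9\d\d)\d{3}[-\s]?(?!00)\d{2}[-\s]?(?!0000)\d{4}\b"
)

# Masked SSN that still exposes the last four, e.g. "xxx-xx-1234", "***-**-1234".
SSN_MASKED = re.compile(r"(?i)(?<!\w)[x*]{3}[-\s]?[x*]{2}[-\s]?(\d{4})\b")

# Spelled-out last four, e.g. "SSN last 4: 1234" or
# "social security number ending in 1234".
SSN_LAST4 = re.compile(
    r"(?i)(?:ssn|social security(?: number)?)[^\d\n]{0,30}?"
    r"(?:last\s*(?:4|four)(?:\s*digits)?|ending(?:\s*in)?)[^\d\n]{0,10}(\d{4})\b"
)


def find_ssns(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) for every full or truncated SSN found in free text.

    Truncated forms are reported as well, because the page treats last-four
    SSNs as sensitive whether or not they are tied to a person.
    """
    hits = [("full", m.group(0)) for m in SSN_FULL.finditer(text)]
    hits += [("masked_last4", m.group(1)) for m in SSN_MASKED.finditer(text)]
    hits += [("spelled_last4", m.group(1)) for m in SSN_LAST4.finditer(text)]
    return hits


def classify_record(record: dict[str, str]) -> str:
    """Classify a record for transmission: 'sensitive' or 'not_flagged'.

    'not_flagged' means this check found nothing; it is not a finding that
    the data is public, since other policy categories still apply.
    """
    keys = {k.lower() for k in record}
    # Any SSN field or SSN-looking value is sensitive on its own.
    if any("ssn" in k for k in keys):
        return "sensitive"
    if any(find_ssns(str(v)) for v in record.values()):
        return "sensitive"
    # Other PII is sensitive only when the record also identifies a person.
    if keys & DIRECT_IDENTIFIERS and keys & SENSITIVE_PII_FIELDS:
        return "sensitive"
    return "not_flagged"


def may_transmit(record: dict[str, str], channel: str) -> bool:
    """Allow sending unless the record is sensitive and the channel is not secure."""
    return classify_record(record) != "sensitive" or channel in SECURE_CHANNELS


if __name__ == "__main__":
    # Constructed sample records; none of the values are real.
    samples = [
        ({"name": "A. Student", "date_of_birth": "2001-04-03"}, "smtp"),
        ({"date_of_birth": "2001-04-03"}, "smtp"),
        ({"note": "verify with xxx-xx-4321 before release"}, "smtp"),
        ({"name": "B. Staff", "credit_card": "4111 1111 1111 1111"}, "sftp"),
    ]
    for record, channel in samples:
        print(classify_record(record), channel, may_transmit(record, channel))
```

The regexes only cover the SSN forms named on the page; a production DLP gate would add the other listed identifiers (passport and card numbers, for instance) and log each blocked transmission for the information security records the policy itself treats as sensitive.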

FERPA - The Family Educational Rights and Privacy Act of 1974 (FERPA) protects the privacy of student education records and allows the student to determine what information should be confidential, and who should have access to that information. The Registrar serves as the FERPA coordinator for UGA.

UGA Policy Statement

HIPAA - The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides protection for health care information and access, and has two major parts. The first protects health insurance coverage for workers when they change or lose jobs. The second addresses health care fraud and abuse and, through its administrative simplification provisions, requires privacy and security protections for medical records. Regarding HIPAA, VSU adheres to the policies and procedures created by the USG Office of Legal Affairs.

HITECH - The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009 and signed into law on February 17, 2009, promotes the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

FISMA - The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA was signed into law as part of the E-Government Act of 2002.

FISMA assigns responsibilities to various agencies to ensure the security of data in the federal government. The act requires program officials, and the head of each agency, to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner. The National Institute of Standards and Technology (NIST) outlines nine steps toward compliance with FISMA:

  1. Categorize the information to be protected.
  2. Select minimum baseline controls.
  3. Refine controls using a risk assessment procedure.
  4. Document the controls in the system security plan.
  5. Implement security controls in appropriate information systems.
  6. Assess the effectiveness of the security controls once they have been implemented.
  7. Determine agency-level risk to the mission or business case.
  8. Authorize the information system for processing.
  9. Monitor the security controls on a continuous basis.