Risk Classifications

Rice has classified its information assets into risk-based categories for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access.

Rice has 3 types of Risk Classifications. Except for regulated data such as protected health information (PHI), Social Security Numbers, and financial account numbers, research data and systems predominately fall into the Low Risk classification. Review the classification definitions and examples below to determine the appropriate risk level to apply.

General Data (Low Risk)

Data and systems are classified as Low Risk if they are not considered to be Moderate or High Risk, and:

  • The data is intended for public disclosure, or
  • The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on our mission, safety, finances, or reputation.

Sensitive Data (Moderate Risk)

Data and systems are classified as Moderate Risk if they are not considered to be High Risk, and:

  • The data is not generally available to the public, or
  • The loss of confidentiality, integrity, or availability of the data or system could have a mildly adverse impact on our mission, safety, finances, or reputation.

Confidential and Regulated Data (High Risk)

Data and systems are classified as High Risk if:

  • Protection of the data is required by law/regulation,
  • Rice is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed, or
  • The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.

Uncertain about your classification?

Try visiting these pages for specific examples.