Categorizing and Securing Institutional Data Below is a matrix to categorize university data by the level of risk to ensure that its confidentiality, integrity and appropriate availability are not compromised in the running of university business. Northeastern University is using this matrix as a part of the Data Classification Pilot Project to ensure its feasibility to selected central university offices, confirm its scalability to the university‐wide community in the future, and to recommend appropriate adjustments before a university‐wide launch. This matrix should be used on an educational basis only at this time. Upon successful completion of the Pilot stage of this project, review of the project outcomes, and approval of next project steps by the Data Administration, Policy, and Security (DAPSec) committee and ITEC, a final revised version of this matrix will be posted, and will become a part of the “Policy on Confidentiality of University Records and Information”. DATA TYPE DEFINITION RISK LEVEL DEFINITION RISK LEVEL Data that the university must keep Unauthorized public disclosure, High Risk Level private under federal, state, local or international laws and regulations, industry standards, and/or confidentiality agreements. Data that is not for public consumption. Its handling is based on university‐wide policy and/or internal procedures, and takes into account proprietary, ethical, business practice or privacy implications. Data that the university could publish by laws and regulations but has chosen to keep confidential. Its handling is based on university or department/unit protocols or procedures. Data that may, or must, be available and accessible to the general public with no expectation for privacy, risk or confidentiality. There are no legal and institutional limitations on its access or use. alteration, or loss of this data would result in criminal or civil penalties, identity theft, financial loss, invasion of privacy and will have serious adverse effects on the University’s reputation, resources, services or individuals. Unauthorized public disclosure, Medium Risk Level alteration, or loss of this data would adversely affect the University’s missions, reputation, services, safety, finances, resources or individuals. Unauthorized public disclosure or Low Risk Level loss of this data would not cause material harm and is unlikely to, but could, pose risk to the University’s mission, reputation, services, resources and individuals. Public disclosure or loss of this data No Risk Level poses no risk to the University’s mission, reputation, services, safety, finances, resources and individuals.