All IT investment proposals are subject to security reviews. These reviews are especially critical for enterprise-level technologies or other technology that impacts a large number of students, faculty and/or staff.
The VCU Data Classification Standard policy provides the classification of all data generated, processed, stored, transmitted, or used by all VCU faculty, staff, contractors, and third party business partners on behalf of VCU. VCU data classification levels include Category I (Confidential and Regulated), Category II (Sensitive), and Category III (Public) information.
The VCU Data Classification Tool may be used to determine the data classification category for IT projects and provide expectations of what to expect upon security reviews.
Information protected under federal, state or industry regulations and / or other civil statutes, where if lost may require breach notification and cause potential regulatory sanctions, fines and damages to the institution’s mission and reputation (Confidential and Regulated data).
All proprietary information that if improperly released has the potential to cause harm to the institution, its mission or its reputation, but do not require breach notifications, and security or privacy of such data is not regulated or required by law or contract. Such data includes proprietary and properly de-identified research information, business related email or other communication records, financial information, employee performance records, operational documentations, contractual information, intellectual property, internal memorandums, salary information, and all other information releasable in accordance with the Virginia Freedom of Information Act (Code of Virginia 2.2-3700). (Sensitive data)
All non-proprietary data that is considered publicly available for unrestricted use and disclosure, where if lost or illegitimately modified, these data will generate no negative impacts to individual departments, schools, colleges, or the institution as a whole. Such information is available to all members of the university community and to all individuals and entities external to the University community. Such data can make up public website information, public press release, public marketing information, directory information, and public research information. (Public Data/Information)
All requests that handle Category I data must have the vendor complete the Higher Education Cloud Vendor Assessment Tool form. This must be submitted with investment requests.