Risk Classifications

Information at MIT falls into one of three risk levels: Low, Medium, or High. Level classifications are based on who should have access to the information and how much harm would be done if it were disclosed, modified, or unavailable. Considering the research data or administrative information you handle at MIT, review the risk level definitions below to determine which level your data should be assigned. Once the risk level is determined, use the tasks for that level to secure the information under your control.

The Risk Levels

  • Information that the Institute has chosen not to disclose, but which would not result in material harm.
  • Public information
  • Information not intended to be freely available to the general public, or to the MIT community, without access controls.
  • The loss of confidentiality, integrity, or availability of these information assets could reasonably be expected to result in legal liability, reputational damage, or potential for other types of harm.
  • This information is subject to legal or regulatory requirements necessitating its proper safeguarding and handling, including possible notification in the event of a breach.
  • The loss of confidentiality, integrity, or availability of these information assets could reasonably be expected to result in serious harm to individuals or the Institute.

Risk Level Examples

While these examples are meant to assist in the classification process, the unique context of a particular dataset or use case may impact the overall classification category. If in doubt as to the appropriate classification category for a particular set of information, data owners should contact IS&T’s Information Security Office for assistance.

For human subject research, COUHES (Committee on the Use of Humans as Experimental Subjects) makes the ultimate decision on the level of risk. When paired with a unique personal identifier, research or human subject information should be classified at one level higher than listed in the examples above.

Classification Examples for Low Risk Information

  • Patent applications
  • Directory information for faculty, staff, or students
    • Excluding information for which a Family Educational Rights and Privacy Act (FERPA) block has been requested.
  • Published research papers
  • Course catalogs
  • Job postings
  • Campus maps
  • Public information

Classification Examples for Medium Risk Information

  • MIT IDs with associated identifying information
  • Faculty and staff employment applications, personnel files, benefits, salary, birth date, personal contact information
  • Institute financial account numbers and budgets
  • Donor contact information and non-public gift information
  • Non-public contracts
  • Unpublished research papers
  • Building floor plans

Classification Examples for High Risk Information

  • Personal information as defined by Massachusetts 201 CMR §17, a name associated with a social security number (SSN), driver's license or state issued ID number, or financial account number
  • MIT credentials with access to Medium or High Risk information
  • Some student information classified under FERPA, such as student transcripts
  • Health information covered under HIPAA/HITECH
  • Credit card information covered by PCI-DSS rules
  • Court or national security orders that prohibit disclosure (e.g., subpoenas, National Security Letters)
  • Information covered under ITAR (International Traffic in Arms Regulations) and the EAR (Export Administration Regulations)
    • Immediately contact the Institute’s Export Control Office (exportcontrolhelp@mit.edu) if suspected ITAR or EAR information is discovered stored outside of an approved Technology Control Plan (TCP).

Classification Examples for Low Risk Servers

  • Servers handling Low Risk Information

Classification Examples for Medium Risk Servers

  • Servers handling Medium Risk Information
  • Databases of non-public contract
  • File servers containing non-public procedures/documentation
  • Servers storing student medical, financial, or class attendance records

Classification Examples for High Risk Servers

  • Servers handling High Risk Information
  • Servers managing access to other systems
  • Institute IT and departmental email systems
  • Active Directory
  • DNS

Classification Examples for Low Risk Applications

  • Applications handling Low Risk Information

Classification Examples for Medium Risk Applications

  • Applications handling Medium Risk Information
  • Databases storing donor contact information
  • MITAlert system
  • Online application for student admissions

Classification Examples for High Risk Applications

  • Applications handling High Risk Information
  • Human Resources application that stores employee social security numbers (SSNs)
  • Applications that store campus network node information
  • Applications collecting personal information of donor, alumnus, or other individuals
  • Applications that processes credit card payment