Provost IT categorizes the information it stores on behalf of users and departments into three categories: low risk, medium risk, and high risk. Each system or application we maintain is authorized to store data at one of these three classifications, and at any level below it. Additionally, all types of information stored on our systems can be classified into one of the three categories depending on a number of factors listed below.

Knowing what risk classification your data falls into, as well as what systems are available for you to store your data, is vitally important to securing the information of USC’s students, staff, faculty, guests, and other affiliated individuals and groups.

Data Risk Classification Definitions & Examples

  • Low Risk

    Information is classified as low-risk if it is publicly available and intended for public access. Information in this category would have no effect on the university's operations if its confidentiality, integrity or availability were compromised.

    Low Risk Examples

    Low-risk data includes, but is not limited to, the following:

    • Academic calendars
    • Course catalogs
    • USC directory information that is publicly available or intended for a public audience
    • Information publicly available from USC web sites
    • Published research data and papers, or data and papers intended for a public audience
    • Data considered "public" by USC's Information Security Policy

  • Medium Risk

    Information is classified as medium-risk if it is not publicly available or if the breach of its confidentiality, integrity or availability would have a small-to-moderate effect on any university operations.

    Medium Risk Examples

    Medium-risk data includes, but is not limited to, the following:

    • Student records of any type, including advisement records
    • Employment contracts and certain personnel records
    • University financial and budget records
    • Facilities and physical plant information
    • Unpublished research data or papers
    • Data considered "sensitive" by USC's Information Security Policy

  • High Risk

    Information is classified as high-risk if it is not publicly available, if it is legally protected or privileged, or if the breach of its confidentiality, integrity or availability would have a more than moderate effect on any university operations.

    High Risk Examples

    High-risk data includes, but is not limited to, the following:

    • Social security numbers
    • Passport and visa records, copies and numbers
    • Driver's license numbers and copies
    • Personal health information (PHI), including health insurance and medical data
    • Credit card numbers and personal financial information
    • Data considered "restricted" by USC's Information Security Policy


Nothing in these classifications is intended to override or redefine the information already listed in USC’s official Information Security Policy.
Should there be a discrepancy or misunderstanding between these guidelines and those defined in the Information Security Policy, the items in the Information Security Policy shall supersede.