This tool is designed to be used to determine the sensitivity of your data. Please check all applicable data types to see the classification of your combined data set.

Page 1 of 1

Cannot select choice! The maximum number of choices has been selected.Value removed!
Loading... [View Image] Loading...
The VCU Data Classification Tool allows you to determine the sensitivity classification of any combination of data types selected from the following list . To use this tool, simply check the desired data type(s).

Following the completion of your selection(s), basic protection requirements for the specified data types will be provided to you. Please be advised that the basic requirements are the bare minimum that apply to each category of data. In order to understand the actual requirements applicable to your data, please review the Information Security Policies and Standards, consult with your local IT support or consult with the VCU Information Security Office (infosec@vcu.edu).

This tool applies to data generated, collected, processed, stored, transmitted or otherwise handled by the University for its academic, research, community engagement, and administrative functions, and any third party data used by University personnel for university related business.
This combination of data types will be classified as Category I data


Category I data is data with the highest sensitivity, and must be protected with the utmost diligence. In addition to or in place of requirements for Category II data, the following basic requirements apply to Category I data. (Please consult with your departmental IT support for full requirements that may apply to your data)

1. Electronic data transmitted must be encrypted during transmission.

2. Unless stored in the University's Central Computer Center facilities (UCC, CHiPC), data must be encrypted when stored.

3. Unique user identification is required for access, no group or generic accounts can be used to access this data.

4. Data cannot be accessible directly to the public (e.g. No direct access from Internet, no direct access from public locations on campus).

5. Two factor authentication for off-campus access to the data is required, and two factor authentication for on-campus access to the data is strongly recommended and may be required in certain cases.

6. Periodic vulnerability assessment of systems and / or processes used to handle the data is required.

7. Third party and external service providers used to handle or store data must be periodically reviewed by the VCU Information Security Office for their security and privacy practices

Please consult with your school or departmental IT support, the VCU Information Security Office (infosec@vcu.edu), and other applicable units (Office of Research, Registrar's office, University Counsel, etc) for more information on the protection of this data.



Category III data is public data that has absolutely no security or privacy impact if lost or stolen. Examples of this data include marketing information for a school or general description of an academic program on a brochure or website.

Basic Category III Data Handling Requirements (Please consult with your IT support team for full requirements that apply to your data):


1. Password protection for the data is discretionary but recommended if applicable.

2. Data can be stored on VCU IT systems or third party IT systems freely.

3. Data can be made public without prior approval.

4. Systems used to handle the data must be registered in the VCU server inventory, and applications / services used to handle the data must be registered in the VCU application inventory.

Please consult with your departmental or school level IT support for more information on the protection requirements of this data.
UNLESS OTHERWISE SPECIFIED ABOVE, this combination of data types will be classified as Category II data


Category II data is data with medium sensitivity. Examples of Category II data includes basic personal information such as names and address and internal memos or business process documentation

In addition to or in place of Category III Data Handling Requirements, the following items are basic requirements for the protection of Category II data. (Please consult with your departmental IT support for full requirements that apply to your data)


1. Electronic data must be password protected at all times, password used to protect the data must meet the VCU Password, Authentication and Access Standard.

2. Data should be stored on VCU IT systems whenever possible, the IT system should be protected by antivirus system, and be centrally managed or supported by University central or departmental IT staff.

3. Documented authorization is needed before an individual is given access to the data, and the use of group or generic accounts to access the data is discouraged.

4. Internal systems used to handle the data must undergo a system security assessment prior to provisioning or major modification.

5. Third party and external services used to handle data should be reviewed by the VCU Information Security Office for security and privacy practices.

6. Systems used to handle the data must be registered in the VCU server inventory, and applications / services used to handle the data must be registered in the VCU application inventory.

Please consult with your departmental or school level IT support for more information on the protection requirements of this data.
The classification of the data combination you selected is listed above. Please DO NOT CLICK on submit.
You have selected an option that triggers this survey to end right now.
To save your responses and end the survey, click the 'End Survey' button below. If you have selected the wrong option by accident and/or wish to return to the survey, click the 'Return and Edit Response' button.