Risk Classifications | University IT
Stanford is committed to protecting the privacy of its students, alumni, faculty and staff, as well as protecting the confidentiality, integrity, and availability of information important to the university's mission.
Stanford classifies information assets into three risk-based categories, Low Risk, Moderate Risk, and High Risk, to determine access permissions and required security controls.
Key Principles:
Data must support Stanford's academic mission, regulatory obligations, and risk management objectives.
Data may only be collected, used, retained, and shared for legitimate academic, operational, research, or regulatory purposes.
Access is restricted to authorized individuals based on business, research, or academic need, following least privilege principles.
Special note to Stanford researchers:
Except for regulated data such as Protected Health Information (PHI), Social Security Numbers (SSNs), and financial account numbers, research data and systems predominately fall into the Low Risk classification. Review the classification definitions and examples below to determine the appropriate risk level to apply. See Research Policy Handbook Section 1.10 for information security practices and guidelines specific to research computing systems.
In addition to understanding risk classifications, for Moderate and High Risk Data, be sure to take all necessary steps to protect sensitive data at Stanford.
Low Risk
Data and systems are classified as Low Risk if they are not considered to be Moderate or High Risk, and:
The data is intended for public disclosure, or
The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on our mission, safety, finances, or reputation.
Moderate Risk
Data and systems are classified as Moderate Risk if they are not considered to be High Risk, and:
The data is not generally available to the public, or
The loss of confidentiality, integrity, or availability of the data or system could have a mildly adverse impact on our mission, safety, finances, or reputation.
High Risk
Data and systems are classified as High Risk if:
Protection of the data is required by law/regulation,
Stanford is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed, or
The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.
Data Risk Classification Examples
Use the examples below to determine which risk classification is appropriate for a particular type of data. When mixed data falls into multiple risk categories, use the highest risk classification across all.
View Minimum Security Standards: Endpoints
Low Risk
Research data (at data owner's discretion)
SUNet IDs
Information authorized to be available on or through Stanford's website without SUNet ID authentication
Policy and procedure manuals designated by the owner as public
Job postings
University contact information not designated by the individual as "private" in StanfordYou
Information in the public domain
Publicly available campus maps
Moderate Risk
Unpublished research data (at data owner's discretion)
Student records and admission applications
Faculty/staff employment applications, personnel files, benefits, salary, birth date, personal contact information
Non-public Stanford policies and policy manuals
Non-public contracts
Stanford internal memos and email, non-public reports, budgets, plans, financial info
University and employee ID numbers
Project/Task/Award (PTA) numbers
Engineering, design, and operational information regarding Stanford infrastructure
High Risk
Health Information, including Protected Health Information (PHI)
Health Insurance policy ID numbers
Social Security Numbers
Credit card numbers
Financial account numbers
Export controlled information
Driver's license numbers
Passport and visa numbers
Donor contact information and non-public gift information
Server Risk Classification Examples
A server is defined as a host that provides a network accessible service.
View Minimum Security Standards: Servers
Low Risk
Servers used for research computing purposes without involving Moderate or High Risk Data
File server used to store published public data
Database server containing SUNet IDs only
Moderate Risk
Servers handling Moderate Risk Data
Database of non-public University contracts
File server containing non-public procedures/documentation
Server storing student records
High Risk
Servers handling High Risk Data
Servers managing access to High Risk systems
University IT and departmental email systems
Core campus infrastructure
Application Risk Classification Examples
An application is defined as software running on a server that is network accessible.
View Minimum Security Standards: Applications
Low Risk
Applications handling Low Risk Data
Online maps
University online catalog displaying academic course descriptions
Bus schedules
Moderate Risk
Applications handling Moderate Risk Data
Human Resources application that stores salary information
Directory containing phone numbers, email addresses, and titles
University application that distributes information in the event of a campus emergency
Online application for student admissions
High Risk
Applications handling High Risk Data
Human Resources application that stores employee SSNs
Application that stores campus network node information
Application collecting personal information of donor, alumnus, or other individual
Application that processes credit card payments
Approved Services
This table indicates which classifications of data are allowed on a selection of commonly used Stanford University IT services.
For information on the GenAI tools that have been evaluated or are currently undergoing evaluation, refer to the GenAI Tool Evaluation Matrix.
Due to security, privacy, and compliance concerns, applications that have not been evaluated by the university and require access to Stanford email, such as Superhuman, are not permitted. More details will be provided soon.
High Risk Non-PHI Data
Payment Card Industry (PCI) data has special regulatory requirements that preclude using the services below. Contact the PCI team for assistance with handling this type of data.
High Risk PHI Data
Protected Health Information (PHI) data has special regulatory requirements that govern using the services below. Contact the DRA team for assistance handling this type of data.
Stanford Service | Low Risk | Moderate Risk | High Risk: Non-PHI | High Risk: PHI
Audio and Video Conferencing: Zoom and WebEx; Microsoft Teams (IMPORTANT: Teams is only approved for PHI data with Cardinal Key) | Approved | Approved | Approved | Approved
Backups: Backup and Recovery Service for Servers (BaRS) | Approved | Approved | Approved | Approved
Backups: CrashPlanPROe | Approved | Approved | Approved | Approved
Calendar: Office 365 | Approved | Approved | Not approved | Not approved
Cardinal Fax | Approved | Approved | Approved | Approved
Cardinal Print | Approved | Approved | Approved | Approved
Cloud Infrastructure: Amazon Web Services, Microsoft Azure, Google Cloud Platform (IMPORTANT: Only approved for High-Risk and PHI data with the provision set up by UIT, and configured and managed by a Stanford professional services team, e.g. Stanford Research Computing or TCG. Only HIPAA-approved services are allowed for PHI-containing cloud accounts; see GCP and AWS) | Approved | Approved | Approved | Approved
Content Management: Stanford Domains | Approved | Not approved | Not approved | Not approved
Content Management: Drupal (Stanford Sites), WordPress | Approved | Approved | Not approved | Not approved
Content Management: OpenText | Approved | Approved | Approved | Not approved
Database Hosting: MySQL | Approved | Approved | Not approved | Not approved
Document Management: Office 365 OneDrive, SharePoint, OneNote (IMPORTANT: Only approved for PHI data with Cardinal Key) | Approved | Approved | Approved | Approved
Document Management: Medicine Box | Approved | Approved | Approved | Approved
Document Management: Google Drive (including Shared Drives, Docs, Sheets, Slides, and Forms) (IMPORTANT: Only approved for PHI data with Cardinal Key with Google Drive) | Approved | Approved | Approved | Approved
Document Management: Google G Suite: All others (Photos, Jamboard, Sites, etc.) | Approved | Approved | Not approved | Not approved
Electronic Data Capture (EDC): REDCap, Forte, REDCap Cloud (Note: Compliant with Title 21 CFR Part 11) | Approved | Approved | Approved | Approved
Electronic Signature: AdobeSign (IMPORTANT: Only approved for PHI data with the system configuration set up by UIT) | Approved | Approved | Approved | Approved
Electronic Signature: DocuSign | Approved | Approved | Not approved | Not approved
Email: Google Mail, Office365 (with “Secure:” in subject line) | Approved | Approved | Approved | Approved
Email: Google Mail, Office365 (without “Secure:” in subject line) | Approved | Approved | Not approved | Not approved
Email: Other Departmental Systems | Approved | Approved | Not approved | Not approved
Encryption: MDM Compliant Device, Stanford Device Registration Compliant Device | Approved | Approved | Approved | Approved
Encryption: VLRE Compliant Device | Approved | Approved | Not approved | Not approved
File Storage: AFS, CIFS, NFS | Approved | Approved | Not approved | Not approved
File Storage: Secure AFS, Secure File Storage, Wasabi Cloud Storage | Approved | Approved | Approved | Approved
File Transfer: Globus | Approved | Approved | Not approved | Not approved
Cardinal Voice Softphone | Approved | Approved | Approved | Approved
Slack Messaging: Public Channels | Approved | Approved | Not approved | Not approved
Slack Messaging: Direct Messages and invite-only (private) channels | Approved | Approved | Approved | Not approved
Issue Tracking: JIRA | Approved | Approved | Approved | Not approved
Network Access Control: SUNAC | Approved | Approved | Approved | Approved
Project Management: M365 Planner (IMPORTANT: Only approved for PHI data with Cardinal Key) | Approved | Approved | Approved | Approved
ServiceNow | Approved | Approved | Approved | Approved
Smartsheet: Collaboration and Project Management (Statement from Stanford CISO October 2025) | Approved | Approved | Approved | Approved
Stanford Profiles: CAP | Approved | Not approved | Not approved | Not approved
Survey Tool: Qualtrics - University, SoM, and GSB instances | Approved | Approved | Approved | Approved
Survey Tool: Qualtrics - All other instances; M365 Forms | Approved | Approved | Not approved | Not approved
Task Tracking: M365 To-Do | Approved | Approved | |
Voice Messaging | Approved | Approved | Not approved | Not approved
VPN | Approved | Approved | Approved | Approved
Web Programming: CGI | Approved | Approved | Not approved | Not approved
Wiki: Confluence | Approved | Approved | Not approved | Not approved
View M365 add-ins and plugins guide
Approved Environments
This table shows which Stanford environments are appropriate for managing the specified data classifications.
National Institute of Standards and Technology (NIST) 800-171: Meets NIST requirements for controlled unclassified information in nonfederal systems and organizations.
National Institutes of Health (NIH) Security Best Practices for Users of Controlled-Access Data: Meets NIH Security Best Practices for Users of Controlled-Access Data for use with NIH controlled-access datasets (e.g., dbGaP) only.
Federal Acquisition Regulation (FAR) 52.204-21: Meets security requirements for federal contractors.
Cybersecurity Maturity Model Certification (CMMC): Meets CMMC requirements for Federal Contract Information (FCI).
Stanford Environment | NIST 800-171 | NIH | FAR 52.204-21 | CMMC Lvl 1 | Low Risk | Moderate Risk | High Risk | High Risk: PHI
Cardinal AWS GovCloud (IMPORTANT: Still need to have a Stanford AWS account in order to get GovCloud started) | Compliant | Approved | In Progress | In Progress | Approved | Approved | Approved | Approved
Carina (IMPORTANT: A DRA review is required to introduce new research datasets) | In Progress | Approved | Compliant | | Approved | Approved | Approved | Approved
FarmShare | Not compliant | Not approved | Not compliant | Not compliant | Approved | Approved | Not approved | Not approved
Marlowe | Not compliant | Not approved | Not compliant | Not compliant | Approved | Approved | Not approved | Not approved
Nero (IMPORTANT: A DRA review is required to introduce new research datasets) | In Progress | Approved | In Progress | In Progress | Approved | Approved | Approved | Approved
Oak | Not compliant | Approved | Not compliant | Not compliant | Approved | Approved | Not approved | Not approved
Redivis (IMPORTANT: A DRA review is required to introduce new research datasets) | Compliant | Approved | Compliant | Compliant | Approved | Approved | Approved | Approved
SCG | Not compliant (In Progress) | Approved | In Progress | In Progress | Approved | Approved | Not approved | Not approved
Sherlock | Not compliant | Not approved | Not compliant | Not compliant | Approved | Approved | Not approved | Not approved