UAB Restricted and Sensitive Data

Per UAB’s Data Classification Rule, university-owned data is classified as belonging to one of three tiers: Public, Sensitive, or Restricted/PHI (Restricted) Data. Based on the classification definitions and the desire to properly identify and gauge the level of risk tied to Sensitive and Restricted data owned by UAB, the following data classification and exposure taxonomies have been created. Restricted and Sensitive data have been assigned risk levels of High and Moderate, respectively. The Exposure Taxonomy details the level of risk via potential exposure based on whether the data is available externally, internally, or both. The greater the exposure, the greater the risk.


1.0 Data Classification Taxonomy

Data Classification | Assigned Risk Level
Restricted | High
Sensitive | Moderate
Public | Low

2.0 Risk Exposure Taxonomy

Exposure Factor | Assigned Risk Level
External and Internal | High
External only | Moderate
Internal only | Low

3.0 Risk Assignment Matrix

When combined, the various levels of each taxonomy work together to form a Risk Assignment Matrix. Reading left to right, the Assigned Risk Levels for the Data Classification and the Exposure Factor are compared. The high-watermark level of risk tied to each specific pairing is given precedence and is assigned as the definitive Overall Risk Level for each data classification/exposure factor combination.

Data Classification | Assigned Risk Level | Exposure Factor | Assigned Risk Level | Overall Risk Level
Restricted | High | External and Internal | High | High
Restricted | High | External only | Moderate | High
Restricted | High | Internal only | Low | High
Sensitive | Moderate | External and Internal | High | High
Sensitive | Moderate | External only | Moderate | Moderate
Sensitive | Moderate | Internal only | Low | Moderate
Public | Low | External and Internal | High | Low
Public | Low | External only | Moderate | Low
Public | Low | Internal only | Low | Low