Information Security Office Risk Assessment

Information Security Office Risk Assessment (ISORA) is a university-wide risk assessment of information security conducted to comply with State regulations. This process will help The Cockrell School of Engineering assess the security of systems that hold sensitive data. As a “steward” of university data, you will be asked to classify the data on your computer according to the UT Data Classification Standard. IT staff will then answer additional questions about the security of these systems.

University Data vs. Personal Data

ISORA answers should be based on university data. According to the Data Classification Standard:

Data that is personal to the operator of a system and stored on a university IT resource as a result of incidental personal use is not considered university data.

For example, your personal W-2 downloaded to your computer is personal data and would not be part of your data classification.

Confidential (Category 1) Data

According to the Data Classification Standard, Confidential data is:

University data protected specifically by federal or state law or University of Texas rules and regulations (e.g., HIPAA; FERPA . . .)

Confidential data also includes:

data…which must be protected due to contractual agreements requiring confidentiality, integrity, or availability considerations

A few examples from the Extended list of Category 1 data include:

  • Employee Information (e.g. Social Security Number)
  • Student data (e.g. grades, test scores, assignments)
  • Donor/Alumni Information (e.g. name, email, amount donated)

Controlled (Category 2) Data

According to the Standard, Category 2 data is:

University data that is not Confidential (Category 1), "but which are releasable in accordance with the Texas Public Information Act"

An example is an employee's email.

Most systems used by faculty and staff will be Confidential or Controlled.

Published (Category 3) Data

According to the Standard, Category 3 data is:

University data that is not Confidential or Controlled (Category 1 or 2), "such data have no requirement for confidentiality, integrity, or availability."

This is public data that can be released without an open records request. For example, a professor's blog.

Information Security Office

The Information Security Office (ISO) provides additional information regarding security policies, practices and standards.