The identification of information processed on a system is essential to the proper selection of security controls and ensuring the confidentiality, integrity, and availability of the system and its data.

Knowing the classification provides you with guidance for storing, processing, transferring, and sharing of the data.

For information about secure storage, communication, and collaboration services please visit our Secure Storage and Communication Services page

Controlled Unclassified Information (CUI)

Research or project information that has been classified as Controlled Unclassified Information (CUI). 

The Federal government requires the protection and safeguarding or dissemination controls applied.  A WashU System Security Plan will be required to document the security controls implemented along with an attestation report signed by the CISO or their designee.

Electronic Code of Federal Regulations – 32 CFR Part 2002was issued by ISOO to establish policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the Program. The rule affects Federal executive branch agencies that handle CUI and all organizations (sources) that handle, possess, use, share, or receive CUI—or which operate, use, or have access to Federal information and information systems on behalf of an agency.”  (CUI)  Information Security Oversight Office (ISOO)


Health Insurance Portability and Accountability Act – legislation that includes requirements for the privacy and security of identifiable patient health information. Privacy covers all records whether paper or electronic and the Security focuses on electronic information.

Applicable – All departments that produce, use, store or transmit patient health records.

PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security issues. A company processing, storing, or transmitting credit card numbers must be PCI DSS compliant or they risk losing the ability to process credit card payments. Merchants and service providers must validate compliance with an audit by a PCI DSS Qualified Security Assessor (QSA) Company.

Applicable – Departments that process credit cards for payment of services.

Family Educational Rights and Privacy Act protects the privacy of student education records.

Chemical Facility Anti-Terrorism Standards
The Department of Homeland Security has issued Chemical Facility Anti-Terrorism Standards for any facility that manufactures, uses, stores, or distributes certain chemicals above a specified quantity.

Applicable – Environmental Health & Safety and other information sources that track DHS identified Chemicals.

Federal Information Security Management Act – requirements for security controls to be in place when federally regulated information is stored.

Applicable – Departments that produce, use, store or transmit information to the Veterans Affairs patient database.

FDA Part 11
Requirements for controls to non-repudiation of electronic signatures for records that are intended for the Food and Drug Administration.

Applicable – Departments that take part in drug trials will need to comply.

Nuclear Regulatory Commission.  Regulations to protect information related to U.S. government programs for the physical protection and safeguarding of nuclear materials or facilities.

Missouri PII
Missouri Personally Identifiable Information

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.


HR Records

Legal Documents

Intellectual Property

Financial Data



Released by Public Affairs