The identification of information processed on a system is essential to the proper selection of security controls and ensuring the confidentiality, integrity, and availability of the system and its data.

Knowing the classification provides you with the guidance for storing, processing, transferring, and sharing of the data.


Health Insurance Portability and Accountability Act – legislation that includes requirements for the privacy and security of identifiable patient health information. Privacy covers all records whether paper or electronic and the Security focuses on electronic information.

Applicable – All departments the produce, use, store or transmit patient health records.

PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security issues. A company processing, storing, or transmitting credit card numbers must be PCI DSS compliant or they risk losing the ability to process credit card payments. Merchants and service providers must validate compliance with an audit by a PCI DSS Qualified Security Assessor (QSA) Company.

Applicable – Departments that process credit cards for payment of services.

Family Educational Rights and Privacy Act protects the privacy of student education records.

Chemical Facility Anti-Terrorism Standards
The Department of Homeland Security has issued Chemical Facility Anti-Terrorism Standards for any facility that manufactures, uses, stores, or distributes certain chemicals above a specified quantity.

Applicable – Environmental Health & Safety and other information sources that track DHS identified Chemicals.

Federal Information Security Management Act – requirements for security controls to be in place when federally regulated information is stored.

Applicable – Departments that produce, use, store or transmit information to the Veterans Affairs patient database.

FDA Part 11
Requirements for controls to non-repudiation of electronic signatures for records that are intended for the Food and Drug Administration.

Applicable – Departments that take part in drug trials will need to comply.

Nuclear Regulatory Commission.  Regulations to protect information related to U.S. government programs for the physical protection and safeguarding of nuclear materials or facilities.

Missouri PII
Missouri Personally Identifiable Information





HR Records

Legal Documents

Intellectual Property

Financial Data






Released by Public Affairs