Updated IT risk classification standard provides clear guidance for protecting confidentiality, integrity, and availability of university data

Chart displaying Virginia Tech’s Risk Classification Labels: High-Risk (red) for sensitive data such as SSNs, PHI, export-controlled data, and data that could cause major impact if disclosed; Moderate-Risk (yellow) for data not public but with mild to moderate impact if compromised; and Low-Risk (green) for publicly intended data with no adverse impact if disclosed.

A clear understanding of the level of risk that a given type of data or system presents is essential, not only for putting in place measures that adequately protect that data, but also for managing data in the most efficient and cost-effective way. To ensure departments have the information they need to effectively manage risk, the IT Security Office published an updated IT Risk Classification Standard, version 6.0, in June 2025.

This standard supports university Policy 7010 - Policy for Securing Technology Resources and Services and establishes the university’s data and IT classification scheme for the purpose of determining appropriate controls, safeguards and/or countermeasures that should be in place for university data and IT assets in order to uphold confidentiality, integrity, and availability of data.

The updated standard clearly outlines the level of risk presented by the various types of data, endpoints, servers, and applications in use across the university, allowing IT professionals and departments to easily identify moderate- and high-risk assets and apply the appropriate protection to maximize security.