Under the campus information security risk management program, risks to information systems are periodically assessed. Assessment is based (in part) on the classification of the data stored on the system, the methods used to access the information and the population who accesses the information. As a result of the assessment, mitigation strategies such as limitations on network access, access record reviews, changes in content and authorization.
As part of the information security risk management program, organizations on campus are prohibited from implementing systems which store or process protected level 1 information (i.e. payment card data, social security numbers, etc) without authorization.