Risk Classification Examples of Common IT Resources

Revised: 23 Oct 2015 by ITSC

The risks associated with the use of an IT resource can be mapped to one of three different risk categories, namely high-risk, moderate-risk and low-risk, depending on the outcome of risk assessment. Risk assessment should be considered according to the purposes of use and good assessment often requires sound understanding of prominent business or operational concerns.

To assist IT resource users and owners to arrive at appropriate risk assessment for their particular use cases, this document shows some risk classification examples using common types of IT resources.

Since risk assessment is closely related to purposes of use, it is anticipated that the reference classification may not be adequate in certain cases. All members of the University are strongly encouraged to assess any associated risks before using any IT resource, and always apply the stronger protection measure if in doubt.

Risk Category: High-risk

High-risk items are those which protection are required by law (e.g. Personal Data Privacy Ordinance) or that, if compromised, can lead to significant impact on University’s business, safety or finances. Common IT resources belonging to the high-risk category include but are not limited to the following:

Data Level

  • Restricted data according to HKUST Data Classification Guidelines that is kept in electronic form
  • Staff personal records
  • Student personal records
  • Alumni personal records
  • Donor personal records
  • Financial data
  • Non-disclosure agreements or contracts

Application System Level

  • Application systems handling high-risk data
  • Central administrative information systems
  • Central email system

End-Point Level

  • Desktop or notebook computers used to store high-risk data

Server Level

  • Servers supporting high-risk applications
  • Servers supporting IT infrastructure

Network Level

  • Central backbone network housing high-risk servers

Risk Category: Moderate-risk

Moderate-risk items are those that, if compromised, can lead to noticeable impact on University’s business, safety or finances. Common IT resources belonging to the moderate-risk category include but are not limited to the following:

Data Level

  • Non-published research data
  • Non-public meeting notes
  • Usage and access logs
  • Non-sensitive data with person identifiable information

Application System Level

  • Application software handling moderate-risk data
  • Learning management systems
  • Official web sites

End-Point Level

  • Desktop or notebook computers used for office work
  • Desktop computers in Computer Barns

Server Level

  • Servers supporting moderate-risk applications

Network Level

  • Network housing moderate-risk servers and end-points
  • Office network
  • Network for teaching venues
  • Network for research labs
  • Staff residential network

Risk Category: Low-risk

Low-risk items are those that are not classified as high-risk or moderate-risk. It should be noted that even items classified as low-risk should also meet Minimum Security Standard where applicable.

Related Links