Information Management and Storing University Data

Information Management is the practice of treating information as an institutional resource that requires rules and practices for business process, privacy, security, compliance and risk management.

UMass Amherst staff, faculty, and students working with university data must comply with campus data security policies when using commercial storage and collaboration services. The following storage requirements have been established to protect sensitive university data, the data the university is legally or contractually obligated to protect. The university can face civil and criminal fines if sensitive data is accessed without authorization.

Although information management applies to all forms of institutional information and research data no matter what its format (e.g., paper or electronic), it increasingly relies upon information technology tools. Box is such a tool. In and of itself, it does not automatically manage business process or compliance; the user must take these factors into account. UMass Amherst IT therefore offers this tool with the understanding that users must make informed decisions. Compliant technology does not guarantee compliant business processes.

Note: This matrix is based on the old classification scheme. Generally, in the new Data Categorization strategy, Restricted data and Confidential data will map to High or Moderate confidentiality, Operational data will map to Moderate or Low confidentiality, and Unclassified data will map to Low or N/A for confidentiality. We are in the process of updating this matrix to reflect the new Data Categorization strategy.

Data Storage Options

Yes = Acceptable storage option | No = Unacceptable storage option  Last Updated: January 4, 2016

Data Classification & Examples | Google Apps at UMass Amherst | Secure Storage at UMass Amherst (Box) | Exchange & UMail | Public-Facing UMass Web Sites & Blogs | Cloud Storage Services | Cloud Storage Services with UMass Contract | Secure Storage Options

Social Security Numbers


No No No No No Yes

All Ethnicity Records

No | Yes (varies) | No | No | No | No | Yes

Medical Records (HIPAA)

  • Patient Records
  • Protected Health Information (PHI)*
No | Yes (varies) | No | No | No | No | Yes

Export Controlled Data

  • International Traffic in Arms Regulations (ITAR)
  • Export Administration Regulations (EAR)*
No | See below | No | No | No | No | Yes

Financial Records (PCI-DSS)

  • Credit card information
  • Financial records
No | Yes (varies) | No | No | No | No | Yes

Bank Account Information


Yes (varies) No No No Yes (varies) Yes

Personal Information (93H) 

  • Driver's License Number
  • State ID Card Number
  • Financial Account Number
No Yes Yes No No Yes (varies)

Student Education Records (FERPA)

  • Grades
  • Class rosters
Yes | Yes | Yes | No | No | Yes (varies) | Yes

Identification Information

  • Student and Employee IDs
  • Visa and Passport Information
Yes | Yes | Yes | No | No | Yes (varies) | Yes

Confidential Research

  • University trade secrets
  • Intellectual property
  • Third-party confidential or proprietary data

  • Sensitive personal research data

No | Yes (varies) | No | No | No | Yes (varies) | Yes

Other Research Data

  • Research data that doesn't fit the descriptions above or otherwise is not considered confidential 
Yes | Yes | Yes | No (varies) | No (varies) | No | Yes

Operational Use Only

  • Staff meeting notes
  • Business process documentation
  • Campus infrastructure plans
  • System configuration/ log files
Yes Yes Yes (varies) Yes Yes Yes

Unclassified Data

  • Campus maps
  • Schedule of classes
  • Policies
  • Student directory information
  • Publicly-available or published research data 
Yes | Yes | Yes | Yes | Yes | Yes | Yes
* The classification level for Export Administration Regulations (EAR) and Protected Health Information (PHI) data varies depending on the specific content of the data. Consult your supervisor or department chair if you are not sure of the accurate data classification level.
Apps at UMass Amherst is the customized version of Google's popular suite of online productivity and collaboration tools designed especially for educational institutions. UMass Amherst has negotiated a contract with Google to adhere to security best practices and has authorized Google to act as an agent of the university. The contract allows some sensitive data to be stored on Apps at UMass Amherst, but not restricted data (e.g., financial records, medical records).
Secure Storage at UMass Amherst (Box) is a document storage, management, and collaboration tool with a contract and Business Associates Agreement with the university to cover sensitive data. Individuals are responsible for configuring Box in compliance with data regulations, including HIPAA, human subject data restrictions, and other data use agreements.
Box does meet the NIST 800-171 requirements. NIST 800-171 for Controlled Unclassified Information outlines a subset of NIST 800-53 requirements. Box is going through the FedRAMP process (which outlines compliance with NIST 800-53 requirements) with the Department of Defense to receive an authorization to host Impact Level 4 data. The DoD defines Impact Level 4 data as: Controlled Classified Information.

Information Management for Secure Online Storage at UMass Amherst

Exchange & UMail are email and/or calendaring services provided by UMass Amherst IT and hosted on campus.  
Public-Facing UMass Web Sites & Blogs are university-owned services, but their public nature makes them unsuitable for storing sensitive data.
Web Hosting at UMass Amherst | Blogs at UMass Amherst
Cloud Storage Services without a contract with the university, including Dropbox, Amazon Cloud, or other commercial data services, are not appropriate for storing most university data.
Cloud Storage Services with UMass Contract: Some commercial cloud storage services hold contracts with UMass Amherst. Each contract will stipulate the vendor's responsibilities regarding university data. Check with your supervisor or department chair to find out more about each service's contract. 
Secure Storage Options: Your department may have chosen a secure storage solution for all sensitive data (e.g., a secure file server). Check with your supervisor or department chair for more information. UMass Amherst IT also offers a secure storage service for a fee. Department chairs and IT professionals can contact the IT Help Center to discuss the best storage option(s) for their department.

About Data Classifications

The old University data classifications are outlined in Data Classification at UMass Amherst.

The new Data Categorization strategy, launched with the updated Information Security Policy, is outlined in Institutional Information, Research Data and Information System Categorization, and examples are provided on the Institutional Information and Research Data Categorization Examples page.

If you are not sure how a particular piece of data is categorized, check with your supervisor or department chair. As a rule, err on the side of caution and assume university data is confidential. This means choosing a secure storage option and declining to share it with others.

Cloud Storage: Understand the Risks

UMass Amherst has negotiated contracts with a number of storage providers. However, the use of cloud storage solutions presents risks to university data where UMass Amherst does not own and operate the systems supporting these services. The risks are even greater when using cloud services that do not hold contracts with the university. Key risks to consider when using vendor services are:
  • UMass Amherst does not own these vendor services, has limited oversight of university data, and cannot apply security controls once data has been uploaded to a cloud service. University staff may not be able to assist users in the event of data loss or a security breach.
  • Data stored on vendor services may be available to employees of these companies and could be illegitimately accessed without prior consent.
  • Export control regulations prohibit foreign nationals from accessing data and supporting systems. Vendors may employ foreign nationals, making these storage solutions unsuitable for data covered by export controls.
  • Vendor services may store data outside of the United States, which violates export control regulations. 

Related Policies

Many thanks to the University of California, Berkeley System and Network Security, whose Box and Google Use Agreement served as a model for this document. 
Last Updated: January 4, 2016