Information Management is the practice of treating information as an institutional resource that requires rules and practices for business process, privacy, security, compliance and risk management.
UMass Amherst staff, faculty, and students working with university data must comply with campus data security policies when using commercial storage and collaboration services. The following storage requirements have been established to protect sensitive university data, the data the university is legally or contractually obligated to protect. The university can face civil and criminal fines if sensitive data is accessed without authorization.
Although information management applies to all forms of institutional information and research data no matter what the format (e.g. paper or electronic), it increasingly relies upon information technology tools. Box is such a tool. In and of itself, it does not automatically manage business process or compliance; the user must take these factors into account. Thus, UMass Amherst IT offers this tool with the understanding that users must make informed decisions. Compliant technology does not guarantee compliant business processes.
Note: This matrix is based on the old classification scheme. Generally, in the new Data Categorization strategy, Restricted data and Confidential data will map to High or Moderate confidentiality, Operational data will map to Moderate or Low confidentiality, and Unclassified data will map to Low or N/A for confidentiality. We are in the process of updating this matrix to reflect the new Data Categorization strategy.
Data Storage Options
Yes = Acceptable storage option | No = Unacceptable storage option
Last Updated: January 4, 2016
| Data Classification & Examples: | Google Apps at UMass Amherst | Secure Storage at UMass Amherst (Box) | Exchange & UMail | Public-Facing UMass Web sites & Blogs | Cloud Storage Services | Cloud Storage Services with UMass Contract | Secure Storage Options |
|---|---|---|---|---|---|---|---|
| Restricted: | | | | | | | |
| Social Security Numbers | No | No | No | No | No | No | Yes |
| All Ethnicity Records | No | Yes (varies) | No | No | No | No | Yes |
| Medical Records (HIPAA) | No | Yes (varies) | No | No | No | No | Yes |
| Export Controlled Data | No | See below | No | No | No | No | Yes |
| Financial Records (PCI-DSS) | No | Yes (varies) | No | No | No | No | Yes |
| Bank Account Information | No | Yes (varies) | No | No | No | Yes (varies) | Yes |
| Confidential | | | | | | | |
| Personal Information (93H) | No | Yes | Yes | No | No | | Yes |
| Student Education Records (FERPA) | Yes | Yes | Yes | No | No | Yes (varies) | Yes |
| Identification Information | Yes | Yes | Yes | No | No | Yes (varies) | Yes |
| Confidential Research | No | Yes (varies) | No | No | No | Yes (varies) | Yes |
| Other Research Data | Yes | Yes | Yes | No (varies) | No (varies) | No | Yes |
| Operational Use Only | Yes | Yes | Yes | (varies) | Yes | Yes | Yes |
| Unclassified Data | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Information Management for Secure Online Storage at UMass Amherst
Web Hosting at UMass Amherst | Blogs at UMass Amherst
About Data Classifications
The old University data classifications are outlined in Data Classification at UMass Amherst.
The new Data Categorization strategy, launched with the updated Information Security Policy, is outlined in Institutional Information, Research Data and Information System Categorization, and examples are provided on the Institutional Information and Research Data Categorization Examples page.
Cloud Storage: Understand the Risks
- UMass Amherst does not own these vendor services, has limited oversight of university data, and cannot apply security controls once data has been uploaded to a cloud service. University staff may not be able to assist users in the event of data loss or a security breach.
- Data stored on vendor services may be available to employees of these companies and could be illegitimately accessed without prior consent.
- Export control regulations prohibit foreign nationals from accessing data and supporting systems. Vendors may employ foreign nationals, making these storage solutions unsuitable for data covered by export controls.
- Vendor services may store data outside of the United States, which violates export control regulations.