Information Management and Storing University Data

Information Management and Storing University Data [1]

UMail will be retired in early 2020 as it has reached end-of-life and will no longer be supported. Faculty and staff using UMail will receive additional information as migrations to Google Mail and Microsoft Exchange [2] continue.

Information Management is the practice of treating information as an institutional resource that requires rules and practices for business process, privacy, security, compliance and risk management.

UMass Amherst staff, faculty, and students working with university data must comply with campus data security policies when using commercial storage and collaboration services. The following storage requirements have been established to protect sensitive university data, the data the university is legally or contractually obligated to protect. The university can face civil and criminal fines if sensitive data is accessed without authorization.

Although information management applies to all forms of institutional information and research data not matter what its format (e.g. paper or electronic), increasingly it relies upon information technology tools in this process. Box is such a tool. As such, in and of itself it does not automatically manage business process or compliance but requires the user to take these factors into account. Thus, UMass Amherst IT offers this tool with the understanding users must make informed decisions. Compliant technology does not guarantee compliant business processes.

Note: This matrix is based on the old classification scheme. Generally in the new Data Categorization strategy [3], Restricted data and Confidential data will map to High or Moderate confidentiality, Operational data will map to Moderate or Low confidentiality and Unclassified data will map to Low or N/A for confidentiality. We are in the process of updating this matrix to reflect the new Data Categorization strategy.

Data Storage Options

Yes = Acceptable storage option | No = Unacceptable storage option Last Updated: January 4, 2016

Data Classification & Examples:	Google Apps at UMass Amherst	Secure Storage at UMass Amherst (Box)	Exchange & UMail	Public-Facing UMass Web sites & Blogs	Cloud Storage Services	Cloud Storage Services with UMass Contract	Secure Storage Options
Restricted:
Social Security Numbers	No	No	No	No	No	No	Yes
All Ethnicity Records	No	Yes (varies) [4]	No	No	No	No	Yes
Medical Records (HIPAA) Patient Records Protected Health Information (PHI)*	No	Yes (varies) [4]	No	No	No	No	Yes
Export Controlled Data International Traffic in Arms Regulations (ITAR) Export Administration Regulations (EAR)*	No	See below	No	No	No	No [4]	Yes
Financial Records (PCI-DSS) Credit card information Financial records	No	Yes (varies) [4]	No	No	No	No [4]	Yes
Bank Account Information	No	Yes (varies) [4]	No	No	No	Yes (varies) [4]	Yes
Confidential
Personal Information (93H) Driver's License Number State ID Card Number Financial Account Number	No	Yes	Yes	No	No	Yes (varies) [4]	Yes
Student Education Records (FERPA) Grades Class rosters	Yes	Yes	Yes	No	No	Yes (varies) [4]	Yes
Identification Information Student and Employee IDs Visa and Passport Information	Yes	Yes	Yes	No	No	Yes (varies) [4]	Yes
Confidential Research University trade secrets Intellectual property Third-party confidential or proprietary data Sensitive personal research data	No	Yes (varies) [4]	No	No	No	Yes (varies) [4]	Yes
Other Research Data Research data that doesn't fit the descriptions above or otherwise is not considered confidential	Yes	Yes	Yes	No (varies)	No (varies)	No	Yes
Operational Use Only Staff meeting notes Business process documentation Campus infrastructure plans System configuration/ log files	Yes	Yes	Yes	(varies)	Yes	Yes	Yes
Unclassified Data Campus maps Schedule of classes Policies Student directory information Publicly-available or published research data	Yes	Yes	Yes	Yes	Yes	Yes	Yes

* The classification level for Export Administration Regulations (EAR) and Protected Health Information (PHI) data (varies) depending on the specific content of the data. Consult your supervisor or department chair if you are not sure of the accurate data classification level.

Apps at UMass Amherst is the customized version of Google's popular suite of online productivity and collaboration tools designed especially for educational institutions. UMass Amherst has negotiated a contract with Google to adhere to security best practices and has authorized Google to act as an agent of the university. The contract allows some sensitive data to be stored on Apps at UMass Amherst, but not restricted data (e.g., financial records, medical records).

Secure Storage at UMass Amherst (Box) is a document storage, management, and collaboration tool with a contract and Business Associates Agreement with the university to cover sensitive data. Individuals are responsible for configuring Box in compliance with data regulations, including HIPAA, human subject data restrictions, and other data use agreements.

Box does meet the NIST 800-171 requirements. NIST 800-171 for Controlled Unclassified Information outlines a subset of NIST 800-53 requirements. Box is going through the FedRAMP process (which outlines compliance with NIST 800-53 requirements) with the Department of Defense to receive an authorization to host Impact Level 4 data. The DoD defines Impact Level 4 data as: Controlled Classified Information.

Information Management for Secure Online Storage at UMass Amherst [5]

Exchange & UMail are email and/or calendaring services [2] provided by UMass Amherst IT and hosted on campus.

Public-Facing UMass Web Sites & Blogs are university-owned services, but their public nature makes them unsuitable for storing sensitive data.
Web Hosting at UMass Amherst [6] | Blogs at UMass Amherst [7]

Cloud Storage Services without a contract with the university, including Dropbox, Box.net, Amazon Cloud, or other commercial data services, are not appropriate for storing most university data.

Cloud Storage Services with UMass Contract: Some commercial cloud storage services hold contracts with UMass Amherst. Each contract will stipulate the vendor's responsibilities regarding university data. Check with your supervisor or department chair to find out more about each service's contract.

Secure Storage Options: Your department may have chosen a secure storage solution for all sensitive data (e.g., a secure file server). Check with your supervisor or department chair for more information. UMass Amherst IT also offers a secure storage service for a fee. Department chairs and IT professionals can contact the IT Help Center [8] to discuss the best storage option(s) for their department.

About Data Classifications

The old University data classifications are outlined in Data Classification at UMass Amherst [9].

The new Data Categorization strategy, launced with the updated Information Security Policy, is outlined in Institutional Information, Research Data and Information System Categorization [10] and examples are provided on the Institutional Information and Research Data Categorization Examples [11] page.

If you are not sure how a particular piece of data is categorized, check with your supervisor or department chair. As a rule, err on the side of caution and assume university data is confidential. This means choosing a secure storage option and declining to share it with others.

Cloud Storage: Understand the Risks

UMass Amherst has negotiated contracts with a number of storage providers. However, the use of cloud storage solutions presents risks to university data where UMass Amherst does not own and operate the systems supporting these services. The risks are even greater when using cloud services that do not hold contracts with the university. Key risks to consider when using vendor services are:

UMass Amherst does not own these vendor services and has limited oversight of university data and cannot apply security controls once it has been uploaded to a cloud service. University staff may not be able to assist users in the event of data loss or security breach.
Data stored on vendor services may be available to employees of these companies and could be illegitimately accessed without prior consent.
Export control regulations prohibit foreign nationals to access data and supporting systems. Vendors may employ foreign nationals, making these storage solutions unsuitable to data covered by export controls.
Vendor services may store data outside of the United States, which violates export control regulations.

Related Policies

UMass Amherst IT Policy: Acceptable Use of Computing & Information Technology Resources [12]

UMass Amherst IT Policy: Email Communications [13]

UMass Amherst IT Policy: Complex Passwords [14]

Policies & Guidelines/Standards: Data and Computing [15]

Many thanks to the University of California, Berkeley System and Network Security, whose Box and Google Use Agreement [16] served as a model for this document.

Last Updated: January 4, 2016

Data Storage Options

Yes = Acceptable storage option | No = Unacceptable storage option Last Updated: January 4, 2016

Social Security Numbers

All Ethnicity Records

Medical Records (HIPAA)

Export Controlled Data

Financial Records (PCI-DSS)

Bank Account Information

Personal Information (93H)

Student Education Records (FERPA)

Identification Information

Confidential Research

Operational Use Only

Unclassified Data

About Data Classifications

Cloud Storage: Understand the Risks

Related Policies