Information Management and Storing University Data [1]
Information Management is the practice of treating information as an institutional resource that requires rules and practices for business process, privacy, security, compliance and risk management.
UMass Amherst staff, faculty, and students working with university data must comply with campus data security policies when using commercial storage and collaboration services. The following storage requirements have been established to protect sensitive university data, the data the university is legally or contractually obligated to protect. The university can face civil and criminal fines if sensitive data is accessed without authorization.
Although information management applies to all forms of institutional information and research data no matter what the format (e.g. paper or electronic), it increasingly relies upon information technology tools. Box is such a tool. In and of itself, it does not automatically manage business process or compliance; the user must take these factors into account. Thus, UMass Amherst IT offers this tool with the understanding that users must make informed decisions. Compliant technology does not guarantee compliant business processes.
Data Storage Options
Yes = Acceptable storage option | No = Unacceptable storage option
Last Updated: January 4, 2016
| Data Classification & Examples: | Google Apps at UMass Amherst | Secure Storage at UMass Amherst (Box) | Exchange & UMail | Public-Facing UMass Web sites & Blogs | Cloud Storage Services | Cloud Storage Services with UMass Contract | Secure Storage Options |
|---|---|---|---|---|---|---|---|
| Restricted: | | | | | | | |
| Social Security Numbers | No | No | No | No | No | No | Yes |
| All Ethnicity Records | No | Yes (varies) [2] | No | No | No | No | Yes |
| Medical Records (HIPAA) | No | Yes (varies) [2] | No | No | No | No | Yes |
| Export Controlled Data | No | See below | No | No | No | No [2] | Yes |
| Financial Records (PCI-DSS) | No | Yes (varies) [2] | No | No | No | No [2] | Yes |
| Bank Account Information | No | Yes (varies) [2] | No | No | No | Yes (varies) [2] | Yes |
| Confidential | | | | | | | |
| Personal Information (93H) | No | Yes | Yes | No | No | Yes (varies) [2] | Yes |
| Student Education Records (FERPA) | Yes | Yes | Yes | No | No | Yes (varies) [2] | Yes |
| Identification Information | Yes | Yes | Yes | No | No | Yes (varies) [2] | Yes |
| Confidential Research | No | Yes (varies) [2] | No | No | No | Yes (varies) [2] | Yes |
| Other Research Data | Yes | Yes | Yes | No (varies) | No (varies) | No | Yes |
| Operational Use Only | Yes | Yes | Yes | (varies) | Yes | Yes | Yes |
| Unclassified Data | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Information Management for Secure Online Storage at UMass Amherst [3]
Web Hosting at UMass Amherst [5] | Blogs at UMass Amherst [6]
About Data Classifications
University data classifications are outlined in Data Classification at UMass Amherst [8].
Cloud Storage: Understand the Risks
- UMass Amherst does not own these vendor services, has limited oversight of university data, and cannot apply security controls once the data has been uploaded to a cloud service. University staff may not be able to assist users in the event of data loss or a security breach.
- Data stored on vendor services may be available to employees of these companies and could be illegitimately accessed without prior consent.
- Export control regulations prohibit foreign nationals from accessing data and supporting systems. Vendors may employ foreign nationals, making these storage solutions unsuitable for data covered by export controls.
- Vendor services may store data outside of the United States, which violates export control regulations.