Information Management and Storing University Data [1]
Information Management is the practice of treating information as an institutional resource that requires rules and practices for business process, privacy, security, compliance and risk management.
UMass Amherst staff, faculty, and students working with university data must comply with campus data security policies when using commercial storage and collaboration services. The following storage requirements have been established to protect sensitive university data, the data the university is legally or contractually obligated to protect. The university can face civil and criminal fines if sensitive data is accessed without authorization.
Although information management applies to all forms of institutional information and research data not matter what its format (e.g. paper or electronic), increasingly it relies upon information technology tools in this process. Box is such a tool. As such, in and of itself it does not automatically manage business process or compliance but requires the user to take these factors into account. Thus, UMass Amherst IT offers this tool with the understanding users must make informed decisions. Compliant technology does not guarantee compliant business processes.
Data Storage Options
Yes = Acceptable storage option | No = Unacceptable storage option Last Updated: January 4, 2016
| Data Classification & Examples: | Google Apps at UMass Amherst | Secure Storage at UMass Amherst (Box) | Exchange & UMail | Public-Facing UMass Web sites & Blogs | Cloud Storage Services | Cloud Storage Services with UMass Contract | Secure Storage Options | |
|---|---|---|---|---|---|---|---|---|
| Restricted: | ||||||||
Social Security Numbers |
No |
No | No | No | No | No | Yes | |
All Ethnicity Records |
No | Yes (varies) [2] | No | No | No | No | Yes | |
Medical Records (HIPAA)
|
No | Yes (varies) [2] | No | No | No | No | Yes | |
Export Controlled Data
|
No | See below | No | No | No | No [2] | Yes | |
Financial Records (PCI-DSS)
|
No | Yes (varies) [2] | No | No | No | No [2] | Yes | |
Bank Account Information |
No |
Yes (varies) [2] | No | No | No | Yes (varies) [2] | Yes | |
| Confidential | ||||||||
Personal Information (93H)
|
No | Yes | Yes | No | No |
Yes (varies) [2]
|
Yes | |
Student Education Records (FERPA)
|
Yes | Yes | Yes | No | No | Yes (varies) [2] | Yes | |
Identification Information
|
Yes | Yes | Yes | No | No | Yes (varies) [2] | Yes | |
Confidential Research
|
No | Yes (varies) [2] | No | No | No | Yes (varies) [2] | Yes | |
|
Other Research Data
|
Yes | Yes | Yes |
No (varies) |
No (varies) | No | Yes | |
Operational Use Only
|
Yes | Yes | Yes | (varies) | Yes | Yes | Yes | |
Unclassified Data
|
Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
* The classification level for Export Administration Regulations (EAR) and Protected Health Information (PHI) data (varies) depending on the specific content of the data. Consult your supervisor or department chair if you are not sure of the accurate data classification level.
Apps at UMass Amherst is the customized version of Google's popular suite of online productivity and collaboration tools designed especially for educational institutions. UMass Amherst has negotiated a contract with Google to adhere to security best practices and has authorized Google to act as an agent of the university. The contract allows some sensitive data to be stored on Apps at UMass Amherst, but not restricted data (e.g., financial records, medical records).
Secure Storage at UMass Amherst (Box) is a document storage, management, and collaboration tool with a contract and Business Associates Agreement with the university to cover sensitive data. Individuals are responsible for configuring Box in compliance with data regulations, including HIPAA, human subject data restrictions, and other data use agreements.
Box does meet the NIST 800-171 requirements. NIST 800-171 for Controlled Unclassified Information outlines a subset of NIST 800-53 requirements. Box is going through the FedRAMP process (which outlines compliance with NIST 800-53 requirements) with the Department of Defense to receive an authorization to host Impact Level 4 data. The DoD defines Impact Level 4 data as: Controlled Classified Information.
Information Management for Secure Online Storage at UMass Amherst [3]
Exchange & UMail are email and/or calendaring services [4] provided by UMass Amherst IT and hosted on campus.
Public-Facing UMass Web Sites & Blogs are university-owned services, but their public nature makes them unsuitable for storing sensitive data.
Web Hosting at UMass Amherst [5] | Blogs at UMass Amherst [6]
Web Hosting at UMass Amherst [5] | Blogs at UMass Amherst [6]
Cloud Storage Services without a contract with the university, including Dropbox, Box.net, Amazon Cloud, or other commercial data services, are not appropriate for storing most university data.
Cloud Storage Services with UMass Contract: Some commercial cloud storage services hold contracts with UMass Amherst. Each contract will stipulate the vendor's responsibilities regarding university data. Check with your supervisor or department chair to find out more about each service's contract.
Secure Storage Options: Your department may have chosen a secure storage solution for all sensitive data (e.g., a secure file server). Check with your supervisor or department chair for more information. UMass Amherst IT also offers a secure storage service for a fee. Department chairs and IT professionals can contact the IT Help Center [7] to discuss the best storage option(s) for their department.
About Data Classifications
University data classifications are outlined in Data Classification at UMass Amherst [8].
If you are not sure how to classify a piece of data, check with your supervisor or department chair. As a rule, err on the side of caution and assume university data is confidential. This means choosing a secure storage option and declining to share it with others.
Cloud Storage: Understand the Risks
UMass Amherst has negotiated contracts with a number of storage providers. However, the use of cloud storage solutions presents risks to university data where UMass Amherst does not own and operate the systems supporting these services. The risks are even greater when using cloud services that do not hold contracts with the university. Key risks to consider when using vendor services are:
- UMass Amherst does not own these vendor services and has limited oversight of university data and cannot apply security controls once it has been uploaded to a cloud service. University staff may not be able to assist users in the event of data loss or security breach.
- Data stored on vendor services may be available to employees of these companies and could be illegitimately accessed without prior consent.
- Export control regulations prohibit foreign nationals to access data and supporting systems. Vendors may employ foreign nationals, making these storage solutions unsuitable to data covered by export controls.
- Vendor services may store data outside of the United States, which violates export control regulations.
Related Policies
Many thanks to the University of California, Berkeley System and Network Security, whose Box and Google Use Agreement [13] served as a model for this document.
Last Updated: January 4, 2016