Data Handling Requirements

University data is classified into three risk levels: Low, Medium, and High. All data must be handled according to its risk classification and in compliance with the minimum security standards for internal or external hosting, storage, and transmission.

 
Data Classifications
HIGH Risk Data
MEDIUM Risk Data
LOW Risk Data

Access Controls (incl. Request for Data Access)

  • Access is limited to individuals who have been authorized by the appropriate Data Owner or Steward
     
  • Georgetown two-factor authentication is required wherever it is available
     
  • Confidentiality agreements must be signed and recorded by all appropriate parties
     
  • Remote access by third parties for technical support is limited to authenticated and authorized access in accordance with the UIS Technology Vendor Policy.

 

  • Access is limited to individuals who have been authorized by the appropriate Data Owner or Steward
     
  • Georgetown two-factor authentication is required wherever it is available
     
  • Remote access by third parties for technical support is limited to authenticated and authorized access in accordance with the UIS Technology Vendor Policy.

 

Access to view or modify low risk data may need to follow the requirements of the Two-Factor Authentication to GU Systems Policy, depending on the system in which the data is stored.

 

Copying/Printing/Sharing

  • Data must be encrypted in transit
     
  • Data cannot be emailed to other parties, internal or external
     
  • Data cannot be shared with other parties through consumer-level cloud sharing services (Dropbox, Box, Basecamp, etc.)
     
  • Data distribution is limited to individuals whose role requires access to the data and who have authorization to access the data.
     
  • Hard copies must not be left unattended and must be stored in a secure location.

 

  • Data must be encrypted in transit
     
  • Data distribution is limited to individuals whose role requires access to the data and who have authorization to access the data.
     
  • Hard copies must not be left unattended and must be stored in a secure location.

No requirements

Network Security

Must meet the requirements of the Information Systems Security Policy, Minimum Security Standards policies and procedures, and Minimum Security Standards for Servers.

No requirements

System Security

System owners, system administrators, and system users must follow the Information Systems Security Policy, Minimum Security Standards policies and procedures, and other applicable policies for system management and security.

No requirements

Physical Security

  • Data must be masked to prevent unauthorized access or viewing.
  • Hard copy files must be properly marked and stored in a locked cabinet.

No requirements

Data Storage

  • Data must be encrypted
  • Data must be stored in its system of record or in a University-approved cloud storage service or data center
  • The Data Steward must review and authorize any storage in third-party solutions
  • Storing data on individual workstations or mobile devices is not permitted.
  • Hard copies must not be left unattended and must be stored in a secure location.
  • All devices that access high risk data must meet the requirements of Minimum Security Standards policies and procedures.

No requirements

Backup/Disaster Recovery

  • Regular backup is required and recovery must be periodically tested.
     
  • Backup storage systems must be encrypted and stored in a secure location.

No requirements

Data disposal and destruction

When data is no longer in use for University business and can be disposed of in accordance with the University Data Retention Rules, data must be purged or destroyed:

Purge: A method of sanitization that applies physical or logical techniques that render high risk data recovery infeasible using state-of-the-art techniques.

Destruction: A method of sanitization that renders high risk data recovery infeasible using state-of-the-art techniques and results in the subsequent inability to use the media or drive for storage of data.

When data is no longer in use for University business and can be disposed of in accordance with the University Data Retention Rules, data must be cleared:

Cleared: A method of sanitization that applies programmatic, software-based techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state.
 

No requirements

 

Workstation and Mobile Devices (including personal devices)

  • Password protection and an inactivity auto-lock are required
     
  • University-owned data must not be present and must be removed from personally-owned devices or University-assigned devices before the individual is discharged from the University.
     
  • University-managed workstations and mobile devices must be re-imaged and follow data destruction procedures.

No requirements