UIS.401.3 Data Handling Guidelines

In support of UIS 401 Data Protection and Security Policy

Data Handling Requirements

University data is classified in three categories of risk levels: Low, Medium, and High. All data must be handled according to its risk classification and compliant with the minimum security standards for internal or external hosting, storage and transmission.

Access Controls (incl. Request for Data Access)

High Risk Data

Access is limited to individuals who have been authorized by the appropriate Data Owner or Steward

Georgetown two-factor authentication is required wherever it is available

Confidentiality agreements must be signed and recorded by all appropriate parties

Remote access by third party for technical support is limited to authenticated and authorized access in accordance to UIS Technology Vendor Policy.

Medium Risk Data

Access is limited to individuals who have been authorized by the appropriate Data Owner or Steward

Georgetown two-factor authentication is required wherever it is available

Remote access by third party for technical support is limited to authenticated and authorized access in accordance to UIS Technology Vendor Policy.

Low Risk Data

Access to view or modify low risk data may need to follow requirements of Two-Factor Authentication to GU Systems Policy, depending on the system in which the data is stored.


Copying/Printing/Sharing

High Risk Data

Data must be encrypted in transit

Data cannot be emailed to other parties, internal or external

Data cannot be shared with other parties through consumer-level cloud sharing services (Dropbox, Box, Basecamp, etc)

Data distribution is limited to role requires access to the data and who have authorization to access the data.

Hard copies must not be left unattended and must be stored in a secure location.

Medium Risk Data

Data must be encrypted in transit

Data distribution is limited to role requires access to the data and who have authorization to access the data.

Hard copies must not be left unattended and must be stored in a secure location.

Low Risk Data

No requirements


Network Security

High and Medium Risk Data

Must meet the requirements of Information Systems Security Policy, Minimum Security Standards policies and procedures, and Minimum Security Standards for Servers.

Low Risk Data

No requirements


System Security

High and Medium Risk Data

System owners and system administrators and system users must follow Information Systems Security Policy, Minimum Security Standards policies and procedures and other applicable policies for system management and security.

Low Risk Data

No requirements


Physical Security

High and Medium Risk Data

Data must be masked to prevent unauthorized access or view.

Hard copy files must be properly marked and stored in a locked cabinet.

Low Risk Data

No requirements


Data Storage

High and Medium Risk Data

Data must be encrypted

Data must be stored in its system of record or in University-approved cloud storage service or data center

Data Steward must review and authorize and storage in third-party solutions

Storing data on individual workstations or mobile devices is not permitted.

Hard copies must not be left unattended and must be stored in a secure location.

All devices that access high risk data must meet the requirements of Minimum Security Standards policies and procedures.

Low Risk Data

No requirements


Backup/Disaster Recovery

High and Medium Risk Data

Regular backup is required and recovery periodically tested.

Backup storage systems must be encrypted and stored in a secure location.

Low Risk Data

No requirements


Data disposal and destruction

High Risk Data

When data is no longer in use for University business and can be disposed of in accordance to the University Data Retention Rules, data must be purged or destroyed:

Purge: A method of sanitization that applies physical or logical techniques that render high risk data recovery infeasible using state-of-the-art techniques.

Destruction: A method of sanitization that renders high risk data recovery infeasible using state-of-the-art techniques and results in the subsequent inability to use the media or drive for storage of data.

Medium Risk Data

When data is no longer in use for University business and can be disposed of in accordance to the University Data Retention Rules, data must be cleared:

Cleared: A method of sanitization that applies programmatic, software-based techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state.

Low Risk Data

No requirements


Workstation and Mobile Devices (including personal devices)

High and Medium Risk Data

Password protection and an inactivity auto-lock are required

University-owned data must not be present and must be removed from personally-owned devices or University assigned devices before the individual is discharged from the University.

University-managed workstations and mobile devices must be re-imaged and follow data destruction procedures.

Low Risk Data

No requirements