UIS.401.3 Data Handling Guidelines
In support of UIS 401 Data Protection and Security Policy
Data Handling Requirements
University data is classified in three categories of risk levels: Low, Medium, and High. All data must be handled according to its risk classification and compliant with the minimum security standards for internal or external hosting, storage and transmission.
Access Controls (incl. Request for Data Access)
High Risk Data
Access is limited to individuals who have been authorized by the appropriate Data Owner or Steward
Georgetown two-factor authentication is required wherever it is available
Confidentiality agreements must be signed and recorded by all appropriate parties
Remote access by third party for technical support is limited to authenticated and authorized access in accordance to UIS Technology Vendor Policy.
Medium Risk Data
Access is limited to individuals who have been authorized by the appropriate Data Owner or Steward
Georgetown two-factor authentication is required wherever it is available
Remote access by third party for technical support is limited to authenticated and authorized access in accordance to UIS Technology Vendor Policy.
Low Risk Data
Access to view or modify low risk data may need to follow requirements of Two-Factor Authentication to GU Systems Policy, depending on the system in which the data is stored.
Copying/Printing/Sharing
High Risk Data
Data must be encrypted in transit
Data cannot be emailed to other parties, internal or external
Data cannot be shared with other parties through consumer-level cloud sharing services (Dropbox, Box, Basecamp, etc)
Data distribution is limited to role requires access to the data and who have authorization to access the data.
Hard copies must not be left unattended and must be stored in a secure location.
Medium Risk Data
Data must be encrypted in transit
Data distribution is limited to role requires access to the data and who have authorization to access the data.
Hard copies must not be left unattended and must be stored in a secure location.
Low Risk Data
No requirements
Network Security
High and Medium Risk Data
Must meet the requirements of Information Systems Security Policy, Minimum Security Standards policies and procedures, and Minimum Security Standards for Servers.
Low Risk Data
No requirements
System Security
High and Medium Risk Data
System owners and system administrators and system users must follow Information Systems Security Policy, Minimum Security Standards policies and procedures and other applicable policies for system management and security.
Low Risk Data
No requirements
Physical Security
High and Medium Risk Data
Data must be masked to prevent unauthorized access or view.
Hard copy files must be properly marked and stored in a locked cabinet.
Low Risk Data
No requirements
Data Storage
High and Medium Risk Data
Data must be encrypted
Data must be stored in its system of record or in University-approved cloud storage service or data center appropriately configured and maintained to protect it.
Data Steward must review and authorize and storage in third-party solutions
Storing data on individual workstations or mobile devices is not permitted.
Hard copies must not be left unattended and must be stored in a secure location.
All devices that access high risk data must meet the requirements of Minimum Security Standards policies and procedures.
Low Risk Data
No requirements
Backup/Disaster Recovery
High and Medium Risk Data
Regular backup is required and recovery periodically tested.
Backup storage systems must be encrypted and stored in a secure location.
Low Risk Data
No requirements
Data disposal and destruction
High Risk Data
When data is no longer in use for University business and can be disposed of in accordance to the University Data Retention Rules, data must be purged or destroyed:
Purge: A method of sanitization that applies physical or logical techniques that render high risk data recovery infeasible using state-of-the-art techniques.
Destruction: A method of sanitization that renders high risk data recovery infeasible using state-of-the-art techniques and results in the subsequent inability to use the media or drive for storage of data.
Medium Risk Data
When data is no longer in use for University business and can be disposed of in accordance to the University Data Retention Rules, data must be cleared:
Cleared: A method of sanitization that applies programmatic, software-based techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state.
Low Risk Data
No requirements
Workstation and Mobile Devices (including personal devices)
High and Medium Risk Data
Password protection and an inactivity auto-lock are required
University-owned data must not be present and must be removed from personally-owned devices or University assigned devices before the individual is discharged from the University.
University-managed workstations and mobile devices must be re-imaged and follow data destruction procedures.
Low Risk Data
No requirements