UIS.401.3 Data Handling Guidelines
In support of UIS 401 Data Protection and Security Policy (in revision)
Data Handling Requirements
University data is classified in three categories of risk levels: Low, Medium, and High. All data must be handled according to its risk classification and compliant with the minimum security standards for internal or external hosting, storage and transmission.
Risk Classification |
LOW |
MEDIUM |
HIGH |
||
---|---|---|---|---|---|
Data Type |
Public Information intended to be shared with the public. Information Georgetown has made available to the public. |
Internal Information intended for Georgetown faculty, students, staff. Information Georgetown has designated as private. |
Confidential Sensitive information intended for authorized individuals with explicit permission. Information Georgetown is obligated to make available only on a ‘need to know’ basis. |
Restricted Sensitive information protected by strict security controls. Information Georgetown is obligated to make available only on a ‘need to know’ basis. |
Regulated Information protected by specific controls dictated by law or external governance. Information Georgetown is obligated to keep protected from all unauthorized internal or external access. |
ExamplesAsk UIS if you’re not sure. These are examples, not exhaustive lists. |
Information in the public domain Publicly available campus data Faculty and staff appointments University marketing materials University directory information designated for public view |
Non-public meeting notes Processes, procedures, systems instructions |
Non-public contracts University GUID numbers Georgetown University internal memos and email, non-public reports, budgets, plans, financial info, board documents Financial account numbers Donor agreements and agreements in progress |
Unpublished research data Social Security Numbers Personally Identifiable Information; birth date, personal contact information; IDs/Passports/Driver Licenses Audit logs or records; infrastructure data Cyber Security Investigations |
Protected Health Information (PHI) Controlled Unclassified Information (CUI) Student records; Student admission data Payment Card Information (PCI) **No PCI data is to be transmitted through, processed or stored on GU networks** |
Printing/Storing(Paper documents, files) |
No data handling restriction |
|
|
|
|
Network Storage |
No data handling restriction |
|
|
|
**CUI and PHI require UIS authorization** |
Computer Storage |
No data handling restriction |
Device must meet UIS cyber security requirements for processing moderate-risk data. Data cannot be stored long-term on GU work or personal computer. GU external hard drives, managed by UIS are permitted with authorization |
Device must meet UIS cyber security requirements for processing moderate-risk data. Data cannot be stored long-term on GU work or personal computer. GU external hard drives, managed by UIS are permitted with authorization |
Device must meet UIS cyber security requirements for processing high-risk data. Data cannot be stored on GU work or personal computer. Data is to remain in managed and authorized storage system of record GU external hard drives, managed by UIS are permitted with authorization |
Device must meet UIS cyber security requirements for processing high-risk data. Data cannot be stored on GU work or personal computer. Data is to remain in managed and authorized storage system of record GU external hard drives, managed by UIS are permitted with authorization |
Sharing/Collaboration |
No data handling restriction |
|
|
GU Box | GU Box |
Transmitting |
No data handling restriction |
|
|
GU Box restricted link |
|
Hosting Online Meetings |
No data handling restriction |
|
|
GU Zoom (with authorization) | Method authorized by UIS/data controller/owner |
Survey/Polling |
No data handling restriction |
|
|
GU Qualtrics | Method authorized by UIS/data controller/owner |
E-Signing |
No data handling restriction | GU Docusign | GU Docusign | GU Docusign |
|
Deleting and Destroying |
No data handling restriction |
When data is no longer in use for University business and can be disposed of in accordance with the University Data Retention Rules, medium-risk data must be cleared: Cleared: A method of sanitization that applies programmatic, software-based techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard read and write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state.
|
When data is no longer in use for University business and can be disposed of in accordance with the University Data Retention Rules, medium-risk data must be cleared: Cleared: A method of sanitization that applies programmatic, software-based techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard read and write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state.
|
When data is no longer in use for University business and can be disposed of in accordance with the University Data Retention Rules, high-risk data must be purged or destroyed: Purge: A method of sanitization that applies physical or logical techniques that render high risk data recovery infeasible using state-of-the-art techniques. Destruction: A method of sanitization that renders high risk data recovery infeasible using state-of-the-art techniques and results in the subsequent inability to use the media or drive for storage of data.
|
When data is no longer in use for University business and can be disposed of in accordance with the University Data Retention Rules, high-risk data must be purged or destroyed: Purge: A method of sanitization that applies physical or logical techniques that render high risk data recovery infeasible using state-of-the-art techniques. Destruction: A method of sanitization that renders high risk data recovery infeasible using state-of-the-art techniques and results in the subsequent inability to use the media or drive for storage of data.
|
All handling of University data must align with University policies, standards, and requirements for data protection, security and privacy. Including but not limited to:
- UIS.401.2 Data Destruction Guidelines
- Research Data Protection Guidelines
- Regulated Data Security
- Security Considerations for Cloud Services
- Report a Data Security Incident
Updated March 2024