UIS.401.3 Data Handling Guidelines

In support of UIS 401 Data Protection and Security Policy (in revision)

Data Handling Requirements

University data is classified into three risk levels: Low, Medium, and High. All data must be handled according to its risk classification and in compliance with the minimum security standards for internal or external hosting, storage and transmission.

Risk Classification: LOW (Public), MEDIUM (Internal, Confidential), HIGH (Restricted, Regulated)

Data Type

Public

Information intended to be shared with the public.

Information Georgetown has made available to the public.

Internal

Information intended for Georgetown faculty, students, staff.

Information Georgetown has designated as private.

Confidential

Sensitive information intended for authorized individuals with explicit permission. 

Information Georgetown is obligated to make available only on a ‘need to know’ basis.

Restricted

Sensitive information protected by strict security controls.

Information Georgetown is obligated to make available only on a ‘need to know’ basis.

Regulated

Information protected by specific controls dictated by law or external governance.

Information Georgetown is obligated to keep protected from all unauthorized internal or external access.

Examples

Ask UIS if you’re not sure. These are examples, not exhaustive lists.

Information in the public domain

Publicly available campus data

Faculty and staff appointments

University marketing materials

University directory information designated for public view

University and employee GUID numbers

Non-public meeting notes

Processes, procedures, systems instructions

Non-public contracts

Georgetown University internal memos and email, non-public reports, budgets, plans, financial info, board documents

Financial account numbers

Donor agreements and agreements in progress

Unpublished research data

Social Security Numbers

Personally Identifiable Information; birth date, personal contact information; IDs/Passports/Driver Licenses

Audit logs or records; infrastructure data

Cyber Security Investigations

Protected Health Information (PHI)

Controlled Unclassified Information (CUI)

Student records; Student admission data

Payment Card Information (PCI) **No PCI data is to be transmitted through, processed or stored on GU networks**

Printing/Storing

(Paper documents, files)

Public: No data handling restriction

Internal, Confidential, Restricted:
  • Locked drawers or cabinets
  • Do not leave unattended on copiers/printers

Regulated:
  • Locked drawers or cabinets
  • Send to printer using stored/locked job. Enter authorization code at printer

Network Storage

Public: No data handling restriction

Internal, Confidential:
  • GU Google Drive
  • GU Box
  • GU GCP
  • GU AWS
  • GU EFS (Share Drives)

Restricted:
  • GU Box
  • GU GCP
  • GU AWS

Regulated:
  • GU Box
  • GU GCP
  • GU AWS
  • Authorized external storage

**CUI and PHI require UIS authorization**

Computer Storage

(Security Requirements for Workstations)

(Security Requirements for Servers)

Public: No data handling restriction

Internal, Confidential:
  • Device must meet UIS cyber security requirements for processing moderate-risk data.
  • Data cannot be stored long-term on GU work or personal computer.
  • GU external hard drives, managed by UIS, are permitted with authorization.

Restricted, Regulated:
  • Device must meet UIS cyber security requirements for processing high-risk data. Data cannot be stored on GU work or personal computer.
  • Data is to remain in managed and authorized storage system of record.
  • GU external hard drives, managed by UIS, are permitted with authorization.

Sharing/Collaboration

Public: No data handling restriction

Internal, Confidential:
  • GU Email
  • GU Box
  • GU Google Workspace Apps
  • GU Slack

Restricted, Regulated:
  • GU Box

Transmitting

Public: No data handling restriction

Internal, Confidential:
  • GU Email
  • GU Box
  • GU Google Workspace Apps

Restricted:
  • GU Box restricted link

Regulated:
  • GU Box restricted link
  • Method authorized by UIS/data controller/owner

Online Meeting

Public: No data handling restriction

Internal, Confidential:
  • GU Zoom
  • GU Google Meet
  • GU Teams

Restricted:
  • GU Zoom (with authorization)

Regulated:
  • Method authorized by UIS/data controller/owner

Survey/Polling

Public: No data handling restriction

Internal, Confidential:
  • GU Qualtrics
  • Survey Monkey (approved, not GU licensed)
  • Doodle (approved, not GU licensed)

Restricted:
  • GU Qualtrics

Regulated:
  • Method authorized by UIS/data controller/owner

E-Signing

Public: No data handling restriction

Internal, Confidential, Restricted:
  • GU Docusign

Regulated:
  • GU Docusign
  • Method authorized by UIS/data controller/owner

Deleting and Destroying

Public: No data handling restriction

Internal, Confidential:

When data is no longer in use for University business and can be disposed of in accordance with the University Data Retention Rules, medium-risk data must be cleared:

Cleared: A method of sanitization that applies programmatic, software-based techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard read and write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state.

  • GU devices cannot be donated or disposed of without evidence of UIS data sanitization activities prior to disposal.
  • 3rd-party access to moderate-risk data must include provisions to dispose of data upon service termination.

Restricted, Regulated:

When data is no longer in use for University business and can be disposed of in accordance with the University Data Retention Rules, high-risk data must be purged or destroyed:

Purge: A method of sanitization that applies physical or logical techniques that render high risk data recovery infeasible using state-of-the-art techniques.

Destruction: A method of sanitization that renders high risk data recovery infeasible using state-of-the-art techniques and results in the subsequent inability to use the media or drive for storage of data.

  • GU devices cannot be donated or disposed of without evidence of UIS data sanitization activities prior to disposal.
  • 3rd-party access to high-risk data must include provisions to dispose of data upon service termination.

All handling of University data must align with University policies, standards, and requirements for data protection, security and privacy. Including but not limited to:

Updated March 2021