USU DATA HANDLING REQUIREMENTS
Handling Controls |
|||
Non-Disclosure Agreement (NDA) |
▪ NDA is required prior to access by non-USU employees. |
▪ NDA is recommended prior to access by non-USU employees. |
No NDA requirements |
Internal Data Transfer |
▪ Encryption is required ▪ Instant Messaging is prohibited ▪ FTP is prohibited |
▪ Encryption is recommended ▪ Instant Messaging is prohibited ▪ FTP is prohibited |
No special requirements |
External Data Transfer |
▪ Encryption is required ▪ Instant Messaging is prohibited ▪ FTP is prohibited ▪ Remote access should be used only when necessary and only with Staff VPN and two‐factor authentication If data transfer is international, please contact Data Privacy Office. |
▪ Encryption is required ▪ Instant Messaging is prohibited ▪ FTP is prohibited |
No special requirements |
Data At Rest |
▪ Encryption is required Approved Storage Locations Box (USU accounts) Third-Party SaaS based on contractual agreement HIPAA-Compliant Survey Tools ServiceNow with approved controls
Prohibited Storage Locations Local Machines Personal Devices Mobile Devices Aggie Shares Local Storage on Dedicated Server Google Drive/Apps (USU accounts - not supported) Microsoft OneDrive/Office365 (USU accounts) Dropbox Portable Devices Digital Commons (Library Repository) ▪ Logical access controls are required to limit unauthorized use ▪ Physical access restricted to specific individuals |
▪ Encryption is recommended Approved Storage Locations Box (USU accounts) Third-Party SaaS based on contractual agreement HIPAA-Compliant Survey Tools ServiceNow with approved controls Local Machines configured with USU standards Personal Devices configured with USU standards Encrypted Mobile Devices Aggie Shares Local Storage on Dedicated Server configured with USU standards Google Drive/Apps (USU accounts - not supported) Microsoft OneDrive/Office365 (USU accounts) Prohibited Storage Locations Dropbox Portable Devices Digital Commons (Library Repository) ▪ Logical access controls are required to limit unauthorized use ▪ Physical access restricted to specific groups |
▪ Encryption is not required
▪ Logical access controls are required to limit unauthorized use
|
Mobile Devices |
▪ Encryption is required ▪ Remote wipe must be enabled, if possible |
▪ Encryption is recommended ▪ Remote wipe must be enabled, if possible |
No special requirements |
Data Collection (online survey, forms, etc.) |
▪ Encryption and Privacy Notice are required |
▪ Encryption is recommended ▪ Privacy Notice is required |
No special requirements |
Handling Controls |
Restricted |
Confidential |
Public |
Email * |
▪ Encryption is required Note: Email is not encrypted by default, encryption must be added ▪ Do not forward |
▪ Encryption is required Note: Email is not encrypted by default, encryption must be added ▪ Do not forward |
No special requirements |
Physical Mail |
▪ Mark “Open by Addressee Only” ▪ Use “Certified Mail” and sealed, tamper- resistant envelopes for external mailings ▪ Delivery confirmation is required ▪ Hand deliver internally |
▪ Mark “Open by Addressee Only” ▪ Use “Certified Mail” and sealed, tamper- resistant envelopes for external mailings ▪ Delivery confirmation is required ▪ Hand delivering is recommended over interoffice mail |
No special requirements |
Printer/Scanner * |
▪ Verify destination printer ▪ Attend printer while printing If printer/scanner has memory, ensure the sensitive data is deleted. |
▪ Verify destination printer ▪ Attend printer while printing If printer/scanner has memory, ensure the sensitive data is deleted. |
No special requirements |
Web Sites |
▪ Posting to internal sites is prohibited. ▪ Posting to Internet sites is prohibited. |
▪ Posting to publicly-accessible Internet sites is prohibited. |
No special requirements |
Telephone |
▪ Confirm participants on the call line ▪ Ensure private location |
▪ Confirm participants on the call line ▪ Ensure private location |
No special requirements |
Video / Web Conference Call |
▪ Pre-approve roster of attendees ▪ Confirm participants on the call line ▪ Ensure private location |
▪ Pre-approve roster of attendees ▪ Confirm participants on the call line ▪ Ensure private location |
No special requirements |
Fax |
▪ Attend receiving fax machine ▪ Verify destination number ▪ Confirm receipt ▪ Do not fax outside University without management approval |
▪ Attend receiving fax machine ▪ Verify destination number ▪ Do not fax outside University without management approval |
No special requirements |
Paper, Film/Video, Microfiche |
▪ Return to owner for destruction ▪ Owner personally verifies destruction through shredding or secure receptacle for future shredding |
▪ Shred or delete all documents or place in secure receptacle for future |
No special requirements |
Storage Media |
▪ Physically destroy the hard drives and media ▪ Requires use of University-approved vendor for destruction |
▪ Physically destroy the hard drives and media or use commercial overwrite software to destroy the data on the media (quick reformat of the media is not sufficient) |
▪ Physically destroy the hard drives and media or use commercial overwrite software to destroy the data on the media |
* If an email originates from outside of Box, Box is unable to provide encryption prior to the content entering Box. Therefore, using the “Upload by Email” feature in Box (for either the email application or a printer/scanner) is not a secure process unless the TLS encryption is enabled or an API is used.