Data Classification & Storage
The Division of Information Technology has a few documents (Data Storage & Media Protection Policy and Data and System Classifications Standard) outlining the security requirements for classifying and protecting data. On this page, we'll break that down into easy-to-remember terms and illustrations.
Data at Radford University is classified into three tiers, with loss of data in higher tiers causing more damage to the individual and institution. Our classifications are:
- Highly Sensitive
- Social Security Number
- Driver's License or State/Federal ID number
- Passport Number
- Credit Card/Debit Card Number or Financial Account Number
- Personal Financial Information (Tax Records, Donation/Giving Information, etc.)
- Employee/Personnel Records (Pay Information, Disciplinary Records, Credentials, Attendance, Contract/Tenure, etc.)
- FERPA protected student data
- Protected Health Information (Medical or Mental History, Diagnoses, Treatment, Policy, etc.)
- Human Subject Research/Non-Public Research/Intellectual Information
- Investigative/Court Information
- Non-public Business Documents/Reports
- Controlled Unclassified Information (Other Regulated/Private/Confidential Information)
- Directory Information (see our FERPA policy for the definition of this)
- Other public information such as course listings, public releases, news articles, etc.
Storing Highly-Sensitive Data
Highly sensitive data is prohibited from being stored on any mobile device (e.g. laptop, phone, tablet, USB drive) unless the data is encrypted and an exception is requested; the exception must include:
- Business needs
- Mitigating security controls
- Acceptance of risk by Agency Head or designee
All media storage devices (e.g. hard drives, USB drives) are required to be purged of all data when reassigned, salvaged or transferred to another agency.
Data Storage Locations
You can see from the table above that the only authorized location to store Highly Sensitive data is a departmental Whale share. There will be a few exceptions to that rule for dedicated systems storing HIPAA and PCI protected data, but for the most part Whale is the only location authorized to store Highly Sensitive data.
Email is not an acceptable medium to transmit Highly Sensitive data. A copy of every message is saved in the sender's mailbox (under Sent Items) and in the recipient's mailbox, so the data ends up stored in an unauthorized location. Email is also not encrypted in transit, which violates the confidentiality of the data transmitted.
To reiterate, Email is not an acceptable medium to transmit highly sensitive data.
You have options to transmit highly sensitive data depending upon its destination:
- Intra-department: Whale share would be best. Files containing highly sensitive data shouldn't be stored on workstations unless an exception is on file.
- Inter-department: possibly a shared Whale share if that exists, otherwise XMedius SendSecure is a good solution.
- External to Radford: XMedius SendSecure is your only secure option unless the other party provides a secure portal to upload files to.
If you have any questions or would like to talk with us, please email us at email@example.com or call the Information Security Officer at 540-831-7770.