Sensitive Data Storage

Sensitive Data Storage Best Practices

As an employee of SDSU, you are responsible for all university data that is sent, stored, or shared on all personal or university-owned devices that you use. Part of this responsibility includes choosing appropriate technology to manage and store the data, some of which may be confidential or restricted.
We have multiple options for data storage — from University servers to cloud-based services — but not all options are appropriate for all types of data. To help you choose the proper solutions for your university data, we've developed a matrix that outlines what can be stored where.

Google Shared Drive Data Security Plan

Preparing a Google Shared Drive Data Security Plan is recommended for users who would like to store protected level data on Google Shared Drive. The goals of the form are the following:
  • Provide details of what PL1 - Confidential data will be stored on Google Drive.
  • Document access, roles, permissions, and configuration.
  • Ensure that baseline security requirements provided by the IT Security Office are implemented.
If you are a faculty or staff sponsor who would like to request storage of PL1 - Confidential data on Google Shared Drive, the following steps are recommended:
  1. Create a copy of the Google Shared Drive Data Security Plan template for your use.
  2. Work with your Department IT to prepare a Google Shared Drive Data Security Plan.
  3. Create a ServiceNow ticket and assign to the IT-ITSO-Help Desk for review.
  4. Gather the applicable signatures on the completed Google Shared Drive Data Security Plan. The completed Google Drive Data Security Plan will be routed via AdobeSign with signatures from: 1) Staff, Faculty Sponsor, or Primary Investigator; 2) IT Lead, Manager, or Representative; 3) ITSO; and 4) the Institutional Review Board (IRB), which is only applicable if the data involves human subject research. The signed electronic copies will be retained by ITSO.
  5. Request creation of Google Shared Drive on ServiceNow. Shared Drive creation is subject to approval by IT User Services.

Sensitive Data Storage Classification

Information in the matrix below applies only to SDSU enterprise versions of the services. SDSU Data must never be stored in a consumer personal Gmail account (e.g., jdoe@gmail.com).

The CSU Information Security Data Classification Standard provides three levels of data classification regarding the level of security placed on the particular types of information assets. The list below is not exhaustive and should only be used as a reference for purposes of data protection. Data protection is the implementation of administrative, technical, or physical measures to guard against unauthorized access to data.

Protected Level 1 (PL-1 Confidential)

  • HIPAA: ePHI, Personal Health Records, Health Insurance Data
  • Personally Identifiable Information (PII): Name with Personally Identifiable Information: SSN, Passport, Visa, etc.
  • Gramm-Leach-Bliley Act (GLBA): Name with Financial Information, Bank Accounts, Tax Returns, etc.
  • Payment Card Industry Data Security Standard (PCI-DSS): Payment card information, Credit Card Numbers, Bank Account and Routing Numbers.
  • Law Enforcement Records: Name with Driver’s License, Criminal Background.
  • Campus Access Credentials: Passwords or credentials that grant access to level 1 and level 2 data.

Protected Level 2 (PL-2 Internal Use)

  • FERPA: Student Information: Educational Records not defined as “directory” information, typically: Grades, Courses taken, Schedule, Test Scores, Advising records, Educational services received, Disciplinary actions, Student photo.
  • Campus Financials.
  • Campus Attorney-client communication.
  • Employee Information: Name with: Home Address, Home Phone, Personal Email, Marital Status, Gender, Evaluation, Personnel Actions

Protected Level 3 (PL-3 General)

  • Publicly available information (publications, web): Information which may be designated as publicly available and/or intended to be provided to the public.

How to interpret the Matrix

  Use Permitted: There are no technical, policy or contractual issues that prohibit the storing and sharing of this data type with appropriate intended users using this service. If you have questions about who you can share data with, contact the data owner.

 Use Restricted: Use of this service with the regulated data type is restricted and special approval and additional controls are needed. Please contact the IT Security Office at security@sdsu.edu for more information.

 Use Prohibited: Use of this service with the regulated data type is prohibited. Do not use this service to send, store or share the regulated data type.

Sensitive Data Storage Matrix


NOTES
  • The Regulated Data Storage Matrix does not necessarily apply to data associated with faculty research. Research data that involves regulated data should have a Data Management Plan and should fulfill the security requirements of the granting agency as well as the policies and standards of SDSU.
  • The Regulated Data Storage Matrix only indicates if appropriate technical safeguards and contractual protections are in place for storing or sharing regulated or confidential data using a particular technology.