I. PURPOSE
The purpose of this document is to provide guidance for protecting University information resources from unauthorized access or disclosure. The goal is to assure that every member of the UNC Pembroke community can identify non-public data and follow appropriate security precautions to protect the data so as to avoid compromising the privacy rights of others or UNC Pembroke’s institutional rights or obligations.
II. SCOPE
This guideline applies to UNC Pembroke faculty, staff, students, associates, affiliates, contractors, volunteers, or visitors accessing University owned or managed data, in physical or electronic format.
III. CONTACTS
Direct any questions about this guideline to helpdesk@uncp.edu and your request will be routed appropriately.
IV. DATA CLASSIFICATION LEVELS
Every member of the UNC Pembroke community should be able to identify the appropriate classification level of any data they are accessing or maintaining in electronic or physical form.
Data classification levels range from Level 0 (public) to Level 3 (highly restricted). Any data other than Level 0 data is considered to be non-public data. The four classification levels are:
Level 0 - Public
- University data that is purposefully made available to the public.
- Disclosure of Level 0 data requires no authorization and may be freely disseminated without potential harm to the University.
Public data includes, but is not limited to: advertising, product and service information, directory listings, published research, presentations or papers, job postings, press releases.
Level 1 - Internal
- University owned or managed data that includes information that is not openly shared with the general public but is not specifically required to be protected by statute or regulation.
- Unauthorized disclosure would not result in direct financial loss or any legal, contractual, or regulatory violations, but might otherwise adversely impact the University, individuals, or affiliates.
- Level 1 data is intended for use by a designated workgroup, department, or group of individuals within the University.
Note: While some forms of internal data can be made available to the public, the data is not freely disseminated without appropriate authorization.
Internal data includes, but is not limited to: budget and salary information, personal cell phone numbers, departmental policies and procedures, internal memos, incomplete or unpublished research.
Level 2 - Confidential/Sensitive
- University owned or managed data that is confidential business or personal information for which unauthorized disclosure could have a serious adverse impact on the University, individuals or affiliates.
- Level 2 data is intended for a very specific use and should not be disclosed except to those who have explicit authorization to review such data.
- There are often general statutory, regulatory or contractual requirements that require protection of the data.
- Regulations and laws that affect data in Level 2 include, but are not limited to, the Family Educational Rights & Privacy Act (FERPA), the State Human Resources Act (SHRA), and the Gramm-Leach-Bliley Act (GLBA).
Confidential/sensitive data includes, but is not limited to: student data that is not designated as directory information, passport data, personal financial information, certain research data (e.g., proprietary or otherwise protected), personally identifiable information (PII) such as name, birthdate, address, employee or student ID, etc. where the information is held in combination and could lead to identity theft or other misuse.
Level 3 - Highly Restricted
- University owned or managed data that is highly restricted business or personal information, for which unauthorized disclosure would result in significant financial loss to the University, impair its ability to conduct business, or result in a violation of contractual agreements or federal or state laws or regulations.
- Level 3 data is intended for very limited use and must not be disclosed except to those who have explicit authorization to view or use the data.
- There are often governing statutes, regulations, standards, or agreements with specific provisions that dictate how this type of data must be protected.
- Regulations and laws that affect Level 3 data include, but are not limited to, the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).
Highly restricted data includes, but is not limited to: Social Security Numbers, payment card numbers, medical records, restricted information protected by nondisclosure agreements, restricted research data.
V. GUIDELINES FOR APPROPRIATE DATA HANDLING
Whether data is downloaded from a system or application within UNC Pembroke’s protected infrastructure or acquired by some other means, individuals must ensure that the security of the data is protected appropriate to the level of its classification.
Level 3 Data
Due to its restricted nature, level 3 data requires special handling. Some units may handle level 3 data as part of their business processes; however, that data should not be exported or stored outside of its secured location without express permission of the data or system owner.
NOTE: While a limited number of enterprise applications hold highly restricted level 3 data, access to this data is tightly controlled via specific permissions and management authorization. If unsure whether your business data may be stored in one of these systems, direct your inquiry to helpdesk@uncp.edu and your request will be routed appropriately.
Research Data
Research data is typically highly sensitive in nature or subject to special contractual requirements and its handling should be coordinated through the appropriate DoIT Data Security Officer at security@uncp.edu.
The following table is provided to help members of the UNC Pembroke community make decisions about appropriate data handling for classification levels 0 through 3. Data must be treated according to the highest level of sensitivity.
Service |
Level |
Comments |
---|---|---|
Active Directory - Network authentication and identification service | 1 | No level 2 or 3 data can be stored here. |
AdmissionPros - Student applications for undergraduate and graduate admissions | 3 | This application contains the highest level of sensitive data. |
Application Web Database (AWD) - UNCP custom developed identity management database | 3 | This application contains the highest level of sensitive data. |
Backup Solution | 3 | This application contains the highest level of sensitive data. |
Banner - Enterprise Resource Planning | 3 | This application contains the highest level of sensitive data. |
BraveWeb - UNCP portal | 0 | No level 1, 2, or 3 data can be stored here. |
Campus Logic - Student financial aid applications | 3 | This application contains the highest level of sensitive data. |
Canvas - Learning Management System | 2 | No level 3 data can be stored in Canvas. Level 2 data is permissible if designated viewers/recipients are authorized to view the data and no recipients are from outside the University system. |
CBORD Odyssey HMS - Student Housing Information | 2 | No level 3 data can be stored in this application. |
Confidential Network Drive | 3 | This application contains the highest level of sensitive data. |
Email - Microsoft Office 365 email for campus users | 2 | No level 3 data can be sent via email. Level 2 data is permissible if designated email recipients are authorized to view the data and no recipients’ addresses are outside the University email system. |
Kiosks - Publicly accessible kiosks and workstations | 0 | No level 1, 2, or 3 data can be stored here. |
Medicat (Nuesoft-Health Care Services Sys) - Hosted service used by Health Services for providing medical services for students | 3 | This application contains the highest level of sensitive data. |
Microsoft OneDrive and Google Drive - Cloud storage for campus users | 2 | No level 3 data can be stored here. Level 2 data can be stored here if additional security is in place such as limited access. Level 2 data should not be synced to your desktop, laptop, or mobile device. |
Network Drives (I:, J:, K:) | 2 | No level 3 data can be stored here. Level 2 data can be stored here only if additional security is in place such as limited access and/or encryption. |
Personally Owned Workstations, Laptops, Tablets, and other devices | 0 | No level 1, 2, or 3 data can be stored here. |
Public Cloud Storage Sites (i.e., non-University provided cloud storage) | 0 | No level 1, 2 or 3 data can be stored here. |
Qualtrics | 2 | No level 3 data can be stored here. |
ServiceNow - IT Service Management System | 1 | No level 2 or 3 data can be stored here. |
Touchnet - Payment provider | 3 | This application contains the highest level of sensitive data. |
UNCP webpages used for communication | 0 | No level 1, 2 or 3 data can be stored here. |
University owned portable electronic storage media, such as USB devices, CD/DVD, or external hard drives | 1 | No level 2 or 3 data can be stored here. Portable storage media must have additional security configurations in place if storing level 1 data. |
University owned workstations, laptops, tablets, and other devices | 1 | No level 2 or 3 data can be stored here. Mobile devices must have additional security configurations in place if storing level 1 data. |