Permitted and Restricted Systems for Data Storage and Data Processing

Detailed information about what types of data are allowed to be stored in different types of systems.

 

Detailed Information

University protected data is classified in accordance with the Data Classification APL (APL VI-I).  Based on regulatory guidance, the Information Security Standards (under the Board Policy), specify required controls on systems based on classifications.  Supplementing regulatory requirements, local directives inform our decisions to include Credit/Debit Card Standards APL (APL IV-F), the HIPAA Policy, and the FERPA Procedure APL (APL X-F) Following University Purchasing Procedures APL (APL VII-A), vendor assessments are conducted on third-party cloud-based systems which inform the type and classification of data that can be stored on respective vendors systems. In keeping with the Employee Protection of Data APL (APL VI-C), the following charts can be used to determine what systems can be used for storing various data types.

 

Confidential And Restricted Data

Data Types by Data Storage System

Data Storage Systems

Student Records except SSNs (FERPA) National & State IDs (SSN, DL#) (MDA*) Student Financial Aid Data (GLBA) Health Information (Non-HIPAA) Protected Health Information (HIPAA) Payment Card Information (PCI)

Conditions

UMS OneDrive Yes No No No No No  
UMS SharePoint Yes Yes Yes Yes No No If HIPAA desired, contact Information Security Office
UMS Google Drive Yes No No No No No  
UMS Google Shared Drive Yes Yes Yes Yes No    
UMS:IT Secure Server Yes Yes Yes Yes Yes No  
UMS:IT Servers Yes No No No No No  
Box, Dropbox, or Other (Consumer - Not UMS-Contracted) No No No No No No  

Data Types by User Controlled System

User Controlled Systems

Student Records except SSNs (FERPA) National & State IDs (SSN, DL#) (MDA*) Student Financial Aid Data (GLBA) Health Information (Non-HIPAA) Protected Health Information (HIPAA) Payment Card Information (PCI)

Conditions

End User Device (not encrypted)  Yes Conditional Conditional Conditional No No All laptops are required to be encrypted. Requests should be made to encrypt desktops
Encrypted End User Device (except cell phones) Yes Yes Yes Yes Conditional Conditional

HIPAA only when approved by the Information Security Office

PCI processed only on systems approved by Information Security Office.  PCI never to be stored on University systems

Encrypted University Cell Phones Yes No No No No No  
Non-UMS Devices Conditional No No No No No By faculty. Student data for current courses only.
Removable Media Yes No No No No No  
Encrypted & Controlled Media Yes Yes Yes Yes Yes No  

Data Types by Onsite Processing System

Processing Systems - Onsite

Student Records except SSNs (FERPA) National & State IDs (SSN, DL#) (MDA*) Student Financial Aid Data (GLBA) Health Information (Non-HIPAA) Protected Health Information (HIPAA) Payment Card Information (PCI)

Conditions

MaineStreet Yes Yes Yes Yes Conditional No Only when approved by the Information Security Office
ImageNow Yes Yes Yes Yes No No  
Titanium Yes Yes No Yes Yes No  
Advance - Advancement Yes No No No No No  
Jira - IT Ticketing System Conditional No Conditional No No No

Limit data in Jira based on audience 

Financial aid in Jira is limited to Financial Aid Office's private queues

Papercut and Xerox Printers Yes Yes Yes Yes Yes No Use caution to collect printouts quickly without others seeing content

Data Types by Cloud Based Processing System

Processing Systems - Cloud

Student Records except SSNs (FERPA) National & State IDs (SSN, DL#) (MDA*) Student Financial Aid Data (GLBA) Health Information (Non-HIPAA) Protected Health Information (HIPAA) Payment Card Information (PCI)

Conditions

GMail Yes Conditional Conditional Conditional No No Minimize exchange of data. Limit to maine.edu-to-maine.edu.
Zoom Yes Yes Yes No No No  
Zoom for HIPAA Yes Yes Yes Yes Yes No  
BrightSpace Yes No No No No No  
Kaltura Yes No No No No No  
Respondus Yes No No No No No  
Turnitin Yes No No No No No  
MaineStreet Marketplace Jaggaer/Sciquest Yes Conditional No No No No SSNs restricted to vendor tax identification information
Blackboard Transact  Yes Yes No No No Conditional PCI processed only on systems approved by Information Security Office.  PCI never stored on University systems
Touchnet Yes No Yes No No Yes  
Maxient Yes No No Yes No No  
Explorance Blue Yes No No No No No  
Canusia - Early College Yes No No No No No  
TargetX & Salesforce CRM Yes No No No No No  
Compansol Blumen Online - Trio Yes Yes Yes No No No  
CollegeNET - Room Scheduling Yes No Yes No No No  
UC Innovations - Advancement CRM Yes No No No No No  
LifeRay Portal System Yes No No No No No  
Power BI Yes Yes Yes Yes No No  
Team Dynamix -IT Service Mgmt Yes Conditional No No No No Only when approved by the Information Security Office
Docusign Yes Yes Yes Yes No No  
Adobe Sign Yes Yes Yes Yes No No  
Confluence - IT Documentation System No No No No No No  
Qualtics Yes No No Yes Conditional No Requires a Business Associate Agreement (BAA) and extra licensing cost.
Medicat Yes Yes No Yes Yes No  
Student Health Brokerage  Yes Yes No Yes Yes No  
Aon Medicare exchange  Yes Yes No Yes Yes No  
Cigna - Med Pharm, Behavioral Health & EAP  Yes Yes No Yes Yes No  
Omade Diabetes Prevention  Yes Yes No Yes Yes No  
Add-ins, Add-ons, and Apps Conditional No No No No No Should not be used to process FERPA Data and not on systems with Restricted Data. See Knowledge-Base article: "Can I use Add-ins, Add-ons, and Apps?"

 

High-risk Restricted Data

Data Types by Data Storage System

Data Storage Systems

Criminal Justice Information (CJIS) Covered Defense Information Export Control Research (ITAR/EAR)

Conditions

UMS OneDrive No Conditional No Only supported GCC High Environment
UMS SharePoint No Conditional No Only supported GCC High Environment
UMS Google Drive No No No  
UMS:IT Secure Server No Conditional Conditional Only on CUI Enclave, or TCP-specified systems
UMS:IT Servers No No No  
Box, Dropbox, or Other (Consumer - Not UMS-Contracted) No No No  

 

Data Types by User Controlled System

User Controlled Systems
Criminal Justice Information (CJIS) Covered Defense Information Export Control Research (ITAR/EAR)
Conditions
End User Device (not encrypted) No No No All laptops are required to be encrypted. Requests should be made to encrypt desktops
Encrypted End User Device Conditional Conditional Conditional

Only when approved by the Information Security Office

 

Non-UMS Devices No No No  
Removable Media No No No  
Encrypted & Controlled Media Yes No Yes  

Data Types by Onsite Processing Systems

Processing Systems - Onsite
Criminal Justice Information (CJIS) Covered Defense Information Export Control Research (ITAR/EAR)
Conditions
MaineStreet No No No  
ImageNow No No No  
Titanium No No No  
Advance - Advancement No No No  
Jira - IT Ticketing System No No No

 

 

Data Types by Cloud based Processing System

Processing Systems - Cloud
Criminal Justice Information (CJIS) Covered Defense Information Export Control Research (ITAR/EAR)
Conditions
GMail No No No  
Zoom No No No  
Zoom for HIPAA No No No  
BrightSpace No No No  
Kaltura No No No  
Respondus No No No  
Turnitin No No No  
MaineStreet Marketplace Jaggaer/Sciquest No No No  
Blackboard Transact  No No No  
Touchnet No No No  
Maxient No No No  
Canusia - Early College No No No  
TargetX & Salesforce CRM No No No  
Compansol Blumen Online - Trio No No No  
CollegeNET - Room Scheduling No No No  
UC Innovations - Advancement CRM No No No  
LifeRay Portal System No No No  
Power BI No No No  
Team Dynamix -IT Service Mgmt No No No  
Docusign No No No  
Adobe Sign No No No  
Confluence - IT Documentation System No No No  
Qualtics No No No  
Medicat No No No  
Student Health Brokerage  No No No  
Aon Medicare exchange  No No No  
Cigna - Med Pharm, Behavioral Health & EAP  No No No  
Omade Diabetes Prevention  No No No  
Add-ins, Add-ons, and Apps No No No  

 

Environment

  • UMS Computing and storage
57% helpful - 7 reviews
Print Article

Related Articles (1)

Feature comparison of file storage options.