Detailed information about what types of data are allowed to be stored in different types of systems.
Detailed Information
University protected data is classified in accordance with the Data Classification APL (APL VI-I). Based on regulatory guidance, the Information Security Standards (under the Board Policy), specify required controls on systems based on classifications. Supplementing regulatory requirements, local directives inform our decisions to include Credit/Debit Card Standards APL (APL IV-F), the HIPAA Policy, and the FERPA Procedure APL (APL X-F) Following University Purchasing Procedures APL (APL VII-A), vendor assessments are conducted on third-party cloud-based systems which inform the type and classification of data that can be stored on respective vendors systems. In keeping with the Employee Protection of Data APL (APL VI-C), the following charts can be used to determine what systems can be used for storing various data types.
Confidential And Restricted Data
Data Types by Data Storage System
Data Storage Systems
|
Student Records except SSNs (FERPA) |
National & State IDs (SSN, DL#) (MDA*) |
Student Financial Aid Data (GLBA) |
Health Information (Non-HIPAA) |
Protected Health Information (HIPAA) |
Payment Card Information (PCI) |
Conditions
|
UMS OneDrive |
Yes |
No |
No |
No |
No |
No |
|
UMS SharePoint |
Yes |
Yes |
Yes |
Yes |
No |
No |
If HIPAA desired, contact Information Security Office |
UMS Google Drive |
Yes |
No |
No |
No |
No |
No |
|
UMS Google Shared Drive |
Yes |
Yes |
Yes |
Yes |
No |
|
|
UMS:IT Secure Server |
Yes |
Yes |
Yes |
Yes |
Yes |
No |
|
UMS:IT Servers |
Yes |
No |
No |
No |
No |
No |
|
Box, Dropbox, or Other (Consumer - Not UMS-Contracted) |
No |
No |
No |
No |
No |
No |
|
Data Types by User Controlled System
User Controlled Systems
|
Student Records except SSNs (FERPA) |
National & State IDs (SSN, DL#) (MDA*) |
Student Financial Aid Data (GLBA) |
Health Information (Non-HIPAA) |
Protected Health Information (HIPAA) |
Payment Card Information (PCI) |
Conditions
|
End User Device (not encrypted) |
Yes |
Conditional |
Conditional |
Conditional |
No |
No |
All laptops are required to be encrypted. Requests should be made to encrypt desktops |
Encrypted End User Device (except cell phones) |
Yes |
Yes |
Yes |
Yes |
Conditional |
Conditional |
HIPAA only when approved by the Information Security Office
PCI processed only on systems approved by Information Security Office. PCI never to be stored on University systems
|
Encrypted University Cell Phones |
Yes |
No |
No |
No |
No |
No |
|
Non-UMS Devices |
Conditional |
No |
No |
No |
No |
No |
By faculty. Student data for current courses only. |
Removable Media |
Yes |
No |
No |
No |
No |
No |
|
Encrypted & Controlled Media |
Yes |
Yes |
Yes |
Yes |
Yes |
No |
|
Data Types by Onsite Processing System
Processing Systems - Onsite
|
Student Records except SSNs (FERPA) |
National & State IDs (SSN, DL#) (MDA*) |
Student Financial Aid Data (GLBA) |
Health Information (Non-HIPAA) |
Protected Health Information (HIPAA) |
Payment Card Information (PCI) |
Conditions
|
MaineStreet |
Yes |
Yes |
Yes |
Yes |
Conditional |
No |
Only when approved by the Information Security Office |
ImageNow |
Yes |
Yes |
Yes |
Yes |
No |
No |
|
Titanium |
Yes |
Yes |
No |
Yes |
Yes |
No |
|
Advance - Advancement |
Yes |
No |
No |
No |
No |
No |
|
Jira - IT Ticketing System |
Conditional |
No |
Conditional |
No |
No |
No |
Limit data in Jira based on audience
Financial aid in Jira is limited to Financial Aid Office's private queues
|
Papercut and Xerox Printers |
Yes |
Yes |
Yes |
Yes |
Yes |
No |
Use caution to collect printouts quickly without others seeing content |
Data Types by Cloud Based Processing System
Processing Systems - Cloud
|
Student Records except SSNs (FERPA) |
National & State IDs (SSN, DL#) (MDA*) |
Student Financial Aid Data (GLBA) |
Health Information (Non-HIPAA) |
Protected Health Information (HIPAA) |
Payment Card Information (PCI) |
Conditions
|
GMail |
Yes |
Conditional |
Conditional |
Conditional |
No |
No |
Minimize exchange of data. Limit to maine.edu-to-maine.edu. |
Zoom |
Yes |
Yes |
Yes |
No |
No |
No |
|
Zoom for HIPAA |
Yes |
Yes |
Yes |
Yes |
Yes |
No |
|
BrightSpace |
Yes |
No |
No |
No |
No |
No |
|
Kaltura |
Yes |
No |
No |
No |
No |
No |
|
Respondus |
Yes |
No |
No |
No |
No |
No |
|
Turnitin |
Yes |
No |
No |
No |
No |
No |
|
MaineStreet Marketplace Jaggaer/Sciquest |
Yes |
Conditional |
No |
No |
No |
No |
SSNs restricted to vendor tax identification information |
Blackboard Transact |
Yes |
Yes |
No |
No |
No |
Conditional |
PCI processed only on systems approved by Information Security Office. PCI never stored on University systems |
Touchnet |
Yes |
No |
Yes |
No |
No |
Yes |
|
Maxient |
Yes |
No |
No |
Yes |
No |
No |
|
Explorance Blue |
Yes |
No |
No |
No |
No |
No |
|
Canusia - Early College |
Yes |
No |
No |
No |
No |
No |
|
TargetX & Salesforce CRM |
Yes |
No |
No |
No |
No |
No |
|
Compansol Blumen Online - Trio |
Yes |
Yes |
Yes |
No |
No |
No |
|
CollegeNET - Room Scheduling |
Yes |
No |
Yes |
No |
No |
No |
|
UC Innovations - Advancement CRM |
Yes |
No |
No |
No |
No |
No |
|
LifeRay Portal System |
Yes |
No |
No |
No |
No |
No |
|
Power BI |
Yes |
Yes |
Yes |
Yes |
No |
No |
|
Team Dynamix -IT Service Mgmt |
Yes |
Conditional |
No |
No |
No |
No |
Only when approved by the Information Security Office |
Docusign |
Yes |
Yes |
Yes |
Yes |
No |
No |
|
Adobe Sign |
Yes |
Yes |
Yes |
Yes |
No |
No |
|
Confluence - IT Documentation System |
No |
No |
No |
No |
No |
No |
|
Qualtics |
Yes |
No |
No |
Yes |
Conditional |
No |
Requires a Business Associate Agreement (BAA) and extra licensing cost. |
Medicat |
Yes |
Yes |
No |
Yes |
Yes |
No |
|
Student Health Brokerage |
Yes |
Yes |
No |
Yes |
Yes |
No |
|
Aon Medicare exchange |
Yes |
Yes |
No |
Yes |
Yes |
No |
|
Cigna - Med Pharm, Behavioral Health & EAP |
Yes |
Yes |
No |
Yes |
Yes |
No |
|
Omade Diabetes Prevention |
Yes |
Yes |
No |
Yes |
Yes |
No |
|
Add-ins, Add-ons, and Apps |
Conditional |
No |
No |
No |
No |
No |
Should not be used to process FERPA Data and not on systems with Restricted Data. See Knowledge-Base article: "Can I use Add-ins, Add-ons, and Apps?" |
High-risk Restricted Data
Data Types by Data Storage System
Data Storage Systems
|
Criminal Justice Information (CJIS) |
Covered Defense Information |
Export Control Research (ITAR/EAR) |
Conditions
|
UMS OneDrive |
No |
Conditional |
No |
Only supported GCC High Environment |
UMS SharePoint |
No |
Conditional |
No |
Only supported GCC High Environment |
UMS Google Drive |
No |
No |
No |
|
UMS:IT Secure Server |
No |
Conditional |
Conditional |
Only on CUI Enclave, or TCP-specified systems |
UMS:IT Servers |
No |
No |
No |
|
Box, Dropbox, or Other (Consumer - Not UMS-Contracted) |
No |
No |
No |
|
Data Types by User Controlled System
User Controlled Systems
|
Criminal Justice Information (CJIS) |
Covered Defense Information |
Export Control Research (ITAR/EAR) |
Conditions
|
End User Device (not encrypted) |
No |
No |
No |
All laptops are required to be encrypted. Requests should be made to encrypt desktops |
Encrypted End User Device |
Conditional |
Conditional |
Conditional |
Only when approved by the Information Security Office
|
Non-UMS Devices |
No |
No |
No |
|
Removable Media |
No |
No |
No |
|
Encrypted & Controlled Media |
Yes |
No |
Yes |
|
Data Types by Onsite Processing Systems
Processing Systems - Onsite
|
Criminal Justice Information (CJIS) |
Covered Defense Information |
Export Control Research (ITAR/EAR) |
Conditions
|
MaineStreet |
No |
No |
No |
|
ImageNow |
No |
No |
No |
|
Titanium |
No |
No |
No |
|
Advance - Advancement |
No |
No |
No |
|
Jira - IT Ticketing System |
No |
No |
No |
|
Data Types by Cloud based Processing System
Processing Systems - Cloud
|
Criminal Justice Information (CJIS) |
Covered Defense Information |
Export Control Research (ITAR/EAR) |
Conditions
|
GMail |
No |
No |
No |
|
Zoom |
No |
No |
No |
|
Zoom for HIPAA |
No |
No |
No |
|
BrightSpace |
No |
No |
No |
|
Kaltura |
No |
No |
No |
|
Respondus |
No |
No |
No |
|
Turnitin |
No |
No |
No |
|
MaineStreet Marketplace Jaggaer/Sciquest |
No |
No |
No |
|
Blackboard Transact |
No |
No |
No |
|
Touchnet |
No |
No |
No |
|
Maxient |
No |
No |
No |
|
Canusia - Early College |
No |
No |
No |
|
TargetX & Salesforce CRM |
No |
No |
No |
|
Compansol Blumen Online - Trio |
No |
No |
No |
|
CollegeNET - Room Scheduling |
No |
No |
No |
|
UC Innovations - Advancement CRM |
No |
No |
No |
|
LifeRay Portal System |
No |
No |
No |
|
Power BI |
No |
No |
No |
|
Team Dynamix -IT Service Mgmt |
No |
No |
No |
|
Docusign |
No |
No |
No |
|
Adobe Sign |
No |
No |
No |
|
Confluence - IT Documentation System |
No |
No |
No |
|
Qualtics |
No |
No |
No |
|
Medicat |
No |
No |
No |
|
Student Health Brokerage |
No |
No |
No |
|
Aon Medicare exchange |
No |
No |
No |
|
Cigna - Med Pharm, Behavioral Health & EAP |
No |
No |
No |
|
Omade Diabetes Prevention |
No |
No |
No |
|
Add-ins, Add-ons, and Apps |
No |
No |
No |
|
Environment
- UMS Computing and storage