Detailed information about what types of data are allowed to be stored in different types of systems.
Detailed Information
University protected data is classified in accordance with the Data Classification APL (APL VI-I). Based on regulatory guidance, the Information Security Standards (under the Board Policy), specify required controls on systems based on classifications. Supplementing regulatory requirements, local directives inform our decisions to include Credit/Debit Card Standards APL (APL IV-F), the HIPAA Policy, and the FERPA Procedure APL (APL X-F) Following University Purchasing Procedures APL (APL VII-A), vendor assessments are conducted on third-party cloud-based systems which inform the type and classification of data that can be stored on respective vendors systems. In keeping with the Employee Protection of Data APL (APL VI-C), the following charts can be used to determine what systems can be used for storing various data types.
Confidential And Restricted Data
Data Types by Data Storage System
Data Storage Systems
|
Student Records except SSNs (FERPA) |
National & State IDs (SSN, DL#) (MDA*) |
Student Financial Aid Data (GLBA) |
Health Information (Non-HIPAA) |
Protected Health Information (HIPAA) |
Payment Card Information (PCI) |
Conditions
|
UMS OneDrive |
Yes |
No |
No |
No |
No |
No |
|
UMS SharePoint |
Yes |
Yes |
Yes |
Yes |
Conditional |
No |
Only when approved by the Information Security Office |
UMS Google Drive |
Yes |
Conditional |
No |
No |
No |
No |
Only when approved by the Information Security Office |
US:IT Secure Server |
Yes |
Yes |
Yes |
Yes |
Yes |
No |
|
US:IT Servers |
Yes |
No |
No |
No |
No |
No |
|
Box, Dropbox, or Other (Consumer - Not UMS-Contracted) |
No |
No |
No |
No |
No |
No |
|
Data Types by User Controlled System
User Controlled Systems
|
Student Records except SSNs (FERPA) |
National & State IDs (SSN, DL#) (MDA*) |
Student Financial Aid Data (GLBA) |
Health Information (Non-HIPAA) |
Protected Health Information (HIPAA) |
Payment Card Information (PCI) |
Conditions
|
End User Device (not encrypted) |
Yes |
Conditional |
Conditional |
Conditional |
No |
No |
All laptops are required to be encrypted. Requests should be made to encrypt desktops |
Encrypted End User Device |
Yes |
Yes |
Yes |
Yes |
Conditional |
Conditional |
Only when approved by the Information Security Office
PCI processed only on systems approved by Information Security Office. PCI never stored on University systems
|
Non-UMS Devices |
Conditional |
No |
No |
No |
No |
No |
By faculty. Student data for current courses only. |
Removable Media |
Yes |
No |
No |
No |
No |
No |
|
Encrypted & Controlled Media |
Yes |
Yes |
Yes |
Yes |
Yes |
No |
|
Data Types by Onsite Processing System
Processing Systems - Onsite
|
Student Records except SSNs (FERPA) |
National & State IDs (SSN, DL#) (MDA*) |
Student Financial Aid Data (GLBA) |
Health Information (Non-HIPAA) |
Protected Health Information (HIPAA) |
Payment Card Information (PCI) |
Conditions
|
MaineStreet |
Yes |
Yes |
Yes |
Yes |
Conditional |
No |
Only when approved by the Information Security Office |
ImageNow |
Yes |
Yes |
Yes |
Yes |
No |
No |
|
Titanium |
Yes |
Yes |
No |
Yes |
Yes |
No |
|
Advance - Advancement |
Yes |
No |
No |
No |
No |
No |
|
Jira - IT Ticketing System |
Conditional |
No |
Conditional |
No |
No |
No |
Limit data in Jira based on audience
Financial aid in Jira is limited to Financial Aid Office's private queues
|
Data Types by Cloud Based Processing System
Processing Systems - Cloud
|
Student Records except SSNs (FERPA) |
National & State IDs (SSN, DL#) (MDA*) |
Student Financial Aid Data (GLBA) |
Health Information (Non-HIPAA) |
Protected Health Information (HIPAA) |
Payment Card Information (PCI) |
Conditions
|
GMail |
Yes |
No |
Conditional |
Conditional |
No |
No |
Minimize exchange of data. Limit to maine.edu-to-maine.edu. |
Zoom |
Yes |
Yes |
Yes |
No |
No |
No |
|
Zoom for HIPAA |
Yes |
Yes |
Yes |
Yes |
Yes |
No |
|
BrightSpace |
Yes |
No |
No |
No |
No |
No |
|
Kaltura |
Yes |
No |
No |
No |
No |
No |
|
Respondus |
Yes |
No |
No |
No |
No |
No |
|
Turnitin |
Yes |
No |
No |
No |
No |
No |
|
MaineStreet Marketplace Jaggaer/Sciquest |
Yes |
Conditional |
No |
No |
No |
No |
SSNs restricted to vendor tax identification information |
Blackboard Transact |
Yes |
Yes |
No |
No |
No |
Conditional |
PCI processed only on systems approved by Information Security Office. PCI never stored on University systems |
Touchnet |
Yes |
No |
Yes |
No |
No |
Yes |
|
Maxient |
Yes |
No |
No |
Yes |
No |
No |
|
Explorance Blue |
Yes |
No |
No |
No |
No |
No |
|
Canusia - Early College |
Yes |
No |
No |
No |
No |
No |
|
TargetX & Salesforce CRM |
Yes |
No |
No |
No |
No |
No |
|
Compansol Blumen Online - Trio |
Yes |
Yes |
Yes |
No |
No |
No |
|
CollegeNET - Room Scheduling |
Yes |
No |
Yes |
No |
No |
No |
|
UC Innovations - Advancement CRM |
Yes |
No |
No |
No |
No |
No |
|
LifeRay Portal System |
Yes |
No |
No |
No |
No |
No |
|
Power BI |
Yes |
Yes |
Yes |
Yes |
No |
No |
|
Team Dynamix -IT Service Mgmt |
Yes |
Conditional |
No |
No |
No |
No |
Only when approved by the Information Security Office |
Confluence - IT Documentation System |
No |
No |
No |
No |
No |
No |
|
Qualtics |
Yes |
No |
No |
Yes |
Conditional |
No |
Requires a Business Associate Agreement (BAA) and extra licensing cost. |
Medicat |
Yes |
Yes |
No |
Yes |
Yes |
No |
|
Student Health Brokerage |
Yes |
Yes |
No |
Yes |
Yes |
No |
|
Aon Medicare exchange |
Yes |
Yes |
No |
Yes |
Yes |
No |
|
Cigna - Med Pharm, Behavioral Health & EAP |
Yes |
Yes |
No |
Yes |
Yes |
No |
|
Omade Diabetes Prevention |
Yes |
Yes |
No |
Yes |
Yes |
No |
|
High-risk Restricted Data
Data Types by Data Storage System
Data Storage Systems
|
Criminal Justice Information (CJIS) |
Covered Defense Information |
Export Control Research (ITAR/EAR) |
Conditions
|
UMS OneDrive |
No |
No |
No |
|
UMS SharePoint |
No |
No |
No |
|
UMS Google Drive |
No |
No |
No |
|
US:IT Secure Server |
No |
Conditional |
Conditional |
Only on CUI Enclave, or TCP-specified systems |
US:IT Servers |
No |
No |
No |
|
Box, Dropbox, or Other (Consumer - Not UMS-Contracted) |
No |
No |
No |
|
Data Types by User Controlled System
User Controlled Systems
|
Criminal Justice Information (CJIS) |
Covered Defense Information |
Export Control Research (ITAR/EAR) |
Conditions
|
End User Device (not encrypted) |
No |
No |
No |
All laptops are required to be encrypted. Requests should be made to encrypt desktops |
Encrypted End User Device |
Conditional |
Conditional |
Conditional |
Only when approved by the Information Security Office
|
Non-UMS Devices |
No |
No |
No |
|
Removable Media |
No |
No |
No |
|
Encrypted & Controlled Media |
Yes |
No |
Yes |
|
Data Types by Onsite Processing Systems
Processing Systems - Onsite
|
Criminal Justice Information (CJIS) |
Covered Defense Information |
Export Control Research (ITAR/EAR) |
Conditions
|
MaineStreet |
No |
No |
No |
|
ImageNow |
No |
No |
No |
|
Titanium |
No |
No |
No |
|
Advance - Advancement |
No |
No |
No |
|
Jira - IT Ticketing System |
No |
No |
No |
|
Data Types by Cloud based Processing System
Processing Systems - Cloud
|
Criminal Justice Information (CJIS) |
Covered Defense Information |
Export Control Research (ITAR/EAR) |
Conditions
|
GMail |
No |
No |
No |
|
Zoom |
No |
No |
No |
|
Zoom for HIPAA |
No |
No |
No |
|
BrightSpace |
No |
No |
No |
|
Kaltura |
No |
No |
No |
|
Respondus |
No |
No |
No |
|
Turnitin |
No |
No |
No |
|
MaineStreet Marketplace Jaggaer/Sciquest |
No |
No |
No |
|
Blackboard Transact |
No |
No |
No |
|
Touchnet |
No |
No |
No |
|
Maxient |
No |
No |
No |
|
Canusia - Early College |
No |
No |
No |
|
TargetX & Salesforce CRM |
No |
No |
No |
|
Compansol Blumen Online - Trio |
No |
No |
No |
|
CollegeNET - Room Scheduling |
No |
No |
No |
|
UC Innovations - Advancement CRM |
No |
No |
No |
|
LifeRay Portal System |
No |
No |
No |
|
Power BI |
No |
No |
No |
|
Team Dynamix -IT Service Mgmt |
No |
No |
No |
|
Confluence - IT Documentation System |
No |
No |
No |
|
Qualtics |
No |
No |
No |
|
Medicat |
No |
No |
No |
|
Student Health Brokerage |
No |
No |
No |
|
Aon Medicare exchange |
No |
No |
No |
|
Cigna - Med Pharm, Behavioral Health & EAP |
No |
No |
No |
|
Omade Diabetes Prevention |
No |
No |
No |
|
Environment
- UMS Computing and storage