Permitted and Restricted Systems for Data Storage and Data Processing

Body

Detailed information about what types of data are allowed to be stored in different types of systems.

Detailed Information
- Confidential And Restricted Data
- High-risk Restricted Data
Environment

Detailed Information

University protected data is classified in accordance with the Data Classification APL (APL VI-I). Based on regulatory guidance, the Information Security Standards (under the Board Policy), specify required controls on systems based on classifications. Supplementing regulatory requirements, local directives inform our decisions to include Credit/Debit Card Standards APL (APL IV-F), the HIPAA Policy, and the FERPA Procedure APL (APL X-F) Following University Purchasing Procedures APL (APL VII-A), vendor assessments are conducted on third-party cloud-based systems which inform the type and classification of data that can be stored on respective vendors systems. In keeping with the Employee Protection of Data APL (APL VI-C), the following charts can be used to determine what systems can be used for storing various data types.

Confidential And Restricted Data

Data Types by Data Storage System

Data Storage Systems	Student Records except SSNs (FERPA)	*National & State IDs (SSN, DL#) (MDA)**	Student Financial Aid Data (GLBA)	Health Information (Non-HIPAA)	Protected Health Information (HIPAA)	Payment Card Information (PCI)	Conditions
UMS OneDrive	Yes	No	No	No	No	No
UMS SharePoint	Yes	Yes	Yes	Yes	No	No	If HIPAA desired, contact Information Security Office
UMS Google Drive	Yes	No	No	No	No	No
UMS Google Shared Drive	Yes	Yes	Yes	Yes	No
UMS:IT Secure Server	Yes	Yes	Yes	Yes	Yes	No
UMS:IT Servers	Yes	No	No	No	No	No
Box, Dropbox, or Other (Consumer - Not UMS-Contracted)	No	No	No	No	No	No

Data Types by User Controlled System

User Controlled Systems	Student Records except SSNs (FERPA)	*National & State IDs (SSN, DL#) (MDA)**	Student Financial Aid Data (GLBA)	Health Information (Non-HIPAA)	Protected Health Information (HIPAA)	Payment Card Information (PCI)	Conditions
End User Device (not encrypted)	Yes	Conditional	Conditional	Conditional	No	No	All laptops are required to be encrypted. Requests should be made to encrypt desktops
Encrypted End User Device (except cell phones)	Yes	Yes	Yes	Yes	Conditional	Conditional	HIPAA only when approved by the Information Security Office PCI processed only on systems approved by Information Security Office. PCI never to be stored on University systems
Encrypted University Cell Phones	Yes	No	No	No	No	No
Non-UMS Devices	Conditional	No	No	No	No	No	By faculty. Student data for current courses only.
Removable Media	Yes	No	No	No	No	No
Encrypted & Controlled Media	Yes	Yes	Yes	Yes	Yes	No

Data Types by Onsite Processing System

Processing Systems - Onsite	Student Records except SSNs (FERPA)	*National & State IDs (SSN, DL#) (MDA)**	Student Financial Aid Data (GLBA)	Health Information (Non-HIPAA)	Protected Health Information (HIPAA)	Payment Card Information (PCI)	Conditions
MaineStreet	Yes	Yes	Yes	Yes	Conditional	No	Only when approved by the Information Security Office
ImageNow	Yes	Yes	Yes	Yes	No	No
Titanium	Yes	Yes	No	Yes	Yes	No
Advance - Advancement	Yes	No	No	No	No	No
Jira - IT Ticketing System	Conditional	No	Conditional	No	No	No	Limit data in Jira based on audience Financial aid in Jira is limited to Financial Aid Office's private queues
Papercut and Xerox Printers	Yes	Yes	Yes	Yes	Yes	No	Use caution to collect printouts quickly without others seeing content

Data Types by Cloud Based Processing System

Processing Systems - Cloud	Student Records except SSNs (FERPA)	*National & State IDs (SSN, DL#) (MDA)**	Student Financial Aid Data (GLBA)	Health Information (Non-HIPAA)	Protected Health Information (HIPAA)	Payment Card Information (PCI)	Conditions
GMail	Yes	Conditional	Conditional	Conditional	No	No	Minimize exchange of data. Limit to maine.edu-to-maine.edu.
Zoom	Yes	Yes	Yes	No	No	No
Zoom for HIPAA	Yes	Yes	Yes	Yes	Yes	No
BrightSpace	Yes	No	No	No	No	No
Kaltura	Yes	No	No	No	No	No
Respondus	Yes	No	No	No	No	No
Turnitin	Yes	No	No	No	No	No
MaineStreet Marketplace Jaggaer/Sciquest	Yes	Conditional	No	No	No	No	SSNs restricted to vendor tax identification information
Blackboard Transact	Yes	Yes	No	No	No	Conditional	PCI processed only on systems approved by Information Security Office. PCI never stored on University systems
Touchnet	Yes	No	Yes	No	No	Yes
Maxient	Yes	No	No	Yes	No	No
Explorance Blue	Yes	No	No	No	No	No
Canusia - Early College	Yes	No	No	No	No	No
TargetX & Salesforce CRM	Yes	No	No	No	No	No
Compansol Blumen Online - Trio	Yes	Yes	Yes	No	No	No
CollegeNET - Room Scheduling	Yes	No	Yes	No	No	No
UC Innovations - Advancement CRM	Yes	No	No	No	No	No
LifeRay Portal System	Yes	No	No	No	No	No
Power BI	Yes	Yes	Yes	Yes	No	No
Team Dynamix -IT Service Mgmt	Yes	Conditional	No	No	No	No	Only when approved by the Information Security Office
Docusign	Yes	Yes	Yes	Yes	No	No
Adobe Sign	Yes	Yes	Yes	Yes	No	No
Confluence - IT Documentation System	No	No	No	No	No	No
Qualtics	Yes	No	No	Yes	Conditional	No	Requires a Business Associate Agreement (BAA) and extra licensing cost.
Medicat	Yes	Yes	No	Yes	Yes	No
Student Health Brokerage	Yes	Yes	No	Yes	Yes	No
Aon Medicare exchange	Yes	Yes	No	Yes	Yes	No
Cigna - Med Pharm, Behavioral Health & EAP	Yes	Yes	No	Yes	Yes	No
Omade Diabetes Prevention	Yes	Yes	No	Yes	Yes	No
Add-ins, Add-ons, and Apps	Conditional	No	No	No	No	No	Should not be used to process FERPA Data and not on systems with Restricted Data. See Knowledge-Base article: "Can I use Add-ins, Add-ons, and Apps?"

High-risk Restricted Data

Data Types by Data Storage System

Data Storage Systems	Criminal Justice Information (CJIS)	Covered Defense Information	Export Control Research (ITAR/EAR)	Conditions
UMS OneDrive	No	Conditional	No	Only supported GCC High Environment
UMS SharePoint	No	Conditional	No	Only supported GCC High Environment
UMS Google Drive	No	No	No
UMS:IT Secure Server	No	Conditional	Conditional	Only on CUI Enclave, or TCP-specified systems
UMS:IT Servers	No	No	No
Box, Dropbox, or Other (Consumer - Not UMS-Contracted)	No	No	No

Data Types by User Controlled System

User Controlled Systems	Criminal Justice Information (CJIS)	Covered Defense Information	Export Control Research (ITAR/EAR)	Conditions
End User Device (not encrypted)	No	No	No	All laptops are required to be encrypted. Requests should be made to encrypt desktops
Encrypted End User Device	Conditional	Conditional	Conditional	Only when approved by the Information Security Office
Non-UMS Devices	No	No	No
Removable Media	No	No	No
Encrypted & Controlled Media	Yes	No	Yes

Data Types by Onsite Processing Systems

Processing Systems - Onsite	Criminal Justice Information (CJIS)	Covered Defense Information	Export Control Research (ITAR/EAR)	Conditions
MaineStreet	No	No	No
ImageNow	No	No	No
Titanium	No	No	No
Advance - Advancement	No	No	No
Jira - IT Ticketing System	No	No	No

Data Types by Cloud based Processing System

Processing Systems - Cloud	Criminal Justice Information (CJIS)	Covered Defense Information	Export Control Research (ITAR/EAR)
GMail	No	No	No
Zoom	No	No	No
Zoom for HIPAA	No	No	No
BrightSpace	No	No	No
Kaltura	No	No	No
Respondus	No	No	No
Turnitin	No	No	No
MaineStreet Marketplace Jaggaer/Sciquest	No	No	No
Blackboard Transact	No	No	No
Touchnet	No	No	No
Maxient	No	No	No
Canusia - Early College	No	No	No
TargetX & Salesforce CRM	No	No	No
Compansol Blumen Online - Trio	No	No	No
CollegeNET - Room Scheduling	No	No	No
UC Innovations - Advancement CRM	No	No	No
LifeRay Portal System	No	No	No
Power BI	No	No	No
Team Dynamix -IT Service Mgmt	No	No	No
Docusign	No	No	No
Adobe Sign	No	No	No
Confluence - IT Documentation System	No	No	No
Qualtics	No	No	No
Medicat	No	No	No
Student Health Brokerage	No	No	No
Aon Medicare exchange	No	No	No
Cigna - Med Pharm, Behavioral Health & EAP	No	No	No
Omade Diabetes Prevention	No	No	No
Add-ins, Add-ons, and Apps	No	No	No

Environment

UMS Computing and storage

Permitted and Restricted Systems for Data Storage and Data Processing

Summary

Body

Detailed Information

Confidential And Restricted Data

Data Types by Data Storage System

Data Types by User Controlled System

Data Types by Onsite Processing System

Data Types by Cloud Based Processing System

High-risk Restricted Data

Data Types by Data Storage System

Data Types by User Controlled System

User Controlled Systems

Conditions

Data Types by Onsite Processing Systems

Processing Systems - Onsite

Conditions

Data Types by Cloud based Processing System

Processing Systems - Cloud

Conditions

Environment

Details

Details

Related Articles

Related Articles (1)