    Campus Security Policy on Cloud Storage

    A message from Stan Waddell, head of ITS Security, sent on October 27th, 2011 to the Security Liaisons regarding use of off-campus storage of university data

    All,

    I wanted to follow up on our discussion from earlier today to ensure we were all on the same footing. There seemed to be some confusion surrounding when it was okay to use Dropbox or similar services. You may well remember a similar discussion we had in this list earlier in the year. In that thread I gave the following guidance (with relevant quotes from the Information Security Policy located here: http://its.unc.edu/ccm/groups/public/@its/documents/content/ccm1_033440.pdf ):

    "The guidance from my office is that for storing sensitive information with third party cloud storage providers, other storage providers, or Software as a Service providers, contractual provisions must be in place that protect the security and privacy of UNC owned data. If no contract is in place then sensitive data must not be stored on computers that are not owned or managed by UNC Chapel Hill. In order for the contract to be an approved instrument for the purposes of the Information Security Policy, it must have been reviewed by OUC."

    I believe that should be fairly straight-forward guidance, but there may be some confusion regarding the definition of sensitive data. So, I wish to provide some information to hopefully clarify that for this list.

    There are only two classifications of data with respect to information security at UNC Chapel Hill. There is sensitive data and public data. Below are the definitions of the types of data as they are written in policy.

    Sensitive data is defined as information that is protected against unwarranted disclosure. Access to sensitive data should be safeguarded. Protection of sensitive data may be required for legal or ethical reasons, for issues pertaining to personal privacy, or for proprietary considerations.
    Sensitive Information includes all data, in its original and duplicate form, which contains:

    Personal Identifying Information (PII), as defined by the North Carolina Identity Theft Protection Act of 2005 
    Protected Health Information, as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) 
    Student education records, as defined by the Family Educational Rights and Privacy Act (FERPA) 
    Customer record information, as defined by the Gramm Leach Bliley Act (GLBA) 
    Credit Card holder data, as defined by the Payment Card Industry (PCI) Data Security Standard 
    Confidential personnel information, as defined by the State Personnel Act 
    Information that is deemed to be confidential in accordance with the North Carolina Public Records Act 

    Sensitive data also includes any information that is protected by University policy from unauthorized access. This information must be restricted to those with a legitimate business need for access. Examples of sensitive information may include, but are not limited to, some types of research data (such as research data that is personally identifiable or proprietary), public safety information, financial donor information, information concerning select agents, system access passwords, information security records, and information file encryption keys. 

    Public Information is simply all information made or received by the University that does not constitute Sensitive Information. Sensitive Information that is disclosed without proper authorization does not, by virtue of its disclosure, become Public Information. (Some examples of public information might include most purchase contracts, many accounting records, some forms of de-identified research data, etc.)

    Remember, there is NO prohibition on the storage of non-sensitive or public data in the Cloud or on other third party storage providers, but it is important to know the difference between the two types of data. If you know the difference, an informed decision can be made when trying to decide when it is okay to place data in the Cloud.


    -Stan