Online Storage Security Frequently Asked Questions
Any computer-based storage that allows a user to save or store digital files over a network, wired or wireless.
Yes; the J:, P:, Q:, R:, S:, and V: drives are all examples of storage provided over the network by the Information Technology Department.
Yes. Document imaging systems are a specialized form of storage but fall under the general classification of online storage.
Please refer to university policies OP 44.20 and the Data Classification Standard as well as the IT Glossary. In very general terms, if the information ties a person’s name to other identifying information such as SSN or physical address, it’s protected. If the information reveals specifics of credit card transactions or financial transactions, it’s protected.
You should not store protected information on any storage provided by a third-party vendor. Third-party vendor online storage services are not controlled by the university and should be considered public. This includes free web or cloud based services such as Google Docs, Dropbox, Skydrive, ADrive, 4Shared and others. The contractual obligations of the vendors are very limited and do not relieve you of the responsibility for any exposure of protected information.
The best answer is don’t ask for or keep SSNs unless you need them for business or legal reasons, and then keep them only in secure locations such as your P: drive. Store them in the most limited-access storage available that still allows access to those needing it. If you are uncertain where to store the information or you need to share SSNs across groups or offices, contact the Technology Support Center and we can help arrange a safe place to share the information.
Your P: drive is accessible only by you. The Q: drive is divided up by department and is typically viewable by the department’s employees, including student workers. The S: and V: drives are used for specific applications shared across user groups with permissions applicable to those groups. The J: drive houses information usually used by only a pair of individuals or departments that need to share information, but also need to keep that information to a limited audience. The R: drive is accessible by all employees and some student workers and should be treated as if it were public since it has such broad access.
Yes, online storage can be seen by a variety of people and how each location is controlled differs based on requirements. Some of the storage provided by the university is viewable by the entire population of employees. Some of the storage is visible to entire departments. Where you store your information should be based on the information’s sensitivity and requirements for dissemination. As a guideline, store your information where it is least visible and still allows access to anyone requiring access to it for work.
Mapped network drives, network drives, logical drives, logical drive connections, network storage, cloud storage, cloud drives, document imaging systems and others.
In addition to more traditional-looking file and folder storage like your P: drive, there are document repositories like SharePoint, online shareable Dropbox-style storage, online data backup services such as Mozy and Carbonite, online personal drives such as those provided by Google, Microsoft Live, and others.
The term cloud is a generic term for any online service, provided by a second or third party, that allows a user to use storage or applications without regard for the location of the physical hardware or how that hardware is configured. Such a service may not require any special software on the user’s side to access it. For example, many cloud based products require only a web browser to access the user’s data. Cloud storage might refer to storage provided by the university or third-party vendors such as Google.
Yes, there are several. Social Security numbers must be carefully controlled. Any information protected by law, regulation, or statute must be stored based on rules from the applicable law. For example, we must store Social Security numbers only if we require them for a business process and must not let the association of an SSN with the specific person be exposed to anyone other than the SSN owner and those within the university that require the information for business purposes.
In general terms, any credit card information, Social Security numbers associated with individuals, health related information, patient records, financial information, student grades. This list is not all-inclusive. You should take care with all university information.
Great question! Passwords along with your username or account name are used to ensure that only authorized users get access to systems. Since they are your key to gaining access to protected information, passwords should be treated with the same care and caution that protected information is. Visit the password web page to find information on how to protect your passwords.