As an employee of CSUCI, you are responsible for all university data that is sent, stored, or shared on all personal or university-owned devices that you use. Part of this responsibility includes choosing appropriate technology to manage and store the data, some of which may be confidential or restricted. We have multiple options for data storage — from University servers to cloud-based services — but not all options are appropriate for all types of data. To help you choose the proper solutions for your university data, we've developed a matrix that outlines what can be stored where.

Sensitive Data Storage Classification

Information in the matrix below applies only to CSUCI enterprise versions of the services. CI Data must never be stored in a consumer personal Gmail account e.g., ekho@gmail.com. The CSU Information Security Data Classification standard provides three levels of data classification regarding the level of security placed on the particular types of information assets.

This list below is not exhaustive and should only be used as a reference for purposes of data protection. Data protection is the implementation of administrative, technical, or physical measures to guard against unauthorized access to data.

Protected Level 1 (PL-1 Confidential)

  • HIPAA: ePHI, Personal Health Records, Health Insurance Data
  • Personally Identifiable Information (PII): Name with Personally Identifiable Information SSN, Passport, Visa, etc.
  • Gramm-Leach-Bliley Act (GLBA): Name with Financial Information, Bank Accounts, Tax Returns, etc.
  • Payment Card Industry Data Security Standard (PCI-DSS): Payment card information, Credit Card Numbers, Bank Account and Routing Numbers.
  • Law Enforcement Records: Name with Driver’s License, Criminal Background.
  • Campus Access Credentials: Passwords or credentials that grant access to level 1 and level 2 data.

Protected Level 2 (PL-2 Internal Use)

  • FERPA: Student Information: Educational Records not defined as directory” information, typically: Grades, Courses taken, Schedule, Test Scores, Advising records, Educational services received, Disciplinary actions, Student photo.
  • Campus Financials.
  • Campus Attorney-client communication.
  • Employee Information:Name with: Home Address, Home Phone, Personal Email, Marital Status, Gender, Evaluation, Personnel Actions.

Protected Level 3 (PL-3 General)

  • Information publically available Publications Web: The information which may be designated as publically available and/or intended to be provided to the public.

Sensitive Data Storage Matrix

How to interpret the Matrix

Listed below are the only IT Tools and Services to Store or Share CSU/CSUCI Protected Data

Storage LocationDescriptionProtected level 1 (PL-1)Protected level 2 (PL-2)Protected level 3 (PL-3)
** With the review and approval of the Information Security office. Please contact the Info Sec Team at infosec@csuci.edu for more information.
Google DriveAn enterprise solution that allows faculty/staff users to store, share and edit files as part of Google G Suite.Use ProhibitedUse ProhibitedUse Permitted
OneDrive for BusinessAn enterprise service that allows students, faculty, and staff to store, share and edit files within online Office apps as part of Microsoft Office 365.Use Permitted**Use PermittedUse Permitted
SharePointAn online collaboration space that is part of Office 365.Use Permitted**Use PermittedUse Permitted
DropboxAn enterprise service that allows faculty and staff to store, share and edit files.Use ProhibitedUse ProhibitedUse Permitted
ITS Network File SharesNetwork drives only accessible on the CSUCI network and managed by CSUCI ITS Staff.Use Permitted**Use PermittedUse Permitted
TeamDynamixTicketing systemUse ProhibitedUse Permitted**Use Permitted
University-owned devicesLocal Workstation or Laptop managed by CSUCI.Use ProhibitedUse Restricted**Use Permitted
Non-University-owned devicesPersonal Computers or devices not owned or managed by CSUCI.Use ProhibitedUse ProhibitedUse Permitted
Portable StorageThumb drives, portable hard drives or any other portable device that is capable of storing files.Use ProhibitedUse ProhibitedUse Permitted
Azure Files / Azure File SyncCache Azure file shares on Windows Servers with Azure File Sync for local access performance.Use ProhibitedUse PermittedUse Permitted
AI / ChatGPTAI-Powered software used to produce or edit contentUse ProhibitedUse ProhibitedUse Permitted

Notes

  • The Regulated Data Storage Matrix only indicates if appropriate technical safeguards and contractual protections are in place for storing or sharing regulated or confidential data using a particular technology.
Back to Top ↑
©