File Storage Options for Sensitive Information
In addition to the T-Storage service supported by OIT, the campus has signed agreements with Google and with Microsoft which provide cloud file storage for all faculty, staff, and students. While the space considerations for these plans are generous, staff should use caution when storing sensitive information using these services. All users are responsible for ensuring that their use of storage services complies with laws, regulations, and policies where applicable.
Usage policies for OneDrive for Business and Google Apps for Education are available here.
There are federal restrictions and industry standards on how certain information is transmitted and how it is stored. The most restrictive guidelines are the Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry (PCI) standards. HIPAA guidelines dictate that information classified as Personal Health Information or HIPAA information must be transmitted in an encrypted form AND stored in an encrypted format. Likewise, for PCI data - credit card information. FERPA guidelines (education records) do not specify encryption, but the recommendation is to make every effort to protect the information from exposure to unauthorized persons. However, encryption alone is not enough. Access to sensitive information must also be considered and restricted to only those authorized to view or process the information.
The following chart is a summary of what is available to staff when considering storage options. If you are using anything other than one of these options for general file storage, please confirm the university has a valid contract in place with that vendor.
||Encrypted At Rest
||Encrypted In transit
If staff routinely process or store ANY sensitive information (other than their personal information) on their workstations, laptops, or removable media such as jump-drives, the same controls apply – HIPAA, PCI, PHI, and PII information must be protected. Limiting access to the information and encrypting it are two requirements. Access to the information must be limited to those who are authorized to view or process the information as part of their official university duties. Apple and PC workstations support full disk encryption. Full-disk encryption is recommended. Although storing information on a removable device like a jump-drive or external storage disk is not recommended, it's sometimes unavoidable. In that case, the information or the device should be protected by limiting physical and logical (to whom the information is shared electronically) access to the device and encrypting the information.
Regardless of the storage mechanism, the information must always be protected. It is EVERYONE's responsibility to take steps to ensure that sensitive information doesn't fall into the wrong hands.
For guidance on storing sensitive information, please call the OIT HelpDesk at 865-974-9900.