Protected Data Storage Guidelines

The California State University (CSU) Information Security Data Classification Standard provides three levels of data classification regarding the level of security placed on the particular types of information assets.

This list below is not exhaustive and should only be used as a reference for purposes of data protection. Data protection is the implementation of administrative, technical or physical measures to guard against unauthorized access to data.

Level 1 (Confidential) Data

  • HIPAA: ePHI, Personal Health Records, Health Insurance Data
  • Personally Identifiable Information (PII): Name with Personally Identifiable Information SSN, Passport, Visa, etc. 
  • Gramm-Leach-Bliley Act (GLBA): Name with Financial Information, Bank Accounts, Tax Returns, etc. 
  • Payment Card Industry Data Security Standard (PCI-DSS): Payment card information, Credit Card Numbers, Bank Account and Routing Numbers. 
  • Law Enforcement Records: Name with Driver’s License, Criminal Background.
  • Campus Access Credentials: Passwords or credentials that grant access to level 1 and level 2 data.

Level 2 (Business/Internal Use) Data

  • FERPA: Student Information: Educational Records not defined as directory” information, typically: Grades, Courses taken, Schedule, Test Scores, Advising records, Educational services received, Disciplinary actions, Student photo.
  • Campus financials
  • Campus attorney-client communication
  • Non-directory employee information: Name with: Home Address, Home Phone, Personal Email, Marital Status, Gender, Evaluation, Personnel Actions.

Level 3 (General/Unrestricted) Data

  • Information publicly available: The information which may be designated as publicly available and/or intended to be provided to the public.

 

Services to store or share California State University (CSU) protected data

 

Level 1 (Confidential)

Level 2 (Internal)

Level 3 (General)

Google Drive

An enterprise solution that allows faculty, staff and students to store, share and edit files as part of Google G Suite.

 

Prohibited

 

Permitted** 

 

Permitted 

OneDrive for Business

An enterprise service that allows faculty, staff and students to store, share and edit files within online Office apps as part of Microsoft Office 365.

 

Prohibited

 

Permitted**

 

Permitted 

BOX (Fresno State)

An enterprise service that allows faculty, staff and students to store, share and edit files online as part of BOX.

 

Prohibited

 

Permitted

 

Permitted

Fresno State Network File Shares

Network drives only accessible on the Fresno State network managed by Technology Services staff.

 

Permitted

 

Permitted

 

Permitted

Local workstation or laptop managed by Fresno State (University owned devices managed by Technology Services staff)

 

Prohibited

 

Permitted

 

Permitted

Personal computers or devices not owned or managed by Fresno State
(Non-university owned devices)

 

Prohibited

 

Prohibited

 

Permitted

Portable Storage

Thumb drives, portable hard drives or any other portable device that is capable of storing files.

 

Prohibited

 

Prohibited

 

Permitted

** Excludes storage of FERPA data.

Notes:

  • The data storage matrix does not necessarily apply to data associated with faculty research. Research data involving regulated data should have a data management plan and should fulfill the security requirements of the granting agency as well as the policies and standards of the CSU or Fresno State.

  • The data storage matrix signifies if appropriate technical safeguards and contractual protections are in place for storing or sharing regulated or confidential data using a particular technology.

 

Download a .pdf version