OSU's network contains data that could cause harm to individuals within our community should it fall into the wrong hands. The Office of Information Security is tasked with identifying threats to that data, such as hackers and the malicious software they use, but it is up to those who work with this data at Oregon State University to help us maintain our commitment to the safety and privacy of our data.
While working with OSU data, you must protect the data you access. Following policies, procedures, standards and guidelines is the best way to ensure data remains safe. Get trained on the appropriate use and protection of university data and report unauthorized access or misuse. Additionally, it is important to understand how to classify the information you handle, so you know how best to secure it.
Data Classification by Element
We have three data classifications based on the level of security the information needs. Understanding the relative sensitivity of that information helps you understand which of the categories the data fits in.
This data is intended for general use, and can be found on websites, news releases, and in various publications. While no harm would befall the university if unrestricted information were accessed without permission, we are still concerned that the information be presented unchanged, and be available when needed; as such, there are specific standards of care required around the presentation of that information.
Some data, while not as restrictive as confidential, still are by their very nature or regulation private and must not be openly disclosed. There are typically four types of data that fall into this category.
Confidential information is the most restrictive classification. Four types of data fall into this category.
Follow these steps immediately if you suspect your data's been compromised (i.e., the data was out of your control, someone accessed it who wasn't supposed to, etc.).
The less activity that occurs on your computer after you realize information may have been compromised, the more likely it is that the security team will be able to tell whether or not it actually was compromised and what data was accessed.
If you suspect that someone has stolen confidential or sensitive information, hacked into your computer, or suspect your computer has a virus, immediately notify the Office of Information Security.
You are responsible for making sure the system you store information on meets OSU minimum standards. There are different standards for different classifications of data and types of environments.
Before using confidential data with a cloud-based (third-party) service, contact the Office of Information Security for a security assessment.
Use the table below to determine what classifications of data can be maintained on various services and platforms. This list includes Oregon State and 3rd-party services:
Services/Platforms: | Unrestricted: | Sensitive: | Confidential: |
---|---|---|---|
Audio & Video conferencing | Yes | Yes | No |
AWS Infrastructure | Yes | Requires Review & Approval | Requires Review & Approval |
Banner | Yes | Yes | Yes |
Box | Yes | Yes | Requires Review & Approval |
Canvas | Yes | Yes | No |
Core | Yes | Yes | No |
Data Warehouse | Yes | Yes | Yes |
Docusign | Yes | Yes | Yes |
Drupal | Yes | No | No |
Yes | No | No | |
Exchange | Yes | Yes | No |
Google Drive/Docs | Yes | Yes | No |
Office365/OneDrive/Sharepoint | Yes | Yes | Yes |
OnBase | Yes | Yes | Requires Review & Approval |
OSU Network Shares | Yes | Yes | Yes, check with your IT support |
Qualtrics | Yes | Yes | Requires Review & Approval |
Slack | Yes | No | No |
Slack Enterprise Grid (College of Engineering only) | Yes | Yes | No |
VPN | Not required | Recommended | Required |
Wordpress | Yes | No | No |