Data Management and Classification  

OSU's network contains data that could cause harm to individuals within our community should it fall into the wrong hands. The Office of Information Security is tasked with identifying threats to that data, such as hackers and the malicious software they use, but it is up to those who work with this data at Oregon State University to help us maintain our commitment to the safety and privacy of our data.


WORKING WITH OSU DATA

While working with OSU data, you must protect the data you access. Following policies, procedures, standards and guidelines is the best way to ensure data remains safe. Get trained on the appropriate use and protection of university data and report unauthorized access or misuse. Additionally, it is important to understand how to classify the information you handle, so you know how best to secure it.

 

Baseline Standards of Care

Data Classification by Element

HOW SECURE SHOULD DATA BE?

We have three data classifications based on the level of security the information needs. Understanding the relative sensitivity of the information helps you determine which category it fits in.

 


UNRESTRICTED DATA

This data is intended for general use, and can be found on websites, news releases, and in various publications. While no harm would befall the university if unrestricted information were accessed without permission, we are still concerned that the information be presented unchanged, and be available when needed; as such, there are specific standards of care required around the presentation of that information.

SENSITIVE DATA

Some data, while not as restricted as confidential data, are private by their very nature or by regulation and must not be openly disclosed. There are typically four types of data that fall into this category.

  • Student data
  • Employee data
  • Confidential Donor Information
  • Privileged Attorney-Client Communications and Minutes from Confidential Meetings

CONFIDENTIAL DATA

Confidential information is the most restrictive classification. Four types of data fall into this category.

  • Personal information that could be used in identity theft or exposure of personal health information.
  • Research data that a funding agency or other research partner has identified as highly private.
  • Financial, legal and other data of a highly confidential nature.
  • Specific technical information detailing how we restrict access, or otherwise secure data, in this classification.

What to do if data is compromised

Follow these steps immediately if you suspect your data's been compromised (i.e., the data was out of your control, someone accessed it who wasn't supposed to, etc.).

  1. Figure out its data classification. What type of information is it? Which of the categories above does it fit into?
  2. Report it to your IT support group (departmental computer administrator - DCA). Give the DCA as much information as you can, including how you think the data would be classified.
  3. Follow the directions they give you, even when that means you'll lose changes to files.
  4. Report it to your supervisor and to the Office of Information Security.
  5. The CISO will decide what needs to happen next. The Office of Information Security will lead the investigation of the possible breach and will let the appropriate data custodians know what's happened.

The less activity that occurs on your computer after you realize information may have been compromised, the more likely it is that the security team will be able to tell whether or not it actually was compromised and what data was accessed.


REPORTING

If you suspect that someone has stolen confidential or sensitive information, hacked into your computer, or suspect your computer has a virus, immediately notify the Office of Information Security.


MINIMUM STANDARDS

You are responsible for making sure the system you store information on meets OSU minimum standards. There are different standards for different classifications of data and types of environments.


SECURITY ASSESSMENT

Before using confidential data with a cloud-based (third-party) service, contact the Office of Information Security for a security assessment.


WHAT DATA CAN I KEEP WHERE?

Use the table below to determine what classifications of data can be maintained on various services and platforms. The list includes both Oregon State and third-party services:

| Services/Platforms | Unrestricted | Sensitive | Confidential |
|---|---|---|---|
| Audio & Video conferencing | Yes | Yes | No |
| AWS Infrastructure | Yes | Requires Review & Approval | Requires Review & Approval |
| Banner | Yes | Yes | Yes |
| Box | Yes | Yes | Requires Review & Approval |
| Canvas | Yes | Yes | No |
| Core | Yes | Yes | No |
| Data Warehouse | Yes | Yes | Yes |
| Docusign | Yes | Yes | Yes |
| Drupal | Yes | No | No |
| Email | Yes | No | No |
| Exchange | Yes | Yes | No |
| Google Drive/Docs | Yes | Yes | No |
| Office365/OneDrive/Sharepoint | Yes | Yes | Yes |
| OnBase | Yes | Yes | Requires Review & Approval |
| OSU Network Shares | Yes | Yes | Yes, check with your IT support |
| Qualtrics | Yes | Yes | Requires Review & Approval |
| Slack | Yes | No | No |
| Slack Enterprise Grid (College of Engineering only) | Yes | Yes | No |
| VPN | Not required | Recommended | Required |
| Wordpress | Yes | No | No |