Information Technology Services

Home » Network Services » Data Storage » Requirements

University Data Storage Requirements

Business, academic, and research data are subject to the university's Data Classification Policy which defines four classes of data with respect to risk: High, Moderate, Low, and Minimal. It is important that data are properly classified and only stored on appropriate services.

If you work with High, Moderate or Low Risk data, you are responsible for using an approved storage service for the class of data you are working with. (If the data files fall into the Minimal Risk class, e.g., general business docs, then you can choose any of the available storage options.)

Data Stewards are responsible for assigning data classifications to particular categories of data. If you are unsure of the the correct storage service/location for the data you are working with, you should always ask the appropriate Data Steward.

The tables below list approved storage solutions, by classification level.

Note: It is acceptable to move data from a lower to a higher classification level, but not the reverse. For example, Moderate Risk Data may be stored on services approved for High Risk Data, but High Risk Data may not be stored on Moderate Risk data services.


High Risk Data

Data with a known protection or disclosure standard whose release to an unauthorized person would be a violation of Federal or State laws, and would potentially result in criminal penalties. PCI DSS is also classified as High Risk data.

IMPORTANT: Employees with access to data classified as HIgh Risk data are required to use UNCG Two-Factor Authentication (2FA). To learn more about UNCG 2FA and for instructions on how to enroll, please visit Two-factor Authentication @ UNCG.

Data Classification Examples Approved Storage Services Notes Location
High Risk Data

- SSN data

- Health Insurance Portability and Accountability Act (HIPAA)

- Data subject to protection under contractural requirements

- Federal Information Security Management Act (FISMA)


- North Carolina Identity Theft Protection Act

Box and approved apps

  Cloud
Secure Volumes*   UNCG Network
*Secure volume: A volume of data that has been set up for specific needs for a department and that is only accessible from specific workstations that the department has designated should have access.

Moderate Risk Data

Data not classified as High Risk, whose loss, corruption, or unauthorized disclosure would constitute a violation of Federal or State laws, and would potentially result in civil penalties.

Data Classification Examples Approved Storage Services Notes Location
Moderate Risk Data

- Family Educational Rights and Privacy Act (FERPA)

- Data subject to protection under contractural requirements

- Some research data

N: Drive (Departmental Network Space)

Will be phased out and replaced by Special and Secure Volumes or Box UNCG Network
Box and approved apps   Cloud
S: Drive (Personal Network Space) Will be phased out and replaced by Box UNCG Network
Special Volumes (e.g., X: Drive)*    

*Special volume: A volume of data that has been set up for specific needs for a department.


Low Risk Data

Data not falling in the High Risk or Moderate Risk categories, which is not intended for public dissemination, but which may be subject to a Public Records Request (see UNCG's Public Records Policy).

Data Classification Examples Approved Storage Services Notes Location
Low Risk Data

- Employee email

- Departmental policies and procedures

- Internal memos

- Research data not subject to specific confidentiality requirements from IRB or other agency

Google Drive, Email

Only Low or Minimal Risk Data may be emailed Cloud
Box Sync   Cloud
Box and approved apps   Cloud

Minimal Risk Data

Data intended for public dissemination.

Data Classification Examples Approved Storage Services Notes Location
Minimal Risk Data

- Press releases

- Web pages

- Directory information

Any UNCG-sanctioned storage location, including workstations

Data at this classification level is still subject to retention standards. Varies

Student Personal Information

UNCG students have access to a number of file storage solutions and are welcome to use the service that best meets their needs.

However, this only applies to personal files that do not fall under one of the classification levels above. For example, a student may store a research paper on their Google Drive. But, if a student works with HIPAA data, either academically or as a student employee, that data is classified as High Risk Data and must be protected accordingly.

Service Notes
Google Drive

Read about: About Google Drive

Access: http://drive.uncg.edu

Microsoft OneDrive

Read about: Office 365 FAQ

Access: http://office365.uncg.edu

Box

Read about: Box @ UNCG

Access: https://box.uncg.edu


Employee Non-standard Storage Locations

UNCG has available storage locations which are not part of the University’s enterprise storage and compliance plan. Often these services are obtained as a side-effect of purchasing certain software. Use of these storage locations is not prohibited for staff, but they are not supported to the level of Google Drive and Box and should generally not be used for business purposes where data security and data retention requirements are a concern.

Storage Location Permitted Data Classification Notes
Microsoft OneDrive Minimal Risk*

Read about: Office 365 FAQ

Access: http://office365.uncg.edu

*Minimal Risk data may still be subject to data retention standards. These locations should not be used for documents subject to retention standards.