Data Classification Guidelines

Fordham University’s Data Classification and Protection Policy applies to all data produced, collected, stored, or used by the University, its employees, student workers, consultants, and agents during their relationship with the University.

The Data Classification Grid can help you better understand regulations and policies governing Fordham Protected and Fordham Sensitive Data and determine where to store your files. The Data Classification Grid is not exhaustive or detailed, and regulations and services offered change over time. Please contact IT Service Desk Level 1, visit the Tech Help page under My Pages after logging in to fordham.edu, or email [email protected] if you have any questions on secure data storage or sharing data with colleagues within or outside the University.

Did you know there's more to handling data safely than a strong password and storage solution? Find out by taking our free, self-paced online information security awareness training for employees. To access the courses, log in to Terranova - Security Awareness in the academic section under My Apps in the portal, fordham.edu.

Data Classification Types

Protected Data

Data that contains personally identifiable information.

Human Subject Research
Any sharing or storage of Human Subject Research data is subject to the approval of Fordham University’s Institutional Review Board.

Fordham Provided Services			Data Types key:
			Data may be stored with this service
			Data may not be stored with this service
			If a number is assigned, data may be stored with this service under certain circumstances. See chart legend below, or click on the number.
	FERPA	GLBA	PII	PHI/ HIPAA	Credit Card/PCI	Attorney Privileged Data
Blackboard®
Core Google™ Apps: Classroom, Calendar, Docs, Groups, Chat, Sheets, Sites, Jamboard	1		1			1
Devices on PCI-compliant Network
EasyVista™
Equipment (desktop, laptop, tablet, smartphone)		2
File Shares (S:\ drive) and Managed Servers
Gmail™/Contacts Account	5	4	4			5
Google Drive	1		1			1
MailChimp®, Acoustic Marketing Automation (Fordham Messaging Platform / FMP)	3
Microsoft Azure™ Cloud Computing Platform	4	4	4	4		4
Microsoft Office 365™	1	1	1	1		1
Microsoft OneDrive™ for Business	1	1	1	1		1
Non-Core Google Apps (e.g., Photos, Maps, YouTube™)
OnBase® by Hyland
Panopto®
Qualtrics®
Rackspace Technology™ Cloud Files	4	4	4			4
Reclaim Hosting	1
Removable Media (USB thumb drive)	2	2	2	2		2
Smartsheet™			1
Text Messaging
Zoom		7	7	7		7

Non-Fordham Provided Services			Data Types key:
			Data may be stored with this service
			Data may not be stored with this service
			If a number is assigned, data may be stored with this service under certain circumstances. See chart legend below, or click on the number.
	FERPA	GLBA	PII	PHI/ HIPAA	Credit Card/PCI	Attorney Privileged Data
Personal desktop and laptop	6
Personal equipment (tablet, smartphone, removable media/thumb drive)
Personal third-party email services (e.g., personal Gmail™, Hotmail™, Yahoo®)
Text Messaging
Cloud storage services not covered by University agreements (e.g., Evernote®, Dropbox™, personal Google Drive, iCloud™, Amazon S3™, personal Microsoft Office 365™, personal Microsoft OneDrive™, personal Microsoft Azure™, personal Smartsheet™, and personal Reclaim Hosting services)
Image storage services not covered by University agreements (e.g., Flickr®, Instagram™, SmugMug®)
Third-party survey tools not covered by University agreements (e.g., SurveyMonkey®, Constant Contact®)
Third-party videoconferencing tools not covered by University agreements (e.g., personal Zoom™, personal Microsoft Teams™, FaceTime®, WhatsApp™)

1	This service can only be used when care is taken to limit access to authorized individuals. Do not use features that allow any recipient of a link to view the data, as there is no way to ensure the bearer is the intended party. Do not use features that allow the entire Fordham.edu domain (which includes all students and alumni) to view the data.
2	To protect this class of data, removable media or a mobile device may only be used in conjunction with a sanctioned encryption product. For guidance, please contact the University Information Security Office at [email protected].
3	This service may be used with the approval of the identified data owner. Some data may be subject to regulation by Fordham's Information Risk Management Board (IRMB), and the use of these services must be vetted through the IRMB Risk Assessment process. For other questions, including identifying data ownership, please contact the UISO at [email protected].
4	Fordham Protected and Fordham Sensitive Data stored on these cloud services or emailed to non-Fordham recipients must be encrypted prior to transmission. To review your use of this technology for protected and sensitive data, please contact the University Information Security Office at [email protected].
5	This service may be used with the approval of the identified data owner. Any communication beyond that must follow rule number 4.
6	Limited use of non-Fordham provided services may be used for data protected under this class. Any communication beyond that is prohibited.
7	To protect this class of data, videoconferencing may only be used if Chat, Recording, and Transcript Generation features are disabled.

Sensitive Data

Internal procedures prohibit unauthorized disclosure of this data

Fordham Provided Services	Guidelines for storing sensitive data (legend below defines symbols and numbers)
Blackboard®
Core Google™ Apps: Classroom, Calendar, Docs, Groups, Chat, Sheets, Sites, Jamboard	1
Devices on PCI-compliant Network
EasyVista™
Equipment (desktop, laptop, tablet, smartphone)
File Shares (S:\ drive) and Managed Servers
Gmail™/Contacts Account	5
Google Drive	1
MailChimp®, Acoustic Marketing Automation (Fordham Messaging Platform / FMP)	3
Microsoft Azure™ Cloud Computing Platform	4
Microsoft Office 365™	1
Microsoft OneDrive™ for Business	1
Non-Core Google Apps (e.g., Photos, Maps, YouTube™)
OnBase® by Hyland
Panopto®
Qualtrics®
Rackspace Technology™ Cloud Files	4
Reclaim Hosting
Removable Media (USB thumb drive)	2
Smartsheet™	1
Text Messaging
Zoom™	7

Non-Fordham Provided Services	Guidelines for storing sensitive data (legend below defines symbols and numbers)
Personal desktop and laptop
Personal equipment (tablet, smartphone, removable media/thumb drive)
Personal third-party email services (e.g., personal Gmail, Hotmail™, Yahoo®)
Text Messaging
Cloud storage services not covered by University agreements (e.g., Evernote®, Dropbox™, personal Google Drive, iCloud™, Amazon S3™, personal Microsoft Office 365™, personal Microsoft OneDrive™, personal Microsoft Azure™, personal Smartsheet, and personal Reclaim Hosting services)
Image storage services not covered by University agreements (e.g., Flickr®, Instagram™, SmugMug®)
Third-party survey tools not covered by University agreements (e.g., SurveyMonkey®, Constant Contact®)
Third-party videoconferencing tools not covered by University agreements (e.g., personal Zoom™, personal Microsoft Teams™, Facetime®, WhatsApp™)

	Use allowed.
	Use prohibited.
1	This service can only be used when care is taken to limit access to authorized individuals. Do not use features that allow any recipient of a link to view the data, as there is no way to ensure the bearer is the intended party. Do not use features that allow the entire Fordham.edu domain (which includes all students and alumni) to view the data.
2	To protect this class of data, removable media or a mobile device may only be used in conjunction with a sanctioned encryption product. For guidance, please contact the University Information Security Office at [email protected].
3	This service may be used with the approval of the identified data owner. Some data may be subject to regulation by Fordham's Information Risk Management Board (IRMB), and the use of these services must be vetted through the IRMB Risk Assessment process. For other questions, including identifying data ownership, please contact the UISO at [email protected].
4	Fordham Protected and Fordham Sensitive Data stored on these cloud services or emailed to non-Fordham recipients must be encrypted prior to transmission. To review your use of this technology for protected and sensitive data, please contact the University Information Security Office at [email protected].
5	This service may be used with the approval of the identified data owner. Any communication beyond that must follow rule number 4.
6	Limited use of non-Fordham provided services may be used for data protected under this class. Any communication beyond that is prohibited.
7	To protect this class of data, videoconferencing may only be used if Chat, Recording, and Transcript Generation features are disabled.

Public Data

Data may be available to the general public

Fordham Provided Services	Guidelines for storing public data (legend below defines symbols and numbers)
Blackboard®
Core Google™ Apps: Classroom, Calendar, Docs, Groups, Chat, Sheets, Sites, Jamboard
Devices on PCI-compliant Network
EasyVista™
Equipment (desktop, laptop, tablet, smartphone)
File Shares (S:\ drive) and Managed Servers
Gmail™/Contacts Account
Google Drive
MailChimp®, Acoustic Marketing Automation (Fordham Messaging Platform / FMP)
Microsoft Azure™ Cloud Computing Platform
Microsoft Office 365™
Microsoft OneDrive™ for Business
Non-Core Google Apps (e.g. Photos, Maps, YouTube™)
OnBase® by Hyland
Panopto®
Qualtrics®
Rackspace Technology™ Cloud Files
Reclaim Hosting
Removable Media (USB thumb drive)
Smartsheet™
Text Messaging
Zoom™

Non-Fordham Provided Services	Guidelines for storing public data (legend below defines symbols and numbers)
Personal desktop and laptop
Personal equipment (tablet, smartphone, removable media/thumb drive)
Personal third-party email services (e.g., Personal Gmail, Hotmail™, Yahoo®)
Text Messaging
Cloud storage services not covered by University agreements (e.g., Evernote®, Dropbox™, personal Google Drive, iCloud™, Amazon S3™, personal Microsoft Office 365, personal Microsoft OneDrive, personal Microsoft Azure, personal Smartsheet, and personal Reclaim Hosting services)
Image storage services not covered by University agreements (e.g., Flickr®, Instagram™, SmugMug®)
Third-party survey tools not covered by University agreements (e.g., SurveyMonkey®, Constant Contact®)
Third-party videoconferencing tools not covered by University agreements (e.g., personal Zoom, personal Microsoft Teams™, FaceTime®, WhatsApp™)

	Use allowed.
	Use prohibited.
1	This service can only be used when care is taken to limit access to authorized individuals. Do not use features that allow any recipient of a link to view the data, as there is no way to ensure the bearer is the intended party. Do not use features that allow the entire Fordham.edu domain (which includes all students and alumni) to view the data.
2	To protect this class of data, removable media or a mobile device may only be used in conjunction with a sanctioned encryption product. For guidance, please contact the University Information Security Office at [email protected].
3	This service may be used with the approval of the identified data owner. Some data may be subject to regulation by Fordham's Information Risk Management Board (IRMB), and the use of these services must be vetted through the IRMB Risk Assessment process. For other questions, including identifying data ownership, please contact the UISO at [email protected].
4	Fordham Protected and Fordham Sensitive Data stored on these cloud services or emailed to non-Fordham recipients must be encrypted prior to transmission. To review your use of this technology for protected and sensitive data, please contact the University Information Security Office at [email protected].
5	This service may be used with the approval of the identified data owner. Any communication beyond that must follow rule number 4.
6	Limited use of non-Fordham provided services may be used for data protected under this class. Any communication beyond that is prohibited.
7	To protect this class of data, videoconferencing may only be used if Chat, Recording, and Transcript Generation features are disabled.