Data Classification Guidelines

Fordham University’s Data Classification Policy applies to all data produced, collected, stored, or used by the University, its employees, student workers, consultants and agents during their relationship with the University.

The Data Classification Grid can help you better understand regulations and policies governing Protected and Sensitive Data and determine where to store your files. The Data Classification Grid is not exhaustive or detailed, and regulations and services offered change over time. Please contact IT Customer Care, visit your Tech Help tab, or send an email to infosec@fordham.edu if you have any questions on secure data storage or the sharing of data with colleagues within or outside the University.

Did you know there's more to handling data safely than a strong password and storage solution? Find out by taking our free, self-paced online Cyber Security Awareness training. It can be found under "My Organizations" in Blackboard, accessed at fordham.blackboard.com.

Data Classification Types

Protected Data

Protected Data

Data that contains personally identifiable information

Human Subject Research
Any sharing or storage of Human Subject Research data is subject to the approval of Fordham University’s Institutional Review Board.

Fordham IT
Provided Services
Data Types key:
Allowed Data may be stored with this service
Prohibited Data may not be stored with this service
If a number is assigned, data may be stored with this service under certain circumstances. See chart legend below, or click on the number.
  FERPA GLBA PII PHI/
HIPAA
Credit Card/PCI Attorney Privileged Data
@fordham.edu GMAIL/Contacts account

5

4

4

Prohibited
Prohibited

5

Text Messages on Fordham provided cell phone
Prohibited
Prohibited
Prohibited
Prohibited
Prohibited
Prohibited
Fordham Google Drive

1

Prohibited

1

Prohibited
Prohibited

1

Fordham Core Google Apps (Classroom, Calendar, Docs, Groups, Hangouts, Sheets, Sites)

1

Prohibited

1

Prohibited
Prohibited

1

Fordham Non-Core Google Apps (e.g., Photos, Maps, YouTube)
Prohibited
Prohibited
Prohibited
Prohibited
Prohibited
Prohibited
Fordham IT provided File Shares (S:\, P:\ drives) and Managed Servers
Allowed
Allowed
Allowed
Prohibited
Prohibited
Allowed
Fordham IT provided desktop, laptop, tablet, smartphone
Allowed

2

Allowed
Prohibited
Prohibited
Allowed
Fordham IT provided removable media (thumb drives)

2

2

2

2

Prohibited

2

Device located on PCI compliant network
Allowed
Prohibited
Allowed
Prohibited
Allowed
Prohibited
Blackboard
Allowed
Prohibited
Prohibited
Prohibited
Prohibited
Prohibited
Hyland/OnBase
Allowed
Allowed
Allowed
Allowed
Prohibited
Allowed
EasyVista
Allowed
Prohibited
Prohibited
Prohibited
Prohibited
Prohibited
MailChimp, SilverPop

3

Prohibited
Prohibited
Prohibited
Prohibited
Prohibited
Qualtrics, SurveyMonkey
Prohibited
Prohibited
Prohibited
Prohibited
Prohibited
Prohibited
Rackspace Cloud Files

4

4

4

Prohibited
Prohibited

4

Microsoft Azure Cloud Computing Platform (Fordham-issued School account)

7

7

7

Prohibited Prohibited

7

Smartsheet

Prohibited

Prohibited

1

Prohibited Prohibited Prohibited
OneDrive for Business (Fordham-issued School account)

1

Prohibited

1

Prohibited Prohibited

1

Fordham Office 365 (Fordham-issued School account)

1

Prohibited

1

Prohibited Prohibited

1

MyFiles

1

Prohibited

1

Prohibited
Prohibited

1

Non-Fordham IT
Provided Services
Data Types key:
Allowed Data may be stored with this service
Prohibited Data may not be stored with this service
If a number is assigned, data may be stored with this service under certain circumstances. See chart legend below, or click on the number.
  FERPA GLBA PII PHI/
HIPAA
Credit Card/
PCI
Attorney
Privileged
Data
Personal desktop and laptop

6

Prohibited
Prohibited
Prohibited
Prohibited
Prohibited
Personal equipment (tablet, smartphone, removable media/thumb drive)
Prohibited
Prohibited
Prohibited
Prohibited
Prohibited
Prohibited
Personal third-party email services (e.g., personal Gmail, Hotmail, Yahoo)
Prohibited
Prohibited
Prohibited
Prohibited
Prohibited
Prohibited
Cloud storage services without University agreements (e.g., Evernote, Dropbox, personal Google Drive, iCloud, Amazon S3, personal Office 365, personal OneDrive, personal Microsoft Azure, and personal Smartsheet)
Prohibited
Prohibited
Prohibited
Prohibited
Prohibited
Prohibited
Image storage services not covered by University agreements (e.g., Flickr, Instagram, SmugMug)
Prohibited
Prohibited
Prohibited
Prohibited
Prohibited
Prohibited
Third-party survey tools not covered by University agreements (e.g., Zoomerang, Constant Contact)
Prohibited
Prohibited
Prohibited
Prohibited
Prohibited
Prohibited
1 Service can be used only when care is taken to limit access to authorized individuals. Do not use features that allow any recipient of a link to view the data, as there is no way to ensure the bearer is the intended party. Do not use features that allow the entire Fordham.edu domain (which includes all students and alumni) to view the data.
2 To protect this class of data, removable media or a mobile device may only be used in conjunction with a sanctioned encryption product. For guidance, please contact the University Information Security Office at infosec@fordham.edu.
3 This service may be used with the approval of the identified data owner. Some data may be subject to regulation by Fordham's Information Risk Management Board (IRMB), and use of these services must be vetted through the IRMB Risk Assessment process. For other questions, including identifying data ownership, please contact the UISO at infosec@fordham.edu.
4 Protected and sensitive data stored on these cloud services must be encrypted prior to transmission. Encryption keys must be stored in a separate secure location. To review your use of this technology for storing data and to ensure you adhere to these standards, please contact the University Information Security Office at infosec@fordham.edu.
5 This service may be used with the approval of the identified data owner. Any communication beyond that must follow rule number 4.
6 Limited use of non-Fordham IT provided services may be used for data protected under this class. Any communication beyond that is prohibited.
7 Protected and Sensitive data stored on these cloud services must be encrypted prior to transmission, with encryption keys stored in a separate secure location. Please contact the UISO at infosec@fordham.edu when planning to use this technology for computing or more than simple storage to ensure adherence to Fordham's data handling standards.

Back to top

Sensitive Data

Sensitive Data

Internal procedures prohibit unauthorized disclosure of this data

Fordham IT Provided Services Guidelines for storing sensitive data (legend below defines symbols and numbers)
@fordham.edu GMAIL/Contacts account

5

Text Messages on Fordham provided cell phone
Prohibited
Fordham Google Drive

1

Fordham Core Google Apps (Classroom, Calendar, Docs, Groups, Hangouts, Sheets, Sites)

1

Fordham Non-Core Google Apps (e.g., Photos, Maps, YouTube)
Prohibited
Fordham IT provided File Shares (S:\, P:\ drives) and Managed Servers
Allowed
Fordham IT provided desktop, laptop, tablet, smartphone
Allowed
Fordham IT provided removable media (thumb drives)

2

Device located on PCI compliant network
Allowed
Blackboard
Allowed
Hyland/OnBase
Allowed
EasyVista
Prohibited
MailChimp, SilverPop

3

Qualtrics, SurveyMonkey

3

Rackspace Cloud Files

4

Microsoft Azure Cloud Computing Platform (Fordham-issued School account Prohibited
Smartsheet

1

OneDrive for Business (Fordham-issued School account) Prohibited
Fordham Office 365 (Fordham-issued School account) Prohibited
MyFiles

1

Non-Fordham IT Provided Services

Guidelines for storing sensitive data (legend below defines symbols and numbers)

Personal desktop and laptop
Prohibited
Personal equipment (tablet, smartphone, removable media/thumb drive)
Prohibited
Personal third-party email services (e.g., personal Gmail, Hotmail, Yahoo)
Prohibited
Cloud storage services without University agreements (e.g., Evernote, Dropbox, personal Google Drive, iCloud, Amazon S3, personal Office 365, personal OneDrive, personal Microsoft Azure, and personal Smartsheet)
Prohibited
Image storage services not covered by University agreements (e.g., Flickr, Instagram, SmugMug)
Prohibited
Third-party survey tools not covered by University agreements (e.g., Zoomerang, Constant Contact)
Prohibited
Allowed Use allowed.
Prohibited
Use prohibited.
1 Service can be used only when care is taken to limit access to authorized individuals. Do not use features that allow any recipient of a link to view the data, as there is no way to ensure the bearer is the intended party. Do not use features that allow the entire Fordham.edu domain (which includes all students and alumni) to view the data.
2 To protect this class of data, removable media or a mobile device may only be used in conjunction with a sanctioned encryption product. For guidance, please contact the University Information Security Office at infosec@fordham.edu.
3 This service may be used with the approval of the identified data owner. Some data may be subject to regulation by Fordham's Information Risk Management Board (IRMB), and use of these services must be vetted through the IRMB Risk Assessment process. For other questions, including identifying data ownership, please contact the UISO at infosec@fordham.edu.
4 Protected and sensitive data stored on these cloud services must be encrypted prior to transmission. Encryption keys must be stored in a separate secure location. To review your use of this technology for storing data and to ensure you adhere to these standards, please contact the University Information Security Office at infosec@fordham.edu.
5 This service may be used with the approval of the identified data owner. Any communication beyond that must follow rule number 4.
6 Limited use of non-Fordham IT provided services may be used for data protected under this class. Any communication beyond that is prohibited.
7 Protected and Sensitive data stored on these cloud services must be encrypted prior to transmission, with encryption keys stored in a separate secure location. Please contact the UISO at infosec@fordham.edu when planning to use this technology for computing or more than simple storage to ensure adherence to Fordham's data handling standards.

Back to top

Public Data

Public Data

Data may be available to the general public

Fordham IT Provided Services Guidelines for storing public data (legend below defines symbols and numbers)
@fordham.edu GMAIL/Contacts account
Allowed
Text Messages on Fordham provided cell phone
Allowed
Fordham Google Drive
Allowed
Fordham Core Google Apps (Classroom, Calendar, Docs, Groups, Hangouts, Sheets, Sites)
Allowed
Fordham Non-Core Google Apps (e.g. Photos, Maps, YouTube)
Allowed
Fordham IT provided File Shares (S:\, P:\ drives) and Managed Servers
Allowed
Fordham IT provided desktop, laptop, tablet, smartphone
Allowed
Fordham IT provided removable media (thumb drives)
Allowed
Device located on PCI compliant network
Allowed
Blackboard
Allowed
Hyland/OnBase
Allowed
EasyVista
Allowed
MailChimp, SilverPop
Allowed
Qualtrics, SurveyMonkey
Allowed
Rackspace Cloud Files
Allowed
Microsoft Azure Cloud Computing Platform (Fordham-issued School account Allowed
Smartsheet Allowed
OneDrive for Business (Fordham-issued School account) Allowed
Fordham Office 365 (Fordham-issued School account) Allowed
MyFiles Allowed
Non-Fordham IT Provided Services Guidelines for storing public data (legend below defines symbols and numbers)
Personal desktop and laptop Allowed
Personal equipment (tablet, smartphone, removable media/thumb drive)
Allowed
Personal third-party email services (e.g., Personal Gmail, Hotmail, Yahoo)
Allowed
Cloud storage services without University agreements (e.g., Evernote, Dropbox, personal Google Drive, iCloud, Amazon S3, personal Office 365, personal OneDrive, personal Microsoft Azure, and personal Smartsheet)
Allowed
Image storage services not covered by University agreements (e.g., Flickr, Instagram, SmugMug)
Allowed
Third-party survey tools not covered by University agreements (e.g., Zoomerang, Constant Contact)
Allowed
Allowed Use allowed.
Prohibited
Use prohibited.
1 Service can be used only when care is taken to limit access to authorized individuals. Do not use features that allow any recipient of a link to view the data, as there is no way to ensure the bearer is the intended party. Do not use features that allow the entire Fordham.edu domain (which includes all students and alumni) to view the data.
2 To protect this class of data, removable media or a mobile device may only be used in conjunction with a sanctioned encryption product. For guidance, please contact the University Information Security Office at infosec@fordham.edu.
3 This service may be used with the approval of the identified data owner. Some data may be subject to regulation by Fordham's Information Risk Management Board (IRMB), and use of these services must be vetted through the IRMB Risk Assessment process. For other questions, including identifying data ownership, please contact the UISO at infosec@fordham.edu.
4 Protected and sensitive data stored on these cloud services must be encrypted prior to transmission. Encryption keys must be stored in a separate secure location. To review your use of this technology for storing data and to ensure you adhere to these standards, please contact the University Information Security Office at infosec@fordham.edu.
5 This service may be used with the approval of the identified data owner. Any communication beyond that must follow rule number 4.
6 Limited use of non-Fordham IT provided services may be used for data protected under this class. Any communication beyond that is prohibited.
7 Protected and Sensitive data stored on these cloud services must be encrypted prior to transmission, with encryption keys stored in a separate secure location. Please contact the UISO at infosec@fordham.edu when planning to use this technology for computing or more than simple storage to ensure adherence to Fordham's data handling standards.

Back to top