Data Management and Classification

A Commitment to Data Security

OSU’s network contains data that could cause harm to individuals within our community should it fall into the wrong hands. The Office of Information Security is tasked with identifying threats to that data, such as hackers and the malicious software they use, but it is up to those who work with this data at Oregon State University to help us maintain our commitment to the safety and privacy of our data.

Data Overview

Working with OSU Data

While working with OSU data, you must protect the data you access. Following policies, procedures, standards and guidelines is the best way to ensure data remains safe. Get trained on the appropriate use and protection of university data and report unauthorized access or misuse. Additionally, it is important to understand how to classify the information you handle, so you know how best to secure it.

Reporting

If you suspect that someone has stolen confidential or sensitive information or hacked into your computer, or that your computer has a virus, immediately notify the Office of Information Security.

Minimum Standards

You are responsible for making sure the system you store information on meets OSU minimum standards. There are different standards for different classifications of data and types of environments.

Security Assessment

Before using confidential data with a cloud-based (third-party) service, contact the Office of Information Security for a security assessment.

If OSU Data is Compromised

Follow these steps immediately if you suspect your data’s been compromised (the data was out of your control, someone accessed it who wasn’t supposed to, etc.).

  1. Figure out its data classification. What type of information is it? Which of the data classification categories does it fit into?
  2. Report it to your IT support group (departmental computer administrator – DCA). Give the DCA as much information as you can, including how you think the data would be classified.
  3. Follow the directions they give you, even when that means you’ll lose changes to files.
  4. Once the initial risk has been eliminated, report it to your supervisor and to the Office of Information Security (call 541-737-9800).
  5. The CISO will decide what needs to happen next. The Office of Information Security will lead the investigation of the possible breach and will let the appropriate data custodians know what’s happened.

The less activity that occurs on your computer after you realize information may have been compromised, the more likely it is that the security team will be able to tell whether or not it actually was compromised and what data was accessed.

Data Classification

How secure should this data be?

We have three data classifications (categories of data) based on the level of security the information needs. Understanding the relative sensitivity of that information helps you understand which category the data fits in.

Unrestricted

This data is intended for general use, and can be found on websites, news releases, and in various publications. While no harm would befall the university if Unrestricted Information were accessed without permission, we are still concerned that the information be presented unchanged, and be available when needed; as such, there are specific standards of care required around the presentation of that information.

Sensitive

Some data, while not as restricted as Confidential data, are by their very nature or by regulation private and must not be openly disclosed. There are typically four types of data that fall into this category.

  • Student data
  • Employee data
  • Confidential Donor Information
  • Privileged Attorney-Client Communications and Minutes from Confidential Meetings

Confidential

Confidential information is the most restrictive classification. Four types of data fall into this category.

  • Personal information that could be used in identity theft or exposure of personal health information if it’s not secured.
  • Research data that a funding agency or other research partner has identified as highly private.
  • Financial, legal and other data of a highly confidential nature.
  • Specific technical information detailing how we restrict access, or otherwise secure data, in this classification.

Data Storage

What data can I keep where?

Use the table below to determine what classifications of data can be maintained on various services and platforms. This list includes Oregon State and 3rd-party services.

| Services/Platforms | Unrestricted | Sensitive | Confidential |
|---|---|---|---|
| Audio and Video Conferencing | Yes | Yes | No |
| AWS Infrastructure | Yes | Requires Review/Approval | Requires Review/Approval |
| Banner | Yes | Yes | Yes |
| Box | Yes | Yes | Requires Review/Approval |
| Canvas | Yes | Yes | No |
| Core | Yes | Yes | No |
| Data Warehouse | Yes | Yes | Yes |
| DocuSign | Yes | Yes | Yes |
| Drupal | Yes | No | No |
| Email (with and without Secure: in the subject line) | Yes | No | No |
| Exchange | Yes | Yes | No |
| Google Drive/Docs | Yes | Yes | No |
| MySQL Database | Yes | No | No |
| Office 365 | Yes | Yes | No |
| Qualtrics | Yes | Yes | Requires Review/Approval |
| Slack | Yes | No | No |
| VPN | Not Required | Recommended | Required |
| WordPress | Yes | No | No |