Electronically Stored Information

How electronic information should be handled is based upon the category of data that is contained in the electronic file. Electronic information must be handled according to the highest classification level of data contained in the file. For example, if a file contains both Public and Restricted information, then the file should be handled according to the Restricted classification. Purdue Data Users are urged to contact the Data Stewards for guidance in cases that present handling questions or security concerns.

Actions

Storage on Servers, Authentication Required

This category includes Purdue central departmental file storage servers or Career Account storage spaces where access is protected via Purdue authentication credentials. Purdue authentication credentials include the Purdue Career Account and password, or a username/password combination issued by a departmental IT unit when the Purdue Career Account cannot be reasonably used.

As a result, this category includes the following storage scenarios:

  • Data stored on servers that can be accessed on a campus workstation as part of a user's workstation profile.
  • Data stored on servers that can be accessed remotely via a file transfer protocol where Purdue authentication credentials must be provided before a user can access the files.
  • Data stored on servers that can be accessed remotely via the use of a tool through the Internet where Purdue authentication credentials must be provided before a user can access the files. (This section covers the use of tools like Sharepoint for Purdue users only).
  • Purdue web spaces with information intended for Purdue dissemination only and where Purdue authentication credentials must be provided before a user can access data.

Purdue-provided central and departmental servers are among the most secure places to store Purdue Restricted data. However, some Restricted data types (e.g., protected health information, banking information, or credit card information) may be subject to laws that require the data to be stored in an encrypted form or require the data to be Restricted to specific authorized users only. Some common laws that may require additional security precautions include HIPAA (for health information), FERPA (for student information), GLBA (for financial account information), and PCI (for credit card information). Contact your Data Steward if you have questions about how these laws may apply to the data you are using.

Type: Public
Requirements: No special requirements

Type: Sensitive
Requirements: No special requirements

Type: Restricted
Requirements: No special requirements (subject to any applicable laws, as discussed above)

Storage on Servers, No Authentication Required

This category includes file storage servers where the data stored on those servers can be accessed via internet, and where that access does not require the use of Purdue authentication credentials to access the files. So, this category includes the following storage scenarios:

  • Purdue webpages with information intended for public dissemination
  • Files on servers that can be accessed remotely via the use of a tool through the internet where Purdue authentication credentials are not required before access. (This section covers the use of tools like SharePoint when access to different files or data is given to non-Purdue users.)

Data Users are urged to exercise caution when providing access to Purdue data without appropriate Purdue authentication. For instance, when allowing non-Purdue users to access Purdue data, a Data User must make sure that there are adequate protections (such as password protection, encryption, and secure communication channels) in place to protect that data. 

Type: Public
Requirements: No special requirements

Type: Sensitive
Requirements: Not allowed

Type: Restricted
Requirements: Not allowed

Storage on Third-Party Servers or Cloud Services

This category includes storage on vendor solutions where Purdue has determined that there is a business need for the vendor’s solution and has entered into a contract with the vendor. Typically, cloud vendor services are offered as Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS), and systems supporting these are owned by another company and accessed via the internet. Some services may integrate with on premise systems or applications that are hosted and operated by the University and Purdue authentication credentials are used to access the vendor’s solution. Purdue authentication credentials include the Purdue Career Account and password, or a username/password combination issued by a departmental IT unit when the Purdue Career Account cannot be reasonably used. 

As a result, this category includes the following storage scenario:

  • Data stored on third-party-hosted servers where Purdue has determined that there is a business need for the vendor’s solution and Purdue has entered into a contract with the vendor.

Due to information security and privacy concerns, including obligations by law or contractual requirements with other entities, use of third-party cloud solutions require security risk review and contractual terms covering data protection. Cloud Computing Consumer Guidelines must be considered prior to purchase or use of third-party solutions. Purdue authentication credentials should be used when feasible. Some common laws that may require additional security precautions or contractual terms include HIPAA (for health information), FERPA (for student information), GLBA (for financial account information), and PCI (for credit card information), ITAR, EAR (government restricted research data) or CUI (Controlled Unclassified Information as indicated by Executive Order 13556). Contact your Data Steward if you have questions about how these laws may apply to the data you are using with a third-party solution.

Type: Public
Requirements: No special requirements

Type: Sensitive
Requirements: Encryption required for all new services and as current contracts renew

Type: Restricted
Requirements: Encryption required for all new services and as current contracts renew (also subject to any applicable laws as discussed above)

Storage on Electronic Media

This category includes all media on which electronic data can be stored, including but not limited to internal and external hard drives, magnetic tapes, diskettes, CDs, DVDs, and USB storage devices.

This category is intended to apply to a person’s direct use of electronic media, and does not apply to archival, disaster recovery, and backup media used by Purdue information technology departments to protect Purdue data as part of normal operational activities. Such archival electronic media must be properly secured from loss, theft, and unauthorized access.

Data Users are reminded that central and departmental servers, where Purdue authentication is required, are the best place to store all categories of Purdue data, particularly Purdue Restricted data. Data Users are encouraged to consult the Data Stewards if Sensitive or Restricted data must be stored on electronic media (other than Purdue servers). Data Users should exercise caution and common sense when storing Purdue data on personally owned computing devices, including electronic media. In almost all instances, Purdue Restricted data should never be stored on a Data User’s personally owned computing devices, and Data Users should be cautious of storing Sensitive data on personally owned computing devices.

Type: Public
Requirements: No special requirements

Type: Sensitive
Requirements: Not advised

Type: Restricted
Requirements: Not allowed

Storage on Mobile Devices

This category includes all computing and technology devices, regardless of name, that serve as a stand-alone and mobile computing device. Devices such as laptop computers, tablet computers, smart phones, cell phones, e-readers, and personal digital assistants fall in this category. This category is used to define Purdue-owned mobile devices only. 

Data Users are reminded that mobile devices are easily lost and/or stolen and must be secured appropriately. ITaP has published information about mobile device security best practices. These security best practices must be implemented on mobile devices that process or store Purdue data. Data Users should exercise caution and common sense when storing Purdue data on personally owned computing devices, including mobile devices. In almost all instances, Purdue Restricted data should never be stored on a Data User’s personally owned computing devices, and Data Users should be cautious of storing Sensitive data on personally owned computing devices.

Type: Public
Requirements: No special requirements

Type: Sensitive
Requirements: Not advised

Type: Restricted
Requirements: Not allowed

Disposal of Physical Electronic Media, Repurposed for University Use

This category applies to any electronic media that is ready for disposal in one unit or department, but is capable of reuse within another unit or department of the University. This category applies to any electronic media that is reused within the University.

Type: Public
Requirements: Multiple pass overwrite according to Media Disposal Guidelines

Type: Sensitive
Requirements: Multiple pass overwrite according to Media Disposal Guidelines

Type: Restricted
Requirements: Multiple pass overwrite according to Media Disposal Guidelines

Purdue has issued Media Disposal Guidelines to provide guidance on media disposal techniques. A multiple pass or Department of Defense (DoD) overwrite means to overwrite all addressable locations with a character, its complement, then a random character, and verify.   

Disposal of Physical Electronic Media, NOT Repurposed for University Use

This category applies to any electronic media that is ready for disposal and will not be reused within the University. This category is intended to apply to any electronic media on which data can be stored, and also includes multi-function devices such as copiers and scanners that are leased by the University. These devices usually have some sort of data storage capability. Departments leasing equipment with data storage capabilities are encouraged to make sure all lease agreements include provisions about securely deleting or replacing device hard drives once the device is no longer in use at Purdue (and before the device leaves University property). Departments can contact the Data Stewards for assistance if needed.

Type: Public
Requirements: Physically destroy

Type: Sensitive
Requirements: Physically destroy

Type: Restricted
Requirements: Physically destroy

To destroy electronic media means to physically destroy it beyond any ability to recover any data on the media. Shredding media is an appropriate destruction method. The use of the University “Recycle for the Future” recycling program is acceptable for disposal of all classifications of electronic media/data. Information regarding this program can be found at: www.purdue.edu/surplus.

Voicemail

Purdue uses a computerized messaging system for voice mail services. The messaging system allows you to manage your voicemail messages via telephone and/or computer through web access. Voicemail messages are stored on the messaging system and can be accessed from your telephone. There is also the ability to set remote notification, which sends a notification to mobile devices when a voicemail message is received. Voicemail messages can also be forwarded to an email address (e.g., wav or proprietary .vbk attachment.)

Data Users must exercise care in using the messaging system and in forwarding voicemail messages to your email as an attachment. In some instances, this service must be disabled for an entire area in order to prevent the transmission of Restricted information via email. This is particularly important with respect to the email forwarding function in areas that might be covered by HIPAA. Purdue Data Users are urged to contact the HIPAA Privacy Office for guidance in these cases.

Type: Public
Requirements: No special requirements

Type: Sensitive
Requirements: No special requirements

Type: Restricted
Requirements: Do not leave Restricted information in a voice mail message. Ask the recipient to call you back. If you receive Restricted information in a voice mail message, delete the message immediately upon receipt.

Access to Data in Applications and Databases

This category includes access to data in Purdue applications and databases for business operations purposes. In most cases, access to information, and the ability to use, manipulate, or delete that information is based on roles defined by business areas (and is not specified based on field values). Users are urged to contact an application owner or data stewards for guidance in cases that present handling questions.