Data should always be stored and maintained in the source system (system of record). For example, employee data should be stored and maintained in Workday, and student data should be stored and maintained in the Student Information System. If data is removed from the source system, the removal should be temporary, and the copy should be securely deleted, de-identified, or removed when it is no longer actively being used. Regardless of where the data is collected, processed, stored, or transmitted, it must always be handled in accordance with the Suffolk University Written Information Security Program (WISP) so as to maintain the confidentiality, integrity, and availability of the data, following current data security and data privacy protection standards.

Information in the matrix below applies only to Suffolk University enterprise versions of the services. Suffolk University data MUST NEVER be stored in a consumer personal account or non-Suffolk authorized resource (e.g., Dropbox, personal OneDrive, Google Drive).

The WISP Data Classification standard provides three levels of data classification regarding the level of security placed on particular types of information assets. 

The list below is not exhaustive and should only be used as a reference for purposes of data protection. Data protection is the implementation of administrative, technical, or physical measures to guard against unauthorized access to data. 

Confidential (Strict, Protected Level 1 – PL-1) 

  • Personally Identifiable Information (PII): Name with SSN, Passport, Visa, Government ID, etc.
  • Gramm-Leach-Bliley Act (GLBA): Name with Financial Information, Bank Accounts, Tax Returns, etc. 
  • Payment Card Industry Data Security Standard (PCI-DSS): Payment card information, Credit Card Numbers, Bank Account, and Routing Numbers. 
  • Law Enforcement Records: Name with Driver’s License, Criminal Background. 
  • HIPAA: ePHI, Personal Health Records, Health Insurance Data.
  • Campus Access Credentials: Passwords or credentials that grant access to Confidential or Internal Use data. 

Confidential (Sensitive, Protected Level 2 – PL-2) 

  • FERPA: Student Information: educational records not defined as "directory" information, typically: Grades, Courses taken, Schedule, Test Scores, Advising records, Educational services received, Disciplinary actions, Student photo.
  • Campus Attorney-client communication.

Internal (Protected Level 3 - PL-3) 

  • Campus Financials. 
  • Employee Information: Name with: Home Address, Home Phone, Personal Email, Marital Status, Gender, Evaluation, Personnel Actions. 

Public (Protected Level 4 - PL-4) 

  • Publicly available information (publications, web): information which may be designated as publicly available and/or is intended to be provided to the public.

Sensitive Data Storage Matrix 

How to interpret the Matrix 

Use Permitted: There are no technical, policy, or contractual issues that prohibit the storing and sharing of this data type with appropriate intended users using this service. If you have questions about who you can share data with, contact the data owner.

Use Restricted: Use of this service with the regulated data type is restricted; special approval and additional controls are needed. Please contact the Service Desk at servicedesk@suffolk.edu for more information.

Use Prohibited: Use of this service with the regulated data type is prohibited. Do not use this service to send, store, or share the regulated data type.


Listed below are the only Suffolk University IT tools and services approved to store or share Suffolk Protected Data.

| Storage Location | Description | Protected level 1 (PL-1) | Protected level 2 (PL-2) | Protected level 3 (PL-3) | Protected level 4 (PL-4) |
|---|---|---|---|---|---|
| OneDrive for Business | An enterprise service that allows students, faculty, and staff to store, share, and edit files within online Office apps as part of Suffolk University Microsoft Office 365. | Use Prohibited | Use Restricted. Must be set to Private. | Use Permitted | Use Permitted |
| SharePoint / Teams | An online collaboration space that is part of Suffolk University Office 365. | Use Prohibited | Use Permitted**. Must be set to Private. | Use Permitted | Use Permitted |
| IT Network File Shares | Network drives that are only accessible on the Suffolk University network and managed by Suffolk University ITS. | Use Permitted** | Use Permitted | Use Permitted | Use Permitted |
| University-owned devices | Local workstation or laptop managed by Suffolk University ITS. | Use Prohibited | Use Restricted**. Must be encrypted; Suffolk encrypts all University-owned laptops. | Use Permitted. Must be encrypted; Suffolk encrypts all University-owned laptops. | Use Permitted |
| Non-University-owned devices | Personal computers or devices not owned or managed by Suffolk University. | Use Prohibited | Use Prohibited | Use Prohibited | Use Permitted |
| Portable Storage | Thumb drives, portable hard drives, or any other portable device that is capable of storing files. | Use Prohibited*** | Use Prohibited*** | Use Restricted. Must be provided by Suffolk University ITS or owned by the Suffolk employee; the device must be encrypted. | Use Permitted |

** With the review and approval of the Information Security Office. Please contact the Service Desk at servicedesk@suffolk.edu for more information.

*** Exceptions must have a legitimate business requirement, must be reviewed and approved by the Information Security Office, must use the latest accepted approved encryption, and must be on a Suffolk University-owned device.


Document Storage Supplemental Guidance

Suffolk provides a variety of data storage locations for University Data, including data that is work in progress and used for collaboration. Sensitive data such as FERPA data should only be stored in, and remain in, the system of record for that data (such as student data in Colleague). Any copies of the official record data, or remnants of copies made outside the system of record for that data, should be removed and not retained. All University Data must be retained in compliance with the University Records Retention Schedule.


| Storage | Location | Best used for |
|---|---|---|
| Laptop | Local C:\ (Mac: Home folder) | Temporary storage. Documents you do not care if they get deleted or backed up. |
| Campus Network: Home Network Drive/Folder | Usually H: or U: | Users' own work documents. Backed up every night. Documents recoverable for 120 days after deletion. |
| Campus Network: Dept Network Drive | G:\\sufs1\depthome\ITS | Documents for all departments or designated users to access. Backed up every night. Documents recoverable for 120 days after deletion. |
| Suffolk University Microsoft Office 365 | O365.Suffolk.edu | Users' own work documents and/or documents shared with smaller groups. Draft documents the user is still working on. Documents in OneDrive are recoverable for 30 days after deletion. |
| Suffolk University Microsoft Office 365 Teams | Teams; saved in a channel that all members of the Team have access to | When collaborating on documents or needing others to have access. Documents in Teams are recoverable for 30 days after deletion. |


Document Storage and Management Tips

  • Be familiar with the University’s document retention schedule
    Knowing how long certain documents must be kept will help keep your department in compliance.
  • Know how to handle the data you access.
    • Remember to always keep sensitive data stored in the Source System.
    • Working copies should be removed when done.
    • If in doubt, ask your supervisor or contact the Service Desk at servicedesk@suffolk.edu.
  • All documents need to be organized in order to be useful.
    • Browsing through your folders and finding files should be intuitive.
    • Use folders and subfolders to keep your files organized in a logical way. The benefits include: easier file retrieval, greater efficiency, improved business continuity, and a potential need for less storage space through routine purging of non-essential records.
    • The best folder structure may be one that mimics the way your department functions.
    • A standard hierarchy of folders and subfolders can look like this:
      • Department Name
        • Sub-Department Name (if necessary)
          • Shared Content
            • Spreadsheets
            • Word Documents
            • Databases
          • Projects
            • Project A
            • Project B
          • Historical
            • FY2019
            • FY2020
    • If you find a hierarchy that works well for your department, use it as a template anytime you start a new project or task.
  • Be purposeful when naming your files.
    • Use words that are indicative of what is in the file. Consider what words you may use in the future to search for this file and put those words in the name.
    • Files should be named consistently.
    • Use short but descriptive file names.
    • Use capitals and underscores instead of periods, spaces, or slashes.
    • Avoid special characters.
    • Use a consistent date format. YYYYMMDD is often best as your files will automatically be organized chronologically.
    • If you are naming files that go in order, use a leading zero (01, 02 rather than 1, 2) to ensure that your files stay in order.
    • Keep track of file versions by adding a version number at the end of the file name.
    • For the final version, substitute the word FINAL for the version number. This is especially important if files are being shared.
  • Regular maintenance is necessary to keep folders and files organized and useful.
    • Create archive folders to store old versions of important files.
    • Routinely remove files that are no longer useful and are not required for retention. If you are not sure if a file must be retained, do not delete it.
    • Document your folder and file conventions and share with colleagues to ensure consistency across your department.
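The file-naming rules above (underscores instead of spaces, periods or slashes; no special characters; YYYYMMDD dates; zero-padded sequence numbers; a version number or FINAL at the end) can be enforced before a file is saved to a department share. The following is an added example, not code from Suffolk University ITS: `check_filename` reports every rule a name breaks, and `build_filename` composes a compliant name from free-text words and a date. The `_v01`/`_FINAL` suffix form and the sample file names are this example's own assumptions.

```python
"""Check and build file names against the department naming conventions above."""
import re
from datetime import date

# Separators the conventions tell us to avoid in favour of underscores.
BAD_SEPARATORS = set(" ./\\")
# Version suffix: "_v01", "_v02", ... or "_FINAL" at the end of the stem.
# (The two-digit "vNN" form is this example's assumption, not the page's.)
VERSION_RE = re.compile(r"_(v\d{2,}|FINAL)$")
# Any run of exactly eight digits is treated as a candidate YYYYMMDD date.
EIGHT_DIGITS = re.compile(r"(?<!\d)\d{8}(?!\d)")
# A sequence number that is a single digit standing alone between underscores.
SINGLE_DIGIT_TOKEN = re.compile(r"(?:^|_)\d(?=_|$)")


def split_name(filename: str) -> tuple[str, str]:
    """Split 'Report_v01.docx' into ('Report_v01', 'docx'); no extension -> ''."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem:
        return filename, ""
    return stem, ext


def check_filename(filename: str) -> list[str]:
    """Return the list of convention violations (empty when the name is compliant)."""
    problems = []
    stem, _ext = split_name(filename)

    # Only ASCII letters, digits and underscores are allowed in the stem.
    bad = {ch for ch in stem if not (ch.isascii() and (ch.isalnum() or ch == "_"))}
    if bad & BAD_SEPARATORS:
        problems.append("uses spaces, periods or slashes; use capitals and underscores")
    if bad - BAD_SEPARATORS:
        problems.append("contains special characters: " + "".join(sorted(bad - BAD_SEPARATORS)))

    # Eight-digit runs must be real YYYYMMDD dates (catches 03122024-style ordering).
    for run in EIGHT_DIGITS.findall(stem):
        try:
            date(int(run[:4]), int(run[4:6]), int(run[6:]))
        except ValueError:
            problems.append(f"{run} is not a valid YYYYMMDD date")

    # Ordered files need a leading zero so 01..09 sort before 10.
    if SINGLE_DIGIT_TOKEN.search(stem):
        problems.append("single-digit sequence number; use a leading zero (01, 02, ...)")

    if not VERSION_RE.search(stem):
        problems.append("missing version suffix (_v01, _v02, ...) or _FINAL")
    return problems


def build_filename(words, when: date, extension: str,
                   version: int = 1, final: bool = False) -> str:
    """Compose a compliant name such as Budget_Report_20240312_v02.xlsx."""
    tokens = []
    for word in words:
        # Replace every disallowed character with an underscore, then capitalise parts.
        cleaned = re.sub(r"[^A-Za-z0-9]+", "_", word).strip("_")
        tokens.extend(p[:1].upper() + p[1:] for p in cleaned.split("_") if p)
    tokens.append(when.strftime("%Y%m%d"))
    tokens.append("FINAL" if final else f"v{version:02d}")
    return "_".join(tokens) + "." + extension.lstrip(".")


if __name__ == "__main__":
    # Constructed sample names, not taken from any Suffolk share.
    samples = (
        "budget report 3.12.24 final.xlsx",
        "Report_03122024_v01.docx",
        "Report_1_v01.docx",
        build_filename(["budget report", "Q3"], date(2024, 3, 12), "xlsx", version=2),
    )
    for name in samples:
        print(name, "->", check_filename(name) or "OK")
```

The date check deliberately treats any eight-digit run as a date, so a US-ordered `03122024` is rejected as an impossible month rather than silently accepted; if a department uses eight-digit reference numbers in file names, that rule would need a narrower pattern.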


rev1.4

03/12/2024 ITS Information Security Officer
