Text Size Default Text SizeDefault Text Size Large Text SizeLarge Text Size Largest Text SizeLargest Text Size Print Print this Page

Data Handling Standards

Classification Label Public Internal Restricted
Sensitivity Low Moderate High
Confidentiality Low Moderate High
Description All university data acceptable for public consumption. All data used for conducting university business that is not meant for distribution beyond the university. All university data is considered "Internal" until classified otherwise. All university data for which an unauthorized disclosure may result in identity theft or university liability for costs or damages, under laws, government regulations or contract.
Storage
Server  
  • University owned device
  • Not publically accessible
  • University owned device
  • Not publically accessible
Desktop Workstation, Laptop, USB drive, Handheld, etc.  
  • University owned device
Non-electronic data (paper documents, white or black boards, photographs, etc.)  
  • Secure location with appropriate physical controls
  • Data owner's approval
  • Secure location with appropriate physical controls
  • Labeled at data owner's discretion
Transmission
Campus Mail    
  • Secured and labeled at data owner's discretion
External Mail      
Fax      
Telephone (POTS)      
Other Electronic Transmission (internal and external* e-mail, file transfers, VoIP, etc.)    
  • Encryption required
Disposal
Electronic data
  • Delete
  • Delete
  • Redact
Non-electronic data
  • Recycle
  • Redact
  • Shred with cross-cut shredder
  • Redact
  • Shred with cross-cut shredder (see Virginia Administrative Code) Note: Although you may not have a cross-cut shredder, as long as the shredded records are pulped or incinerated, it meets the requirements of the regulations that social security numbers in the records be made, "...unreadable or undecipherable by any means."

*External e-mail containing Social Security Numbers (SSN) and/or Credit Card Numbers (CCN) are prohibited.

Revised and approved by CIO, May 2, 2011.
Revised and approved by CIO, September 2, 2011.

 

Data owners may impose additional security controls/protections needed for a type of data, in addition to the controls required by the classification level.