Data Classification & Handling

Data Classifications Sensitive and Restricted Data Security Video (Text only) Handling Requirements Administrative Data Classifications & Information Owners Data Stewards Data Roles Committee Member Login
SecurePurdue > Best Practices > Electronically Stored (Computer-based) Information
Electronically Stored (Computer-based) Information
Action Public Sensitive Restricted
      Recommendations on handling of restricted data doesn't apply to financial restricted accounts.
Storage on fixed media with access controls No encryption required No encryption required No encryption required, with the exception of credit card / bank account information. **
Storage on fixed media without access controls, but accessible via the web No encryption required Not advised. If you must store data via this media, it must be encrypted. Not allowed
Storage on fixed media without access controls, but not accessible via the web No encryption required No encryption required Not advised. If restricted data must be stored on such devices, the devices must be stored in a secured location when not in use ( EX: Store data on a removable drive and lock in desk when not in use).
Storage on removable media No encryption required No encryption required Store in secured location when not in use.
Read access to information (includes duplication) No special requirement Access is not restricted based on the field values. Access to information is based on roles defined by: Card Services, Financial, HR, Grad School, HFS , Phy Fac, SMAS, Student Services, UD & PAA Access is restricted based on field values. Access to information is based on roles defined by business areas.  Refer to links located under Sensitive
Create / Update access to information Access to information is based on roles defined by business areas.  See above. Create/update are not restricted based on field values. Access is based on roles defined by business areas. See above. Create/update are restricted based on field values. Access is based on roles defined by business areas.  See above.
Delete access to information Access to information is based on roles defined by business areas.  See above. Deletes are not restricted based on the field values. Access is based on roles defined by business areas. See above. Deletes are restricted based on field values. Access is based on roles defined by business areas.  See above.
       
** Note: It is expected that departments move toward encryption over time as new files are created or existing files modified.
Print hard copy report of information No special requirement Unattended printing permitted only if physical access controls are used to prevent unauthorized viewing. Unattended printing permitted only if physical access controls are used to prevent unauthorized viewing. Printouts are to be picked up as soon as possible.
Internal labeling of information at the application or screen/display level No special requirement No special requirement If a person has requested their directory information be restricted, that person's chosen restricted directory option must be noticeably displayed along with the information.
* Disposal of the physical electronic media device (diskettes, tapes, hard disks, etc.), where physical media is not going to be repurposed for University use. No special requirement Physical destruction beyond ability to recover. Physical destruction beyond ability to recover.
Disposal of information where physical media is going to be repurposed for University use. No special requirement Multiple pass overwrite according to University Media Disposal policy and Media Disposal Guidelines. Multiple pass overwrite according to University Media Disposal policy and Media Disposal Guidelines.
Data Stewards & Information Owner review Data Confidentiality for continued applicability Review at least annually and whenever significant changes are made to data or systems. Review at least annually and whenever significant changes are made to data or systems. Review at least annually and whenever significant changes are made to data or systems.
Auditing access activity No special requirement Log all violation attempts; Data Custodian reviews as appropriate. Log all access attempts defined in logging policy; Data Custodian to review all access violation attempts and notify Information Owner of suspicious activity.
Retention requirements for information access report logs No special requirement Retain logs for at least 12 months unless another retention period applies under applicable University policy, federal, state, or local law. Retain logs for at least 12 months unless another retention period applies under applicable University policy, federal, state, or local law.
* The use of the University "Recycle for the Future" recycling program is acceptable for disposal of all classifications of electronic media/data. Information regarding this program can be found at: www.purdue.edu/surplus.