Data Risk Guide to Commonly Used DIT Services


This guide aligns examples of data commonly used on campus with the appropriate popular DIT-provided services. It is not an exhaustive list of data types or services; please reach out to the Service Desk if you have any questions.

Recommended Reading:

IT Policies, Standards, and Guidelines

UMD Privacy Policy Draft 

Data Classification Standard

Glossary:

SSN - Social Security Number

PII - Personally Identifiable Information

PHI - Protected Health Information

HIPAA - Health Insurance Portability and Accountability Act

CUI - Controlled Unclassified Information

EAR - Export Administration Regulations

ITAR - International Traffic in Arms Regulations

PCI - Payment Card Industry Data Security Standard


‘Everyday’ Tasks that involve Moderate and Low risk data:

These services may be used for everyday tasks involving non-PII personnel records, non-PII student records (including grades), and certain approved non-HIPAA PHI. They should not be used for SSNs, PHI as defined by HIPAA, or other high risk PII.

High Risk Data:

The following services may be used for cases that involve high risk PII (such as SSNs, driver's license numbers, and most non-HIPAA PHI) and other sensitive information. If storing datasets (a file containing records about multiple individuals), limit each dataset to no more than 250 records.

Restricted Data: 

Access to some data is strictly controlled and restricted by laws, regulations, or contracts. Only approved systems should be used for storing these data.  

PCI - solutions approved by the campus PCI Governance group

HIPAA - UMD is a hybrid entity and HIPAA use cases are extremely isolated (UHC and HESP); PHI (as defined by HIPAA) should only ever exist in approved covered component information systems. There may be limited exceptions for SecureShare when communications need to be made outside of the covered component system. 

EAR/ITAR - CUI Environment

CUI - CUI Environment