Version 1.2
Author
Duke University IT Security Office (ITSO)
Duke Health Information Security Office (ISO)
Authority
Duke University Chief Information Security Officer
Duke Health Chief Information Security Officer
Determining the Nature of the Data
Questions to Consider
• Are you storing Sensitive data elements (for example, ePHI, Social Security Numbers, DMCA, PCI DSS or FERPA data)? See the Duke Data Classification Standard for the definitions of Sensitive, Restricted, and Public data.
Use of Duke Services
Selecting a Duke Service Depending on Data Classification
The following chart outlines which Duke services meet the minimum security requirements for use with Sensitive, Restricted and Public data. (Staff can also use the SecureIT decision tree tool.) Duke faculty, students and staff should be aware that there may be institutional, legal, regulatory and contractual obligations that require the use of specific storage options. For example:
- ITAR and PCI-related data always require Security Office consultation before use.
- FERPA: Consult with the Registrar’s Office.
- FISMA and Veterans Administration: PACE is required storage. REDCap is not allowed.
- Social Security Numbers: Collection requires an institutional exception.
- GDPR: Consult with the Privacy Office for allowable options.
- Duke Health non-consented clinical research data: PACE is required storage.
All users of the solutions and services that store Duke data must adhere to the following:
- Use only for the approved intended use.
- Store only the information you need or plan to use.
- Provide access only to authorized or approved individuals; remove access immediately when no longer need.
- Do not provide public or broad access to data without institutional approval
- Retain data only as long as it is needed, or in accordance with Duke retention requirements.
| Service |
|
Data
|
|---|---|---|
|
Duke OIT CIFS/NFS Home Drive Service
Duke OIT & Departmental File Shares |
Duke University
|
r,p
|
|
Duke University Protected Network
Duke University Protected Research Data Network (PRDN) |
Duke University
|
s,r
|
|
Duke Compute Cluster
|
Duke University
|
s,r
|
|
DHTS Home Drive Service
|
Duke Health
|
s,r
|
|
Duke Health Network Storage
|
Duke Health
|
r,p
|
|
Duke Health CITRIX VDI
|
Duke Health
|
s,r
|
|
Duke Health Protected Analytics Compute Environment (PACE)
|
Duke Health
|
s,r
|
|
Duke University SharePoint
Duke Health SharePoint
|
Duke University
Duke Health
|
s,r,p
|
|
Duke University Tableau Instance
Duke Health Tableau Instance |
Duke University
Duke Health
|
s,r,p
|
|
Duke DOCR REDCap
|
Duke University
Duke Health
|
s,r,p
|
|
Duke’s Wiki
|
Duke University
Duke Health
|
r,p
|
|
Sites @ Duke
|
Duke University
Duke Health
|
r,p
|
Use of Cloud Services
Selecting a Cloud Service Depending on Data Classification
The following chart outlines which Duke services are appropriate for use with Sensitive, Restricted and Public data.
|
Service
|
Available to:
|
Data
|
|---|---|---|
|
Duke's Box Service*
|
Duke University
Duke Health
|
|
|
Duke's Qualtrics Service
|
Duke University
Duke Health
|
|
|
Duke's Microsoft OneDrive Service*
|
Duke University
Duke Health
|
|
| Duke's Microsoft Teams* ** |
Duke University
Duke Health
|
|
|
Duke's Jabber
|
Duke University
Duke Health
|
|
|
Duke's Zoom ***
|
Duke University
Duke Health
|
|
|
Duke's Zoom Telehealth***
|
Duke Health
|
|
|
Duke's WebEx ***
|
Duke University
Duke Health
|
|
|
Duke University Adobe Sign **** |
Duke University
Duke Health |
|
|
Cloud tenants (including Amazon Web Services, Azure, Google Cloud Platform)
|
Duke University
Duke Health
|
p
|
*No ITAR or PCI related data may be stored on Box or Microsoft Office 365. For additional details see: https://box.duke.edu/security-and-usage/
**If the Team will be used to share Sensitive Data, the Team must be set to Private not Public.
*** For Duke Health, only Duke Zoom Telehealth may be used for clinical purposes to see patients or exchange Protected Health Information (PHI). Duke Zoom (non-Telehealth) and Duke's WebEx may be used for classes and meetings. Any meeting with the possibility of PHI may not be recorded. Sensitive information may be discussed during a live Zoom meeting when recording is not in use but should not be recorded, typed into a chat session or otherwise stored within Zoom.
**** Specific guidelines exist for the use of Adobe Sign. For more see General Information and License Restrictions. Note: All Health side access for Adobe Sign must be approved and provisioned by DHTS Web Services.
Use of Other Cloud Services (Personal Use)
Selecting a Cloud Service Depending on Data Classification
The following chart outlines outside cloud services appropriate for personal use. in general, these services are not approved for official Duke use without consultation with the Duke security offices and/or privacy offices.
|
Service
|
Available to:
|
Data
|
|---|---|---|
|
Apple iCloud
|
Personal
|
p
|
|
Personal Box Account
|
Personal
|
p
|
|
Personal OneDrive Account
|
Personal
|
p
|
|
DropBox
|
Personal
|
p
|
|
Google Apps (including Gmail)
|
Personal
|
p
|
|
Facebook (including Workplace)
|
Personal
|
p
|
| Slack | Personal | p |
Document Type:
Policy
Applicable To:
Duke Health
Duke University