Version 1.1
Author: Office of Information Technology (OIT)
Authority: Duke University Chief Information Officer; Duke University Chief Information Security Officer
Determining the Nature of the Data
Questions to Consider
• Are you storing Sensitive data elements (for example, ePHI, Social Security Numbers, DMCA, PCI DSS or FERPA data)? See the Duke Data Classification Standard for the definitions of Sensitive, Restricted, and Public data.
Use of Duke Services
Selecting a Duke Service Depending on Data Classification
The following chart outlines which Duke services are appropriate for use with Sensitive, Restricted and Public data:
Service | Available to: | Data |
---|---|---|
Duke OIT CIFS/NFS Home Drive Service | Duke University, Duke Health | r,p |
Duke Shared Cluster Resource (DSCR) | Duke University, Duke Health | r,p |
Duke Health FISMA Zone | Duke Health | s,r |
Duke OIT & Departmental File Shares | Duke University | r,p |
Duke’s Protected Network | Duke University, Duke Health | s,r |
Duke Health SharePoint | Duke Health | s,r,p |
Duke University SharePoint | Duke University | r,p |
Duke’s Tableau Instance | Duke University, Duke Health | s,r,p |
Duke’s Wiki | Duke University, Duke Health | r,p |
Sites @ Duke (WordPress) | Duke University, Duke Health | r,p |
Use of Cloud Services
Selecting a Cloud Service Depending on Data Classification
The following chart outlines which Duke services are appropriate for use with Sensitive, Restricted and Public data.
Note: When data is shared for collaborative purposes, you are responsible for making certain that it is shared only with persons who are authorized to have access.
Service | Available to: | Data |
---|---|---|
Duke's Box Service* | Duke University, Duke Health | |
Duke's Qualtrics Service | Duke University, Duke Health | |
Duke's Redcap Service | Duke Health | |
Duke's Microsoft Office 365 and OneDrive Service* | Duke University, Duke Health | |
Duke's Microsoft Office 365 Teams* ** | Duke University, Duke Health | |
Duke's WebEx *** | Duke University, Duke Health | |
Jabber | Duke University, Duke Health | |
Zoom *** | Duke University, Duke Health | |
Adobe Sign **** | Duke University, Duke Health | |
Amazon Web Services | Duke University, Duke Health | p |
*No ITAR or PCI related data may be stored on Box or Microsoft Office 365. For additional details see: https://box.duke.edu/security-and-usage/
**If the Team will be used to share Sensitive Data, the Team must be set to Private not Public.
*** Duke Health may use Zoom for classes and meetings but NOT for clinical purposes to see patients or exchange Protected Health Information (PHI). Any meeting with the possibility of PHI may not be recorded. Sensitive information may be discussed during a live Zoom meeting when recording is not in use but should not be recorded, typed into a chat session or otherwise stored within Zoom.
**** Specific guidelines exist for the use of Adobe Sign. For more see General Information and License Restrictions. Note: All Health side access for Adobe Sign must be approved and provisioned by DHTS Web Services.
Use of Other Cloud Services (Personal Use)
Selecting a Cloud Service Depending on Data Classification
The following chart outlines outside cloud services appropriate for personal use:
Service | Available to: | Data |
---|---|---|
Apple iCloud | Personal | p |
Personal Box Account | Personal | p |
Personal OneDrive Account | Personal | p |
DropBox | Personal | p |
Google Apps (including Gmail) | Personal | p |
Facebook (including Workplace) | Personal | p |
Slack | Personal | p |
Document Type: Policy
Applicable To: Duke Health, Duke University