Duke Services and Data Classification

Version 1.2

Author


Duke University IT Security Office (ITSO)
Duke Health Information Security Office (ISO)
 

Authority


Duke University Chief Information Security Officer
Duke Health Chief Information Security Officer
 

Determining the Nature of the Data


Questions to Consider

• Are you storing Sensitive data elements (for example, ePHI, Social Security Numbers, DMCA, PCI DSS or FERPA data)? See the Duke Data Classification Standard for the definitions of Sensitive, Restricted, and Public data.
 

Use of Duke Services


Selecting a Duke Service Depending on Data Classification

The following chart outlines which Duke services meet the minimum security requirements for use with Sensitive, Restricted and Public data. (Staff can also use the SecureIT decision tree tool.) Duke faculty, students and staff should be aware that there may be institutional, legal, regulatory and contractual obligations that require the use of specific storage options. For example:

All users of the solutions and services that store Duke data must adhere to the following:

  • Use only for the approved intended use.
  • Store only the information you need or plan to use.
  • Provide access only to authorized or approved individuals; remove access immediately when no longer needed.
  • Do not provide public or broad access to data without institutional approval.
  • Retain data only as long as it is needed, or in accordance with Duke retention requirements.

| Service | Available to: | Data |
|---|---|---|
| Duke OIT CIFS/NFS Home Drive Service; Duke OIT & Departmental File Shares | Duke University | r, p |
| Duke University Protected Network; Duke University Protected Research Data Network | Duke University | s, r |
| Duke Compute Cluster | Duke University | s, r |
| DHTS Home Drive Service | Duke Health | s, r |
| Duke Health Network Storage | Duke Health | r, p |
| Duke Health CITRIX VDI | Duke Health | s, r |
| Duke Health Protected Analytics Compute Environment (PACE) | Duke Health | s, r |
| Duke University SharePoint; Duke Health SharePoint | Duke University, Duke Health | s, r, p |
| Duke University Tableau Instance; Duke Health Tableau Instance | Duke University, Duke Health | s, r, p |
| Duke DOCR REDCap | Duke University, Duke Health | s, r, p |
| Duke’s Wiki | Duke University, Duke Health | r, p |
| Sites @ Duke | Duke University, Duke Health | r, p |
 

Use of Cloud Services


Selecting a Cloud Service Depending on Data Classification

The following chart outlines which Duke services are appropriate for use with Sensitive, Restricted and Public data.

| Service | Available to: | Data |
|---|---|---|
| Duke's Box Service* | Duke University, Duke Health | |
| Duke's Qualtrics Service | Duke University, Duke Health | |
| Duke's Microsoft OneDrive Service* | Duke University, Duke Health | |
| Duke's Microsoft Teams* ** | Duke University, Duke Health | |
| Duke's Jabber | Duke University, Duke Health | |
| Duke's Zoom *** | Duke University, Duke Health | |
| Duke's Zoom Telehealth*** | Duke Health | |
| Duke's WebEx *** | Duke University, Duke Health | |
| Duke University Adobe Sign ****; Duke Health Adobe Sign **** | Duke University, Duke Health | |
| Cloud tenants (including Amazon Web Services, Azure, Google Cloud Platform) | Duke University, Duke Health | p |

*No ITAR or PCI related data may be stored on Box or Microsoft Office 365.  For additional details see: https://box.duke.edu/security-and-usage/
**If the Team will be used to share Sensitive Data, the Team must be set to Private not Public.
*** Duke Health may use Zoom for classes and meetings but NOT for clinical purposes to see patients or exchange Protected Health Information (PHI). Any meeting with the possibility of PHI may not be recorded. Sensitive information may be discussed during a live Zoom meeting when recording is not in use but should not be recorded, typed into a chat session or otherwise stored within Zoom. 
**** Specific guidelines exist for the use of Adobe Sign. For more see General Information and License Restrictions. Note: All Health side access for Adobe Sign must be approved and provisioned by DHTS Web Services.
 

Use of Other Cloud Services (Personal Use)


Selecting a Cloud Service Depending on Data Classification

The following chart outlines outside cloud services appropriate for personal use. In general, these services are not approved for official Duke use without consultation with the Duke security offices and/or privacy offices.

| Service | Available to: | Data |
|---|---|---|
| Apple iCloud | Personal | p |
| Personal Box Account | Personal | p |
| Personal OneDrive Account | Personal | p |
| DropBox | Personal | p |
| Google Apps (including Gmail) | Personal | p |
| Facebook (including Workplace) | Personal | p |
| Slack | Personal | p |
 
Document Type: Policy
Applicable To: Duke Health, Duke University