Excerpt |
---|
A listing of most of our data processing services and our recommended security position regarding various levels of data restrictions. This information was largely gathered (with permission) from Michigan State University and tailored to UWF's security posture. |
Legend | |
✅ | Allowed |
⚠️ | Depends, see Description of Compliance information. |
🚫 | Not allowed |
Print using the Print Dialog method in order to include the symbols. Export to PDF does not map the symbols correctly.
Service | Description of Service | Description of Compliance | |||||||
---|---|---|---|---|---|---|---|---|---|
ArgoApps | ArgoApps uses a more modern ‘remote access’ technology to deliver programs to end-devices which resemble programs running natively on client’s devices yet are actually running on our on-premises servers. These applications are delivered in two different yet secure and encrypted (in transit) manners. Via the locally installed “Citrix Client” software or via HTML5 (for devices which can run modern browsers). | The storage of the data being processed by the software delivered via ArgoApps will be the defining factor on Data Restrictions.
| Use restrictions for “Argofiler” OR Use restrictions for “Personally owned devices (phone, tablet, laptop, etc.)” OR G Drive as merited by the option selected and described under “Description of Compliance”. | ||||||
Argofiler | Argofiler is a shared service provides storage solutions to UWF students, faculty and staff. It is intended to provide cost-effective, easy-to-use storage for administrative and research data. Argofiler is available using the Common Internet File System (CIFS) protocol. Argofiler with CIFS enables UWF system administrators to manage storage provisioning and access for their departments. | Argofiler provides a secure environment to store most types of sensitive data. However, you still must exercise caution when storing sensitive data in Argofiler which is not encrypted by default. Data is backed up for disaster recovery. Social Security numbers (SSNs) should only be used where required by law or where they are essential for university business processes. If you must use SSNs, it is preferred that you use institutional resources designed to house this data, such as the Data Warehouse. ITS Help Desk can help you explore appropriate storage locations or work with you to appropriately encrypt the data if those alternatives will not work for you. (Contact the ITS Help Desk.) | ✅ Attorney/Client Privileged Information ✅ Export Controlled Research (ITAR, EAR) ✅ IT Security Information ✅ Other Sensitive Institutional Data ✅ Personally Identifiable Information (PII) ✅ Protected Health Information (HIPAA) ✅ Sensitive Identifiable Human Subject Research ✅ Student Education Records (FERPA) ✅ Student Loan Application Information (GLBA) ⚠️ Social Security Numbers 🚫 Credit Card or Payment Card Industry (PCI) Information 🚫 Federal Information Security Management Act (FISMA) Data | ||||||
Banner and ODS | The UWF Banner Enterprise Resource Program (ERP) and Operational Data Store supports reporting activity for university business. The data is organized in sets based on subject areas (for example, Payroll, Student Records, Financials). It is a university service, and only authorized university employees have access to it. | Banner and ODS may be used for
It may not be used for
| ✅ Attorney/Client Privileged Information ✅ Export Controlled Research (ITAR, EAR) ✅ IT Security Information ✅ Other Sensitive Institutional Data ✅ Personally Identifiable Information (PII) 🚫 Protected Health Information (HIPAA) ✅ Sensitive Identifiable Human Subject Research ✅ Student Education Records (FERPA) ✅ Student Loan Application Information (GLBA) ✅ Social Security Numbers 🚫 Credit Card or Payment Card Industry (PCI) Information 🚫 Federal Information Security Management Act (FISMA) Data | ||||||
Canvas | Canvas is a cloud-based Learning Management System (LMS) developed by Instructure, Inc. Canvas provides a set of tools for teaching and learning allowing faculty to manage instructional workflows, communicate class requirements, share documents, manage assignments, assess student performance, distribute grades, support course collaboration and discussions. Canvas also offers the ability to integrate with many external tools. Canvas courses are linked to official UWF course rosters so course site access is automatically managed based on course enrollment. | Canvas is a university contracted-for service covered by the university’s agreement with Unizin. Canvas provides a secure environment in which to maintain or share share the university's sensitive unregulated data, as well as some—but not all—types of sensitive regulated data. All Canvas user data is stored in Amazon Web Services (AWS) data centers. While Canvas is secure, it does not comply with some specific regulatory and UWF policy requirements for certain types of protected regulated data. Data types that may not be maintained, shared, or processed in Canvas are:
| ✅ Attorney/Client Privileged Information 🚫 Export Controlled Research (ITAR, EAR) ✅ IT Security Information ✅ Other Sensitive Institutional Data ✅ Personally Identifiable Information (PII) 🚫 Protected Health Information (HIPAA) ✅ Sensitive Identifiable Human Subject Research ✅ Student Education Records (FERPA) 🚫 Student Loan Application Information (GLBA) ⚠️ Social Security Numbers 🚫 Credit Card or Payment Card Industry (PCI) Information 🚫 Federal Information Security Management Act (FISMA) Data | ||||||
Cloud Storage included with some Software | You or your unit may purchase software licenses or subscriptions for your university work that include cloud-based storage. In most cases, this software is installed on your university-owned computer. For example, some areas make Adobe Creative Cloud software available to UWF units at a discount, and the software subscription includes access to Adobe's cloud-based storage. | Cloud-based storage that is provided as part of a user license or subscription (that is, storage that is tied to a named individual or group account) should not be used to maintain or share the university's sensitive data. Those who use cloud storage associated with a software license or subscription for university work are responsible for ensuring that sensitive university information is not placed or stored there. Important Password Tip: If you are asked to select a user ID and password for access to a software license or subscription and any associated cloud storage, do not use your ArgoNet password. Your ArgoNet password should be used only with services provided through the University of West Florida. | 🚫 Attorney/Client Privileged Information 🚫 Export Controlled Research (ITAR, EAR) 🚫 IT Security Information 🚫 Other Sensitive Institutional Data 🚫 Personally Identifiable Information (PII) 🚫 Protected Health Information (HIPAA) 🚫 Sensitive Identifiable Human Subject Research 🚫 Student Education Records (FERPA) 🚫 Student Loan Application Information (GLBA) 🚫 Social Security Numbers 🚫 Credit Card or Payment Card Industry (PCI) Information 🚫 Federal Information Security Management Act (FISMA) Data | ||||||
Docusign | The University has an enterprise license for Docusign. Docusign is the leading e-signature provider and this solution is used across campus for many workflows and processes. In order to be able to "create" documents a Docusign "Sender" certification is required (this can be accessed in SCOOP). The university currently has a license that has a set number of envelopes. However, if that threshold is reached, the overage will be addressed in the renewal the next year. So, in theory, our licensing is "unlimited". |
| ✅ Attorney/Client Privileged Information 🚫 Export Controlled Research (ITAR, EAR) ✅ IT Security Information ✅ Other Sensitive Institutional Data ✅ Personally Identifiable Information (PII) ✅ Protected Health Information (HIPAA) ✅ Sensitive Identifiable Human Subject Research ✅ Student Education Records (FERPA) ✅ Student Loan Application Information (GLBA) ✅ Social Security Numbers ⚠️ Credit Card or Payment Card Industry (PCI) Information 🚫 Federal Information Security Management Act (FISMA) Data | ||||||
Dynamic Forms | Dynamic Forms provides a simple way for users to build Internet-based, sophisticated, interactive forms. Key features of this software includes electronic signatures, single sign-on, data exchange between Dynamic Forms and other software (such as Banner), and a user portal (for users to review pending and previously completed forms. |
| ✅ Attorney/Client Privileged Information 🚫 Export Controlled Research (ITAR, EAR) ✅ IT Security Information ✅ Other Sensitive Institutional Data ✅ Personally Identifiable Information (PII) ✅ Protected Health Information (HIPAA) ✅ Sensitive Identifiable Human Subject Research ✅ Student Education Records (FERPA) ✅ Student Loan Application Information (GLBA) ✅ Social Security Numbers ⚠️ Credit Card or Payment Card Industry (PCI) Information 🚫 Federal Information Security Management Act (FISMA) Data | ||||||
Google “Additional Services” not covered under the TOS | The Google Additional Services (Non-Core) are those outside the Google at UWF Core Services. The Non-Core services are not covered by the university's Google Suite for Education agreement with Google. The Non-Core services include Blogger and YouTube, among many others. Google extensions and add-ons are also Non-Core. Any Google service not specifically identified in the Google at UWF List of Services as a Core service is considered Non-Core. Need to add Hangouts and Keep to Core Services* | Google Additional (Non-Core) Services may not be used to share or maintain any of the university’s sensitive data because these services are not covered by the university’s Google Suite for Education agreement. When members of the university community use one of these services for the first time, they are required to agree to the Google standard terms of service and privacy policy in order to use the service. | 🚫 Attorney/Client Privileged Information 🚫 Export Controlled Research (ITAR, EAR) 🚫 IT Security Information 🚫 Other Sensitive Institutional Data 🚫 Personally Identifiable Information (PII) 🚫 Protected Health Information (HIPAA) 🚫 Sensitive Identifiable Human Subject Research 🚫 Student Education Records (FERPA) 🚫 Student Loan Application Information (GLBA) 🚫 Social Security Numbers 🚫 Credit Card or Payment Card Industry (PCI) Information 🚫 Federal Information Security Management Act (FISMA) Data | ||||||
Google Drive or “G” Drive | Google Drive at UWF is a Core Service within the Google Suite for Education software available to eligible members of the university community. Drive is a document creation and collaboration application. It includes Google Documents, Presentations, Spreadsheets, Forms, and Drawings. | Google Drive at UWF is a university contracted-for service. It is covered by the university’s Google Suite for Education agreement. It provides a secure environment within which to maintain or share the university's sensitive unregulated data, as well as some—but not all—types of sensitive regulated data. Any restrictions on placing some types of sensitive regulated data in Google Drive are based on compliance rather than security. While Google Drive at UWF is secure, it does not comply with some specific regulatory and UWF policy requirements for certain types of sensitive regulated data. Among the types of data that may not be maintained, shared, or processed in Google Drive at UWF are:
| ✅ Attorney/Client Privileged Information 🚫 Export Controlled Research (ITAR, EAR) ✅ IT Security Information ✅ Other Sensitive Institutional Data ✅ Personally Identifiable Information (PII) 🚫 Protected Health Information (HIPAA) ✅ Sensitive Identifiable Human Subject Research ✅ Student Education Records (FERPA) 🚫 Student Loan Application Information (GLBA) 🚫 Social Security Numbers 🚫 Credit Card or Payment Card Industry (PCI) Information 🚫 Federal Information Security Management Act (FISMA) Data | ||||||
Gmail and Calendar | Google Mail and Calendar at UWF, as well as Inbox by GMail, are Core Services within the Google Suite for Education software provided to eligible members of the university community. | As Core Services, Google Mail and Calendar at UWF, as well as Inbox by GMail, are covered by the university’s Google Suite for Education agreement. These services provide secure environments for maintaining or sharing the university's sensitive unregulated data, as well as some kinds of sensitive regulated data. Social Security numbers should generally not be sent through email. Social Security numbers should only be used where required by law or where they are essential for university business processes. If you must use SSNs, it is preferred that you use institutional resources designed to house this data, such as Banner. The ITS Help Desk can help you explore appropriate storage locations or work with you to appropriately encrypt the data if those alternatives will not work for you. Google Mail and Calendar at UWF, as well as Inbox by GMail, may not be used for
These data restrictions are compliance-based, not security-based. Regulatory requirements mandate that specific sensitive regulated data be restricted from this service, even though the service is secure. It may not be used for Protected Health Information because Google has not signed the necessary Business Associate Agreement mandated by HIPAA. Google may not be used for Export Controlled Research data because Google cannot ensure that only U.S. persons have access to or maintain its systems. | ✅ Attorney/Client Privileged Information 🚫 Export Controlled Research (ITAR, EAR) ✅ IT Security Information ✅ Other Sensitive Institutional Data ✅ Personally Identifiable Information (PII) 🚫 Protected Health Information (HIPAA) 🚫 Sensitive Identifiable Human Subject Research ✅ Student Education Records (FERPA) 🚫 Student Loan Application Information (GLBA) ⚠️ Social Security Numbers 🚫 Credit Card or Payment Card Industry (PCI) Information 🚫 Federal Information Security Management Act (FISMA) Data | ||||||
Google Sites, Talk/Hangouts, Keep, Groups | These are all Google at UWF Core Services that are provided to eligible members of the university community.
| These are Google Core Services covered by the university’s Google Suite for Education agreement. In general, they may not be used for sensitive regulated data. The exception to this is Student Educational Records (regulated by FERPA), which is permitted. Careful use of this data, in accordance with university policies and FERPA regulations, allows these Google services to be used by the students in, and instructors for, a class. | ✅ Attorney/Client Privileged Information 🚫 Export Controlled Research (ITAR, EAR) ✅ IT Security Information ✅ Other Sensitive Institutional Data ✅ Personally Identifiable Information (PII) 🚫 Protected Health Information (HIPAA) 🚫 Sensitive Identifiable Human Subject Research ✅ Student Education Records (FERPA) 🚫 Student Loan Application Information (GLBA) 🚫 Social Security Numbers 🚫 Credit Card or Payment Card Industry (PCI) Information 🚫 Federal Information Security Management Act (FISMA) Data | ||||||
Document imaging and Scanning | Imaging Services provides a scanning application that enables the user to efficiently capture and organize images of paper documents or born-digital documents, retrieve those documents, and instantly access them using a web or client interface. Users may choose to leverage the central scanning service or set up unit-level self-scanning implementation. | ITS Imaging Services provides a secure environment for many types of the university’s sensitive institutional data. Note: Social Security numbers should only be used where required by law or where they are essential for university business processes. | ✅ Attorney/Client Privileged Information ✅ Export Controlled Research (ITAR, EAR) ✅ IT Security Information ✅ Other Sensitive Institutional Data ✅ Personally Identifiable Information (PII) 🚫 Protected Health Information (HIPAA) ✅ Sensitive Identifiable Human Subject Research ✅ Student Education Records (FERPA) ✅ Student Loan Application Information (GLBA) ✅ Social Security Numbers 🚫 Credit Card or Payment Card Industry (PCI) Information 🚫 Federal Information Security Management Act (FISMA) Data | ||||||
Personal Accounts (Dropbox, OneDrive, iCloud, etc.) | Any personal account for an online service. This includes any IT service you have set up an account for that is not maintained by any UWF IT support group. Examples include many cloud-based storage services, including Dropbox, Evernote, iCloud, OneDrive (included in Microsoft Office 365 only allowed to Innovation Institute and FLVC), SugarSync, and so on. This also includes personal Google and other accounts—accounts outside the UWF domains that are not provided by the university. | Personally maintained services are those provided outside of the university that you sign up for or subscribe to on your own. They should never be used to maintain or share the university's sensitive data. External service providers, including cloud services, should not be used for university information that is private, personal, or sensitive, unless there is a contractual agreement between UWF and the service provider that protects the confidentiality of the information and data. Staff that use cloud computing services for university work are responsible for ensuring that sensitive information is not placed or stored in the cloud. Important Password Tip: When you create an account for a non-university service, do not use your ArgoNet password. Your ArgoNet password should be used only with services provided through the University of West Florida. | 🚫 Attorney/Client Privileged Information 🚫 Export Controlled Research (ITAR, EAR) 🚫 IT Security Information 🚫 Other Sensitive Institutional Data 🚫 Personally Identifiable Information (PII) 🚫 Protected Health Information (HIPAA) 🚫 Sensitive Identifiable Human Subject Research 🚫 Student Education Records (FERPA) 🚫 Student Loan Application Information (GLBA) 🚫 Social Security Numbers 🚫 Credit Card or Payment Card Industry (PCI) Information 🚫 Federal Information Security Management Act (FISMA) Data | ||||||
Personally owned devices (phone, tablet, laptop, etc.) | Any mobile phone, tablet, laptop, or other computing device that is personally owned, including devices subsidized by the university. | UWF recognizes that those who do work on its behalf may need to access or maintain sensitive university data on their own devices. <Need University Policy/Guidelines Here> guides this use. Departments and units have discretion to prohibit this use or impose additional requirements beyond those outlined in the policy.
| ✅ Attorney/Client Privileged Information 🚫 Export Controlled Research (ITAR, EAR) ✅ IT Security Information ✅ Other Sensitive Institutional Data ✅ Personally Identifiable Information (PII) ✅ Protected Health Information (HIPAA) ✅ Sensitive Identifiable Human Subject Research ✅ Student Education Records (FERPA) ✅ Student Loan Application Information (GLBA) ⚠️ Social Security Numbers 🚫 Credit Card or Payment Card Industry (PCI) Information 🚫 Federal Information Security Management Act (FISMA) Data | ||||||
Qualtrics | Qualtrics Research Suite is a generalized survey service permitting the creation and distribution of surveys, as well as data storage and analysis. Use of the service is free to all University of West Florida units. | Qualtrics is a secure UWF contracted-for cloud service that can be used to maintain or share the university's sensitive unregulated data, as well as some kinds of sensitive regulated data. Social Security numbers should only be used where required by law or where they are essential for university business processes. If you must use SSNs, it is preferred that you use institutional resources designed to house this data, such as Banner. The ITS Help Desk can help you explore appropriate storage locations or work with you to appropriately encrypt the data if those alternatives will not work for you. Qualtrics should not be used to maintain or share Export Controlled Research. This is because Qualtrics cannot ensure that only U.S. persons have access to or maintain its systems. | ✅ Attorney/Client Privileged Information 🚫 Export Controlled Research (ITAR, EAR) ✅ IT Security Information ✅ Other Sensitive Institutional Data ✅ Personally Identifiable Information (PII) 🚫 Protected Health Information (HIPAA) ✅ Sensitive Identifiable Human Subject Research ✅ Student Education Records (FERPA) ✅ Student Loan Application Information (GLBA) ⚠️ Social Security Numbers 🚫 Credit Card or Payment Card Industry (PCI) Information 🚫 Federal Information Security Management Act (FISMA) Data | ||||||
UWF Hosted Server | Hosted Servers use a virtual server environment managed by ITS. Generally and with agreement with ITS via an MOU you are the system administrator and install all software. On certain occasions your agreement with ITS allows for a Managed Server, which allows you to focus on managing applications instead of the operating system. Both options free you from managing physical servers and offer flexibility to select the right options for your campus computing needs. | Hosted servers are an ITS service maintained on the UWF Main Campus. Social Security numbers should only be used where required by law or where they are essential for university business processes. If you must use SSNs, it is preferred that you use institutional resources designed to house this data, such as Banner. The ITS Help Desk can help you explore appropriate storage locations or work with you to appropriately encrypt the data if those alternatives will not work for you. | ✅ Attorney/Client Privileged Information ✅ Export Controlled Research (ITAR, EAR) ✅ IT Security Information ✅ Other Sensitive Institutional Data ✅ Personally Identifiable Information (PII) 🚫 Protected Health Information (HIPAA) ✅ Sensitive Identifiable Human Subject Research ✅ Student Education Records (FERPA) ✅ Student Loan Application Information (GLBA) ⚠️ Social Security Numbers 🚫 Credit Card or Payment Card Industry (PCI) Information 🚫 Federal Information Security Management Act (FISMA) Data | ||||||
UWF Hosted Database (DBCENTRAL) | DBCENTRAL is a virtual server cluster combined with a managed database. It is provided by ITS. ITS will monitor, patch, and back up your database, so you can focus on managing your data and applications. You can greatly reduce effort and costs because you do not need to buy and manage your own hardware or software. You also have the flexibility to select the right options for your campus computing needs. | DBCENTRAL is a UWF service maintained on the UWF Main Campus. Social Security numbers should only be used where required by law or where they are essential for university business processes. If you must use SSNs, it is preferred that you use institutional resources designed to house this data, such as Banner. The ITS Help Desk can help you explore appropriate storage locations or work with you to appropriately encrypt the data if those alternatives will not work for you. | ✅ Attorney/Client Privileged Information ✅ Export Controlled Research (ITAR, EAR) ✅ IT Security Information ✅ Other Sensitive Institutional Data ✅ Personally Identifiable Information (PII) 🚫 Protected Health Information (HIPAA) ✅ Sensitive Identifiable Human Subject Research ✅ Student Education Records (FERPA) ✅ Student Loan Application Information (GLBA) ⚠️ Social Security Numbers 🚫 Credit Card or Payment Card Industry (PCI) Information 🚫 Federal Information Security Management Act (FISMA) Data | ||||||
WEPA Printing | WEPA Printing is UWF’s student “printing as a service” cloud printing provider. WEPA provides convenience to students by allowing 6 different methods by which to print to any of the physical printer stations around campus. For example a student could print from their residence hall and the print-out would be queued in the “cloud” and the student could pick up the physical prints by logging into a WEPA station with their Nautilus card and the print-out would be sent to that printer at that moment in time. | All files are encrypted during transit in the wēpa system and at rest in our data centers, with the exception of emailed attachments sent to us through insecure email. We have the ability to prohibit specific users from using email printing if there is a concern, but honestly, you can email from any email account and get a wēpa code (release code) anyway whether you are a registered user or not, so training is important regarding emailed documents for HIPAA (don’t do it). Print files are downloaded to the print station on demand, and the print file does live there on the hard drive for some time after printing (same applies to files printed from USB or from cloud storage sources). User print files are cleaned off of the print station hard drive within 24 hours / each day. This hard drive is within the computer that can only be accessed by the “master” key that opens the back of the print station. The printers themselves do not have storage. We are PCI compliant, and many of those rules serve to protect all of the data in our system, including user print files. | ✅ Attorney/Client Privileged Information 🚫 Export Controlled Research (ITAR, EAR) ✅ IT Security Information ✅ Other Sensitive Institutional Data ✅ Personally Identifiable Information (PII) 🚫 Protected Health Information (HIPAA) 🚫 Sensitive Identifiable Human Subject Research ✅ Student Education Records (FERPA) 🚫 Student Loan Application Information (GLBA) 🚫 Social Security Numbers ✅ Credit Card or Payment Card Industry (PCI) Information 🚫 Federal Information Security Management Act (FISMA) Data |
Anchor | ||||
---|---|---|---|---|
|