Policies & Data Use Guidelines

Cybersecurity Standards

These are the IT security policies and standards that govern the University of Maryland, Baltimore County (UMBC). They are informed by a multi-tiered framework of legal, regulatory, and policy requirements set at the federal, state, University System of Maryland (USM), and university levels. UMBC translates these requirements into practical IT security controls: the technical and procedural measures used to secure access to our data, systems, and networks. The purpose of these controls is to prevent the loss, exposure, or operational compromise of sensitive information and critical IT resources. By adhering to these standards and policies, UMBC maintains compliance with applicable regulations and manages its information security risk as threats and technology change.

Cybersecurity Policies

Data Use Guidelines

The most commonly used information has been pulled out below. Read the full Data Use Guidelines here. Guidance for Data Stewards and Principal Investigators is also available in the full Data Use Guidelines.

These guidelines are intended to:

  1. provide guidance to UMBC community members on how to safely and securely work with data classified higher than level 0 (level 0 is normally associated with public data);
  2. provide guidance to Data Stewards, including Principal Investigators, on selecting the appropriate data classification for data that is not level 0 and therefore requires additional security controls.

These guidelines provide supporting information to properly implement the UMBC Policy on the Classification and Protection of Confidential Information.

Before UMBC employees can access student educational data protected by FERPA, they are required to review the FERPA requirements and attest that they will abide by them. In addition, all staff in departments considered high risk are required to complete UMBC's self-paced security training, which is encouraged for all employees.

The Four Levels of Data Classification

Each of the four classification levels has a set of security controls associated with it, as required by policy or regulation, for protecting the information. It is important for individuals to understand the classification system because a data item's level dictates where it may be stored, how it may be transmitted, and who may handle it.

  • Level 0. Data explicitly or implicitly approved for distribution to the public, where disclosure poses little institutional risk.
  • Level 1. Data intended for internal University use and not approved for distribution to the public.
  • Level 2. Protected data that, if acquired by an unauthorized party, could be used for identity theft.
  • Level 3. Highest-risk data, and the systems, applications, or services that hold it, subject to externally mandated IT compliance requirements.

Level 0 data can be emailed or handled on any computer, including your personal computer. At the other extreme, Level 3 data, such as patient medical data, may never be emailed or handled outside the guidance given by the departments responsible for that data.

Approved Risk Level By Storage Category or Device

As technology changes, there may be services or applications not listed below. Before posting or storing Sensitive Information in such a location, contact DoIT by submitting an RT request or emailing security@umbc.edu.

Services permitted to store or process level 0 only:
  • Personally Owned Workstations: Personally owned workstations may only be used to store UMBC public information.
  • UMBC WordPress Sites: The platform behind Sites.umbc.edu, the web presence for campus departments.
  • Mobile Devices: Mobile devices, whether UMBC-owned or personally owned, should be used only with public UMBC information.
  • UMBC WIKI Sites
  • Other Public Cloud Storage Sites (e.g., iCloud, Dropbox): Institutional data, including research data, cannot be stored on personal cloud services for which UMBC has no contract in place. UMBC presently has contracts with Google, Microsoft, Box, LabArchives, and AWS.
Services permitted to store or process level 0 or 1:
  • Email: Never send level 2 or higher data through email, regardless of the email provider. Instead, send a link to the data (e.g., a link to a Box document containing it) stored in an approved, secure location.
  • UMBC Owned Workstations: Level 0 and 1 data may be stored locally on your workstation. Level 2 data must instead be stored on a UMBC-approved cloud storage platform: Microsoft OneDrive, Google Drive, or Box.com.
  • LabArchives Notebook: LabArchives is an Electronic Lab Notebook with integrated data storage, licensed by UMBC.
  • Departmental Servers: Unless a server has been reviewed and approved by DoIT's security team, no departmental server (such as those in CSEE, Math, or IS) operates with security controls designed to meet level 2 or higher.
  • myUMBC Groups: If you want to share Level 1 data with other team members through a group, consult the myUMBC team to make sure the group's sharing settings are set to private.
Services permitted to store or process level 0, 1 or 2:
  • Google Apps: Google Drive is now authorized for Level 2 data. Anyone wishing to use Google for Level 2 data must use a shared Google Drive; DoIT will configure the policies that enforce data protection on the shared drive.
  • Box.com: Use of the Box desktop syncing tool for level 2 Sensitive Data is not permitted, because it places copies of the data on the local disk. ExpanDrive and Box Drive (which map Box folders as a network drive on your work desktop) are permitted. Departments should meet with DoIT before putting any level 2 data on Box to make sure adequate controls are in place. Box currently does not meet HIPAA or export-controlled data security requirements.
  • Active Directory Centralized File Share (deprecated): No new level 2 files should be placed on Active Directory file shares; this service is being deprecated for level 2 data.

Services permitted to store or process level 0, 1, 2 or 3:
  • Microsoft O365: Microsoft OneDrive is recommended over Box. Any level 3 data must be discussed with DoIT Security to ensure that proper compliance measures are in place.
  • Encrypted Portable Electronic Storage Media: Storing Level 2 or 3 data on portable media, even encrypted media, requires explicit approval from DoIT Security.