Versions Compared

Old Version 2

changes.mady.by.user Mark Cather

Saved on

compared with

New Version Current

changes.mady.by.user Carlos E. McKinney

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

As a UMBC staff or faculty member, it is essential that you take appropriate steps to protect

...

University information.  

If you have any questions about devices you want to use or how to classify information, please contact the DoIT Security Department at security@umbc.edu. 

It is better to ask before possibly causing an information breach.

University information is broadly categorized into one of four levels.

  • Level 0 - Public Information
    • Level 0 information is information that is public to the world and not subject to any laws or restrictions on who can access it.  This information could be posted on a billboard anywhere in the world, and it would be no problem.
  • Level 1 - UMBC Proprietary Information & FERPA
    • Most of the information used as a part of the academic and business processes of UMBC is Level 1 data.  This includes any information that is covered under FERPA and any information that is related to UMBC business or academic programs, that isn't covered by another law or contractual restriction.  
  • Level 2 - Confidential Information
    • Level 2 information is any information that could be implicated in a data breach under identity theft laws.  This includes information such as:
      • Social Security Numbers
      • Drivers License Numbers
      • Passport and VISA Numbers
      • Credit Card Numbers (for non-UMBC credit cards)
      • Financial Account Numbers (for Financial Accounts Outside of UMBC)
  • Level 3 - High Security Information / Legal Protections Required
    • Level 3 data is our highest classification of general information at UMBC.  This level includes information that must be protected specifically under state, federal, or international law.  The main law that falls under this category is health information that is covered by HIPAA. 

...

Information Classification

The first step in understanding which devices can be used with which data is to understand the classification of the information you need to use with the device.  

The four levels of information classification at UMBC are described through this FAQ: Information Classification at UMBC

Permitted Devices by Information Classification

The way that information needs to be secured depends on the level of the information.

...

The higher the level, the more security

...

needs to be applied. DoIT has created a matrix to outline which types of devices are appropriate to use with certain levels of data. Additionally, the device must match the highest level of information on the device. For example: if a computer is regularly used with Level 1 information and has only a few Social Security numbers on it for a one-time task, the whole device must match the higher Level 2 requirements (due to the SSNs), or the SSNs must be removed from the computer.  

It is always better to use a UMBC Owned Device or the UMBC Virtual Desktop Environment for UMBC work whenever possible,

...

even with Level 0 and Level 1 Information.


Level 0

Level 1

Level 2

Level 3

UMBC Owned Device

Yes

Yes

Yes**

Yes**

UMBC Virtual Desktop Environment

Yes

Yes

Yes

No

Employee Owned Device

Yes

...

No

No

No

Public Device 

Yes

No

No

No

** The UMBC Owned Devices need to have particular security configurations and tools installed to be able to work with Level 2 and Level 3 information.

...

 

For information on using the UMBC Virtual Desktop Environment, please review the following FAQ:  UMBC VDE

If you have any questions about devices you want to use or how to classify information, please contact the DoIT Security Department at security@umbc.edu. 


Image Added