Understanding Data Classification

In order to properly secure your data, you must understand its classification and appropriate options for transporting and storage.

NOTE: If you have any questions about the proper handling of data, please contact Information Security.

Classification of Data Policy and Table

	Confidential Information				Public
Electronic Devices and Lehigh Hosted or Contracted Services	Class I Critical PHI¹	Class I Critical non-PHI	Class II Restricted	Class III Institutional/ Proprietary	Class IV Public/ Unrestricted
Lehigh Owned - LTS-Managed Whole Disk Encrypted Devices including, but not limited to: Computers Network-Attached Storage (NAS) Externally Connected Storage Devices
Personally Owned Computers or Storage Devices
Unmanaged Devices (Lehigh Owned or Personal, e.g. mobile)
Lehigh University LAN Drive (H: I: J: Drives)
Approved Access-Controlled LAN Drive Storage*
Web and Storage Space
Ceph Storage with LTS Access-Control (R Drive)
Confluence
Course Site
DocuSign
Drupal and Lehigh Hosted Webpages
Email - Lehigh Gmail
JIRA
Lehigh File Sender
Lehigh Google Drive** (encrypted in transit and at rest) NOTE: Google stores data on servers located domestically and abroad.
Lehigh Dropbox for Business³ (encrypted in transit and at rest) NOTE: All data is stored in the US.
Personal Dropbox
Lehigh Microsoft OneDrive** (encrypted in transit and at rest)
Qualtrics
RedCap
Slack
Zoom
Zoom - HIPAA²

Acceptable Not Acceptable Some exclusions (noted below)

*Must be approved by Information Security

** ITAR and Export controlled information under U.S.laws are excluded. Although ITAR and Export controlled information under U.S. laws are classified as Type II data, it cannot be stored on systems outside the US. In addition to storage restrictions on this type of data, there are also restrictions on sharing such data with foreign nationals of restricted countries. It is up to the data owner to determine whether any export-controlled data may be shared with someone or transported to a particular country. Guidance can be found at the US Department of Commerce Control List site at: http://www.bis.doc.gov/index.php/regulations/commerce-control-list-ccl

¹ Protected Health Information (PHI)

² Zoom can be used for PHI or Class 1 data but you MUST have your account converted to a HIPAA compatible account and you will lose some Zoom functionality (i.e. Cloud recording, breakout rooms, etc)

³ Dropbox for Business can be used for PHI or Class 1 data but you MUST have a team drive set up by LTS and the Class 1 data put into the C1 folder. Do not share any files externally.

LTS Knowledge Base

Understanding Data Classification

Confidential Information

Public

Electronic Devices and

Lehigh Hosted or Contracted Services

Class I
Critical
PHI¹

Class I
Critical
non-PHI

Class II
Restricted

Class III
Institutional/
Proprietary

Class IV
Public/
Unrestricted

Lehigh Owned - LTS-Managed Whole Disk Encrypted Devices
including, but not limited to:

Computers

Network-Attached Storage (NAS)

Externally Connected Storage Devices

Personally Owned Computers or Storage Devices

Unmanaged Devices (Lehigh Owned or Personal, e.g. mobile)

Lehigh University LAN Drive (H: I: J: Drives)

Approved Access-Controlled LAN Drive Storage*

Web and Storage Space

Ceph Storage with LTS Access-Control (R Drive)

Confluence

Course Site

DocuSign

Drupal and Lehigh Hosted Webpages

Email - Lehigh Gmail

JIRA

Lehigh File Sender

Lehigh Google Drive** (encrypted in transit and at rest)
NOTE: Google stores data on servers located domestically and abroad.

Lehigh Dropbox for Business³ (encrypted in transit and at rest)
NOTE: All data is stored in the US.

Personal Dropbox

Lehigh Microsoft OneDrive** (encrypted in transit and at rest)

Qualtrics

RedCap

Slack

Zoom

Zoom - HIPAA²