Skip to main content
uta
uta

Sanctioned University and Cloud Data Storage Locations

Contents

  I. Overview and Purpose
  II. Scope
  III. Rationale
  IV. General Requirements and Responsibilites
  V. Regulated Data
  VI. Sanctioned Services and Locations:
    A. Cloud Storage Services
    B. Cloud Based Survey Tools
    C. Encrypted computers and External Drives
    D. Centrally Provided Network Drives
    E. Centrally Provided E-Mail and Calendar Systems
    F. Centrally Provided Content Management, Learning Managment and Collaboration
    G. Centrally Provided Academic and Research Systems
  VII.Updates and Modifications to this Guideline
  VIII.Revisions

I. Overview and Purpose

This guideline has been established as reference for all UT Arlington faculty, researchers, students and staff seeking sanctioned or authorized centrally provisioned locations where electronic data can be collected, stored, manipulated, transferred or otherwise accessed. Unless noted otherwise, the sanctioned services and storage locations listed in this document have been vetted for information security protection controls.

This document should be considered non-comprehensive as it is limited to listing services that are provided by the Office of Information Technology (OIT) or other departments providing institution-wide IT services. Secure storage or services that are acquired or provisioned by a department or researcher for limited access are not listed, but may fall under one of the categories listed below. Please contact the Information Security Office (security@uta.edu) if additional services need to be added, or if there are questions about the security practices noted.

II. Scope

This guideline applies to all University Data generated, stored, or otherwise handled by full and part time employees, including student workers and contractors. Similarly, this guideline also applies to all students who handle Confidential data directly related to their research. 

III. Rationale

Certain data handled by academic, operational or research departments must meet information security and data integrity requirements throughout its lifecycle in order to meet federal, state or UT regulations. Consequently, it is the fiduciary responsibility of all users to make conscientious decisions about how University Data is protected and made available to the Institution when required. In particular, it is the responsibility of the various academic, administrative and research unit heads to implement IT security standards and controls to ensure the confidentiality, integrity and availability of University Data.

Whereas some units may be completely self-sufficient to meet IT security requirements, most choose to outsource a significant portion of IT security responsibility to UT Arlington’s Office of Information Technology (OIT) or to other third party (cloud) providers. OIT is responsible for providing sanctioned centralized services that conform to UT Arlington’s information security program.

IV. General Requirements and Responsiblities

1. Consistent with UT System policy, storing SSN’s should be avoided. If storage or handling of SSNs are approved (by executive managmeent or IRB protocol), access must be restricted, user authentication always required and data only accessed on a university owned encrypted computer.

2. It is the responsibility of all users (faculty, staff, researchers and students) to secure the data under their custodianship following best practices for physical and information technology security, as well as conform to all policies and standards established by UTA and UT System, and to follow regulations established by the State of Texas and federal government.

3. All users and collaborators be aware of where confidential/sensitive information might be downloaded and stored (for example, a web browser accessing box.com may cache or store downloaded sensitive data on a shared and non-university owned encrypted computer).

4. In situations where multiple collaborators require access to a shared resource, the Department Head or Faculty Advisor/Principal Investigator must maintain control of the data.

5. Each department head or researcher must ensure that the final disposition of the data meets records retention rules, and should ensure provisions are in place to ensure access to the data in the event of a disasters or for any other time-sensitive legal or institutional reason.

V. Regulated Data

1. Regulated data such as those covered by Export Control or invovling identified human subjects must be reviewed by Research Administration.

2. Appropriate use, sharing or handling of regulated data covered under privacy laws (such as FERPA or HIPAA) must be reviewed by the Office of University Compliance and Legal Affairs.

3. Contact the Information Security Office (security@uta.edu) for advice on controls and best practices related to research, business or instruction.

VI. Sanctioned Services and Locations

A. Cloud Storage Services

Resource Name UTA Contract Centrally Supported For Employee Use For Student Use For FTE External Collaboration Published Data
Controlled
Data
*Confidential
Data
*SSNs FERPA PCI / GLBA *Human Subject / IRB *ITAR

UTA Box
(uta.box.com)

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Ask ISO

Yes

No

Deidentified

No

OneDrive (onedrive.live.com)

Yes

Yes

No

Yes

No

Yes

Yes

No

Yes

No

No

No

Dropbox

Not sanctioned for institutional use - No UTA Contract

Yes

No

No

No

No

No

No

Google Drive

Not sanctioned for institutional use - No UTA Contract

Yes

No

No

No

No

No

No

iCloud

Not sanctioned for institutional use - No UTA Contract

Yes

No

No

No

No

No

No

Elsevier Mendeley

Not sanctioned for institutional use - No UTA Contract

Yes

No

No

No

No

No

No

IMPORTANT: 

1) UTA does not have contracts for storing UTA data on other cloud storage vendors like Dropbox, Google Drive and iCloud, and therefore can only be used for Published data or for non-UTA business.

2) OneDrive is currently only available to students.

3) UTA Box can be used for both internal and external collaboration, and can be used by faculty, staff and students. Employees should be aware that uta.box.com is an enterprise service that is distinct from consumer www.box.com. The latter can be used for non-UT Arlington business but never used to store UT Arlington confidential or controlled data.

B. UTA Box Feature Include:

  1. NetID authentication.
  2. Data encrypted at rest and transmission.
  3. Access control.
  4. Version history.
  5. Collaboration amoung students, faculty, staff and external collaborators.

C. *UTA Box Restrictons
Always consult the Information Security Office before storing regulated data.

  1. uta.box.com should be used as secondary storage and should not be considered a replacement for personal (J:) and departmental (K:) drives, where primary copies should exist.
  2. Box Sync tool must never be used for Confidential or Controlled data on a non-UT Arlington computer that does not have full disk encryption and access control enabled to prevent unauthorized individuals (including family or friends) from accessing the data.
  3. When sharing Confidential or Controlled data, it is important to ensure folders are password protected or have appropriate access control to prevent accidental data compromise or leak.
  4. External collaboration involving confidential UT Arlington data should, where possible, be through sponsored NetID. At minimum shared folders must at all times be under the control of a UTA employee where UT System ownership of the data can be asserted.

B. Cloud Based Survey Tools

Resource Name UTA Contract Centrally Supported For Employee Use For Student Use For FTE External Collaboration Published Data
Controlled
Data
*Confidential
Data
*SSNs FERPA PCI / GLBA *Human Subject / IRB *ITAR

Qualtrics
(uta.qualtrics.com)

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Ask ISO

Yes

No

Deidentified

No

Survey Monkey

Not sanctioned for institutional use - No UTA Contract

Yes

No

No

No

No

No

No

IMPORTANT: Qualtrics is currently the approved institutionalal survey tool; UTA does not have contracts for collecting and storing data on other survey tools.

C. Computers and External Drives

Resource Name

Meets
UTA Standards
Centrally Supported For Employee Use For Student Use For FTE External
 Collaboration
Published Data
Controlled
Data
*Confidential
Data
*SSNs FERPA PCI / GLBA *Human Subject / IRB *ITAR

UTA owned computer that is encrypted and has OIT standard image

Yes

Yes

Yes

Ask Dept.

No

Yes

Yes

Yes

Yes

No

Identified

Per TCP

UTA owned ISO approved external drives that are encrypted

Yes

Ask Dept

Yes

Ask Dept.

Yes

Yes

Yes

Yes

Yes

No

Identified

Per TCP

UTA owned computer that is not encrypted

No

Ask Dept

No

Ask Dept

No

Yes

Ask ISO

No

No

No

Deidentified

No

UTA owned external drives that are not encrypted

No

No

No

Yes

Yes

Yes

Ask ISO

No

No

No

Deidentified

No

A. General
All computers (desktop, laptop and mobile devices), as well as portable devices (external hard drives, CD's, thumbdrives) containing confidential information, must be encrypted following the instutions standards. Where possible, all data must me stored on central storage (K: and J: drives).

B. Features
Security related features for encrypted computers include:

  1. Protected by University firewall, if accessed from on campus.
  2. NetID authentication in addition to Active Directory permissions is used for controlling access to laptops and desktops..
  3. University owned computers are eligible to run CrashPlan for backups.

C. *Restrictons
Always consult the Information Security Office before storing regulated data.

  1. Encrypted devices be used for most regulated data including FERPA, HIPAA (patient records), ITAR (export control) or IRB (identified human subject) covered data or other highly sensitive data such as social security numbers; however additonal controls may be required such as restricted computer access and physical security (cable locks, locked room, etc.)
  2. Approved encryption methods must be used.

D. Centrally Provided Network Drives

Resource Name UTA Hosted Centrally Supported For Employee Use For Student Use For FTE External
 Collaboration
Published Data
Controlled
Data
*Confidential
Data
*SSNs FERPA PCI / GLBA *Human Subject / IRB *ITAR

homefs.uta.edu (Individual J: )

Yes

Yes

Yes

Yes

No

Yes

Yes

Ask ISO

Yes

No

Identified

No

kdrivefs.uta.edu (Department K: )

Yes

Yes

Yes

No

No

Yes

Yes

Ask ISO

Yes

No

Deidentified

No

researchfs.uta.edu (Research)

Yes

Yes

Yes

Ask ISO

No

Yes

Yes

Ask ISO

Yes

No

Identified

Per TCP

A. General
OIT provided network storage is the primary location for all University Data that does not exist in a primary system of record. Primary systems of record include MyMav (Student Information System), UT Share (Human Capital Management, Financial Management System), as well as supporting systems such as MS Exchange, Blackboard and ImageNow. Additional notes:

  1. Individual (J:) network drives are automatically provisioned for employees and students.
  2. Department (K:) network drives are provisioned primarily for employees only at the request of the department head. Purpose built network drives can be provisioned at the request of the department head. The department head or data owner is required to contact OIT to verify that appropriate restrictions are in place and to review access lists.
  3. Students who work for the Institution are considered employees and may be granted access to department folders at the discretion of the department head.
  4. Department heads may request network drives for academic or student use these drives are not permanent and may be destroyed after a mutually predetermined period.
  5. ResearchFS is specially provisioned for researchers with regulated data and can be used for storing large data sets. Access to ResarchFS must be approved by the Office of Resarch Administration and the Information Security Office.

B. Features
Security related features include:

  1. Protected by University firewall.
  2. NetID authentication in addition to Active Directory permissions is used for controlling access to drives.
  3. Network Drives are routinely backed up by OIT.

C. *Restrictons
Always consult the Information Security Office before storing regulated data.

  1. General purpose department network drives should not be used for storing any regulated data including PCI (credit card), HIPAA (patient records), ITAR (export control) or IRB (identified human subject) covered data or other highly sensitive data such as social security numbers, unless every individual is authorized to access such data. Instead, restricted network shares or folders with a defined access control list must be requested from OIT.
  2. VPN and two factor authentication (ie NetIDPlus) must be used when accessing network drives from off campus locations.

E. Centrally Provided E-Mail and Calendar Systems

Resource Name UTA Hosted Centrally Supported For Employee Use For Student Use For FTE External
 Collaboration
Published Data
Controlled
Data
*Confidential
Data
*SSNs FERPA PCI / GLBA *Human Subject / IRB *ITAR

exchange.uta.edu

Yes

Yes

Yes

No

Yes

Yes

Yes

No

Yes

No

Deidentified

No

O365

Yes

Yes

No

Yes

Yes

Yes

Yes

No

Yes

No

Deidentified

No

Google Gmail

Not sanctioned for institutional use - No UTA Contract

Yes

No

No

No

No

No

No

A. General
OIT provided email servers are the only approved systems for email services related to university business, instruction and research.

  1. NetID authentication is used for controlling access exchange mailbox.
  2. Students who work for the Institution are considered employees and may be granted access to Exchange accounts at the discretion of the department head.
  3. O365 does not depend on NetID authentication – access may persist beyond a student’s enrollment at UTA.
  4. Resources required for student use need to be approved by a department head or organization advisor.

B. Features
Security related features for Exchange include:

  1. Protected by University firewall.
  2. NetID authentication in addition to Active Directory permissions is used for controlling access to Exchange accounts.
  3. Email on Excahnge are routinely backed up by OIT.

C. *Restrictons
Always consult the Information Security Office before storing regulated data.

  1. Email must not be used for most regulated data including PCI (credit card), HIPAA (patient records), ITAR (export control) or IRB (identified human subject) covered data or other highly sensitive data such as social security numbers.

F. Centrally Provided Content Management, Learning Managment and Collaboration

Resource Name UTA Hosted Centrally Supported For Employee Use For Student Use For FTE External
 Collaboration
Published Data
Controlled
Data
*Confidential
Data
*SSNs FERPA PCI / GLBA *Human Subject / IRB *ITAR

www.uta.edu

Yes

Yes

Yes

No

No

Yes

No

No

No

No

No

No

blog.uta.edu

Yes

Yes

Yes

No

No

Yes

No

No

No

No

No

No

sharepoint.uta.edu

Yes

Yes

Yes

No

No

Yes

Yes

No

Yes

No

Deidentified

No

blackboard.uta.edu

Yes

Yes

Yes

Yes

No

Yes

Yes

No

Yes

No

Deidentified

No

wweb.uta.edu

Yes

Yes

Yes

No

No

Yes

Yes

No

Yes

No

Deidentified

No

mavspace.uta.edu

Yes

Yes

Yes

Yes

Yes

Yes

Yes

No

Yes

No

Deidentified

No

wiki.uta.edu

Yes

Yes

Yes

Yes

No

Yes

Yes

No

Yes

No

Deidentified

No

A. General

  1. External collaboration will be through public facing websites. Ability to modify and update content by an external collaborator will require a sponsored NetID
  2. NetID authentication is used for controlling access to content or providing the ability to edit and publish public facing content.
  3. Students who work for the Institution are considered employees and may be granted access to department resources at the discretion of the department head.
  4. Resources required for student use need to be approved by a department head or organization advisor.

B. Features
Security related features include:

  1. Protected by University firewall.
  2. NetID authentication is available on certain tools like sharepoint to protect access to data.
  3. These tooks are backed up by OIT.

C. *Restrictons
Always consult the Information Security Office before storing regulated data.

  1. Regulated data including PCI (credit card), HIPAA (patient records), ITAR (export control) or IRB (identified human subject) covered data or other highly sensitive data such as social security numbers should never be stored unless every individual is authorized to access such data. 
  2. VPN and two factor authentication (ie NetIDPlus) must be used when accessing network drives from off campus locations.
  3. These services are available from the internet and special caution must be made to ensure non-public data is controlled.

G. Centrally Provided Academic and Research Systems

Resource Name UTA Hosted Centrally Supported For Employee Use For Student Use For FTE External
 Collaboration
Published Data
Controlled
Data
*Confidential
Data
*SSNs FERPA PCI / GLBA *Human Subject / IRB *ITAR

omega.uta.edu
(Academic/Instruction)

Yes

Yes

Yes

Yes

Yes

Yes

Yes

No

Yes

No

Deidentified

No

gamma.uta.edu
(Academic/Instruction)

Yes

Yes

Yes

Yes

Yes

Yes

Yes

No

Yes

No

Deidentified

No

teach-1.uta.edu

Yes

Yes

Yes

No

No

Yes

Yes

No

Yes

No

Deidentified

No

hpcroot.uta.edu
(high performance computing)

Yes

Yes

Yes

No

No

Yes

Yes

No

Yes

No

Deidentified

No

researchfs.uta.edu
(regulated storage)

Yes

Yes

Yes

Yes

No

Yes

Yes

Ask ISO

Yes

No

Identified

Per TCP

A. General

  1. These are linux based general computing servers.
  2. External collaboration will be through a sponsored NetID 
  3. NetID authentication is used for controlling access to content.
  4. Students who work for the institution are considered employees and may be granted access to non-student resources at the discretion of the department head or sponsor.
  5. ResearchFS is specially provisioned for researchers with regulated data and can be used for storing large data sets. Access to ResarchFS must be approved by the Office of Resarch Administration and the Information Security Office.

B. Features
Security related features include:

  1. Protected by University firewall.
  2. NetID authentication is available on certain tools like sharepoint to protect access to data.
  3. These servers are backed up by OIT.

C. *Restrictons
Always consult the Information Security Office before storing regulated data.

  1. Regulated data including PCI (credit card), HIPAA (patient records), ITAR (export control) or IRB (identified human subject) covered data or other highly sensitive data such as social security numbers should never be stored unless every individual is authorized to access such data. 
  2. VPN and two factor authentication (ie NetIDPlus) must be used when accessing network drives from off campus locations.
  3. Some of these services are available from the internet and special caution must be made to ensure non-public data has appropriate access controll implemented.

VII. Updates and Modifications to this Guideline

This document will be modified as necessary to address changes in technology, processes and identified risks, and is intended to complement, and does not supersede, relevant UT System or UT Arlington policies and procedures governing the security of University data. In the absence of specific policies, policy statements found in this document will stand as provisional until such time that it is incorporated into a HOP policy or procedure. Significant changes to this guideline will be announced to Information Security Administrators and/or in the MavWire.

VIII. Revisions

Version Date Changes
1.0 7/25/2017 Initial Publication