
Sanctioned University and Cloud Data Storage Locations

Contents

  I. Overview and Purpose
  II. Scope
  III. Rationale
  IV. General Requirements and Responsibilities
  V. Regulated Data
  VI. Sanctioned Services and Locations:
    A. Cloud Storage Services
    B. Cloud Based Survey Tools
    C. Computers and External Drives
    D. Centrally Provided Network Drives
    E. Centrally Provided E-Mail and Calendar Systems
    F. Centrally Provided Content Management, Learning Management and Collaboration
    G. Centrally Provided Academic and Research Systems
  VII. Updates and Modifications to this Guideline
  VIII. Revisions

I. Overview and Purpose

This guideline has been established as a reference for all UT Arlington faculty, researchers, students and staff seeking sanctioned or centrally provisioned locations where electronic data can be collected, stored, manipulated, transferred or otherwise accessed. Unless noted otherwise, the sanctioned services and storage locations listed in this document have been vetted for information security protection controls.

This document should be considered non-comprehensive as it is limited to listing services that are provided by the Office of Information Technology (OIT) or other departments providing institution-wide IT services. Secure storage or services that are acquired or provisioned by a department or researcher for limited access are not listed, but may fall under one of the categories listed below. Please contact the Information Security Office (security@uta.edu) if additional services need to be added, or if there are questions about the security practices noted.

II. Scope

This guideline applies to all University Data generated, stored, or otherwise handled by full and part time employees, including student workers and contractors. Similarly, this guideline also applies to all students who handle Confidential data directly related to their research. 

III. Rationale

Certain data handled by academic, operational or research departments must meet information security and data integrity requirements throughout its lifecycle in order to meet federal, state or UT regulations. Consequently, it is the fiduciary responsibility of all users to make conscientious decisions about how University Data is protected and made available to the Institution when required. In particular, it is the responsibility of the various academic, administrative and research unit heads to implement IT security standards and controls to ensure the confidentiality, integrity and availability of University Data.

Whereas some units may be completely self-sufficient to meet IT security requirements, most choose to outsource a significant portion of IT security responsibility to UT Arlington’s Office of Information Technology (OIT) or to other third party (cloud) providers. OIT is responsible for providing sanctioned centralized services that conform to UT Arlington’s information security program.

IV. General Requirements and Responsibilities

1. Consistent with UT System policy, collecting and storing SSNs should be avoided. If storage or handling of SSNs is approved (by executive management or IRB protocol), access must be restricted, user authentication always required and data only accessed on a university owned encrypted computer.

2. It is the responsibility of all users (faculty, staff, researchers and students) to secure the data under their custodianship following best practices for physical and information technology security, as well as conform to all policies and standards established by UTA and UT System, and to follow regulations established by the State of Texas and federal government.

3. All users and collaborators must be aware of where confidential/sensitive information might be downloaded and stored (for example, a web browser accessing box.com may cache or store downloaded sensitive data on a shared and non-university owned encrypted computer).

4. In situations where multiple collaborators require access to a shared resource, the Department Head or Faculty Advisor/Principal Investigator must maintain control of the data.

5. Each department head or researcher must ensure that the final disposition of the data meets records retention rules, and should ensure provisions are in place to ensure access to the data in the event of a disaster or for any other time-sensitive legal or institutional reason. Data must be disposed of securely. For example, use a micro or cross cut shredder for paper, floppy disks or CDs, or a degausser or multipass secure disk wiping software for hard drives.

V. Data Classification and Regulated Data

1. UTA has established a Data Classification Standard for which minimum standards have been created for securing data. 

2. Regulated data such as those covered by Export Control or involving Human Subjects must be reviewed by Research Administration. Human Subject data falls into three categories for which appropriate security measures must be taken:

(a)  Unidentifiable/Anonymous: Information obtained will be recorded in such a manner that subjects’ identity cannot readily be ascertained, either directly or indirectly through identifiers linked to the subjects (note: research involving a coding mechanism that links to identifiable data does not fit under this option). This maps to "Controlled" data in UTA's data classification standard. 

(b)  Non-Sensitive: Any disclosure of the subjects’ responses outside the research would not reasonably place them at risk of criminal or civil liability or be damaging to their financial standing, employability, educational advancement, or reputation. This maps to "Controlled" data in UTA's data classification standard. 

(c)  Identifiable + Sensitive, with Privacy/Confidentiality Plan:  Information obtained will be recorded by the investigator in such a manner that the subjects’ identity can readily be ascertained, either directly or indirectly through identifiers (such as coding) linked to the subjects, and the data collected/subjects’ responses may be sensitive in nature. This maps to "Confidential" data in UTA's data classification standard. 

3. Appropriate use, sharing or handling of regulated data covered under privacy laws (such as FERPA or HIPAA) must be reviewed by the Office of University Compliance and Legal Affairs.

4. Contact the Information Security Office (security@uta.edu) for advice on controls and best practices related to research, business or instruction.

VI. Sanctioned Services and Locations

A. Cloud Storage Services

| Resource Name | UTA Contract | Centrally Supported | For Employee Use | For Student Use | For External Collaboration | Published Data | Controlled Data | *Confidential Data: *SSNs | *Confidential Data: FERPA | *Confidential Data: PCI / GLBA | *Confidential Data: *Human Subject / IRB | *Confidential Data: *ITAR |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| UTA Box (uta.box.com) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Limited; Ask ISO | Yes | No | Yes | No |
| UTA O365 OneDrive | Yes | Yes | Yes | Yes | No | Yes | Yes | No | Yes | No | Unidentifiable or non sensitive | No |

Dropbox: Not sanctioned for institutional use - No UTA Contract. Remaining cells: No, No, No, No, No.

Google Drive: Not sanctioned for institutional use - No UTA Contract. Remaining cells: No, No, No, No, No.

iCloud: Not sanctioned for institutional use - No UTA Contract. Remaining cells: No, No, No, No, No.

Elsevier Mendeley: Not sanctioned for institutional use - No UTA Contract. Remaining cells: No, No, No, No, No.

IMPORTANT: 

UTA does not have contracts for storing UTA data on other cloud storage vendors like Dropbox, Google Drive and iCloud, and therefore employees can only use them for Published data or for non-UTA business. Students may use these services for academic, research and personal use.

O365 OneDrive

OneDrive is currently available to employees and students. Ensure that OIT has implemented security settings for your OneDrive so that inadvertent sharing of data does not occur.

UTA Box

UTA Box can be used for both internal and external collaboration, and can be used by faculty, staff and students. To request access, please contact the OIT Help Desk.

UTA Box Features Include:

  1. NetID authentication.
  2. Data encryption at rest and transmission.
  3. Access control.
  4. Version history.
  5. Collaboration among students, faculty, staff and external collaborators.
  6. Unlimited storage space (upon request).

Important UTA Box Restrictions
Always ensure that you are following established practices for protecting regulated data. Consult the Information Security Office if you have questions.

  1. uta.box.com should be used as secondary storage and should not be considered a replacement for personal (J:) and departmental (K:) drives, where primary copies should exist. Employees should be aware that uta.box.com is an enterprise service that is distinct from consumer www.box.com (the latter can be used for non-UT Arlington business but must never be used to store UT Arlington confidential or controlled data).
  2. Box Sync tool must never be used for Confidential or Controlled data on a non-UT Arlington computer that does not have full disk encryption and access control enabled to prevent unauthorized individuals (including family or friends) from accessing the data.
  3. When sharing Confidential or Controlled data, it is important to ensure folders are password protected or have appropriate access control to prevent accidental data compromise or leak. Special caution must be taken when handling identified human subject data.
  4. External collaboration involving confidential UT Arlington data should, where possible, be through sponsored NetID. At minimum shared folders must at all times be under the control of a UTA employee where UT System ownership of the data can be asserted.

B. Cloud Based Survey Tools

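| Resource Name | UTA Contract | Centrally Supported | For Employee Use | For Student Use | For FTE External Collaboration | Published Data | Controlled Data | *Confidential Data: *SSNs | *Confidential Data: FERPA | *Confidential Data: PCI / GLBA | *Confidential Data: *Human Subject / IRB | *Confidential Data: *ITAR |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Qualtrics (uta.qualtrics.com) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Ask ISO | Yes | No | Yes | No |

Survey Monkey: Not sanctioned for institutional use - No UTA Contract. Remaining cells: Yes, No, No, No, No, No, No.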

IMPORTANT: Qualtrics is currently the approved institutional survey tool; UTA does not have contracts for collecting and storing data on other survey tools. While the collection and storage of identified human subject data is permitted, collecting and storing SSNs is not permitted without first consulting the Information Security Office. When possible, data should be removed from Qualtrics and stored on an encrypted UTA computer.

C. Computers and External Drives

| Resource Name | Meets UTA Standards | Centrally Supported | For Employee Use | For Student Use | For Employee External Collaboration | Published Data | Controlled Data | *Confidential Data: *SSNs | *Confidential Data: FERPA | *Confidential Data: PCI / GLBA | *Confidential Data: *Human Subject / IRB | *Confidential Data: *ITAR |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| UTA owned computer that is encrypted and has OIT standard image | Yes | Yes | Yes | Ask Dept. | Ask ISO | Yes | Yes | Yes | Yes | No | Yes | Per TCP |
| UTA owned ISO approved external drives that are hardware encrypted | Yes | Ask Dept. | Yes | Ask Dept. | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Per TCP |
| UTA owned computer that is not encrypted (with encryption exception) | No | Ask Dept. | No | Ask Dept. | No | Yes | Ask ISO | No | No | No | Unidentifiable or non sensitive | No |
| UTA owned external drives that are not encrypted | No | No | No | Yes | No | Yes | Ask ISO | No | No | No | Unidentifiable or non sensitive | No |
| Non-UTA owned computers or external drives that are not encrypted | No | No | No | Yes | No | Yes | No | No | No | No | Unidentifiable or non sensitive | No |

A. General
All computers (desktop, laptop and mobile devices), as well as portable devices (external hard drives, CDs, thumb drives) containing confidential information, must be encrypted following the institution's standards. Where possible, all data must be stored on central storage (K: or J: drives).

B. Features
Security related features for encrypted computers include:

  1. Protected by University firewall, if accessed from on campus.
  2. NetID authentication in addition to Active Directory permissions is used for controlling access to laptops and desktops.
  3. University owned computers are eligible to run CrashPlan for backups.

C. *Restrictions
Always ensure that you are following established practices for protecting regulated data. Consult the Information Security Office if you have questions.

  1. Encrypted devices can be used for most regulated data including FERPA, HIPAA (patient records), ITAR (export control) or IRB (identifiable human subject) covered data or other highly sensitive data such as social security numbers; however, additional controls may be required such as restricted computer access and physical security (cable locks, locked room, etc.).
  2. Approved encryption methods must be used.

D. Centrally Provided Network Drives

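| Resource Name | UTA Hosted | Centrally Supported | For Employee Use | For Student Use | For FTE External Collaboration | Published Data | Controlled Data | *Confidential Data: *SSNs | *Confidential Data: FERPA | *Confidential Data: PCI / GLBA | *Confidential Data: *Human Subject / IRB | *Confidential Data: *ITAR |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| homefs.uta.edu (Individual J:) | Yes | Yes | Yes | Yes | No | Yes | Yes | Ask ISO | Yes | No | Yes | No |
| kdrivefs.uta.edu (Department K:) | Yes | Yes | Yes | No | No | Yes | Yes | Ask ISO | Yes | No | Unidentifiable or non sensitive | No |
| researchfs.uta.edu (Research) | Yes | Yes | Yes | Ask ISO | No | Yes | Yes | Ask ISO | Yes | No | Yes | Per TCP |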

A. General
OIT provided network storage is the primary location for all University Data that does not exist in a primary system of record. Primary systems of record include MyMav (Student Information System), UT Share (Human Capital Management, Financial Management System), as well as supporting systems such as MS Exchange, Blackboard and ImageNow. Additional notes:

  1. Individual (J:) network drives are automatically provisioned for employees and students.
  2. Department (K:) network drives are provisioned primarily for employees only at the request of the department head. Purpose built network drives can be provisioned at the request of the department head. The department head or data owner is required to contact OIT to verify that appropriate restrictions are in place and to review access lists.
  3. Students who work for the Institution are considered employees and may be granted access to department folders at the discretion of the department head.
  4. Department heads may request network drives for academic or student use; these drives are not permanent and may be destroyed after a mutually predetermined period.
  5. ResearchFS is specially provisioned for researchers with regulated data and can be used for storing large data sets. Access to ResearchFS must be approved by the Office of Research Administration and the Information Security Office.

B. Features
Security related features include:

  1. Protected by University firewall.
  2. NetID authentication in addition to Active Directory permissions is used for controlling access to drives.
  3. Network Drives are routinely backed up by OIT.

C. *Restrictions
Always ensure that you are following established practices for protecting regulated data. Consult the Information Security Office if you have questions.

  1. General purpose department network drives should not be used for storing any regulated data including PCI (credit card), HIPAA (patient records), ITAR (export control) or IRB (identifiable human subject) covered data or other highly sensitive data such as social security numbers, unless every individual is authorized to access such data. Instead, restricted network shares or folders with a defined access control list must be requested from OIT.
  2. VPN and two factor authentication (i.e. NetIDPlus) must be used when accessing network drives from off campus locations.

E. Centrally Provided E-Mail and Calendar Systems

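| Resource Name | UTA Hosted | Centrally Supported | For Employee Use | For Student Use | For FTE External Collaboration | Published Data | Controlled Data | *Confidential Data: *SSNs | *Confidential Data: FERPA | *Confidential Data: PCI / GLBA | *Confidential Data: *Human Subject / IRB | *Confidential Data: *ITAR |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| exchange.uta.edu | Yes | Yes | Yes | No | Yes | Yes | Yes | No | Yes | No | Unidentifiable or non sensitive | No |
| UTA O365 | Yes | Yes | No | Yes | Yes | Yes | Yes | No | Yes | No | Unidentifiable or non sensitive | No |

Google Gmail: Not sanctioned for institutional use - No UTA Contract. Remaining cells: Yes, No, No, No, No, No, No.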

A. General
OIT provided email servers are the only approved systems for email services related to university business, instruction and research.

  1. NetID authentication is used for controlling access to Exchange mailboxes.
  2. Students who work for the Institution are considered employees and may be granted access to Exchange accounts at the discretion of the department head.
  3. O365 does not depend on NetID authentication – access may persist beyond a student’s enrollment at UTA.
  4. Resources required for student use need to be approved by a department head or organization advisor.

B. Features
Security related features for Exchange include:

  1. Protected by University firewall.
  2. NetID authentication in addition to Active Directory permissions is used for controlling access to Exchange accounts.
  3. Email on Exchange is routinely backed up by OIT.

C. *Restrictions
Always ensure that you are following established practices for protecting regulated data. Consult the Information Security Office if you have questions.

  1. Email must not be used for most regulated data including PCI (credit card), HIPAA (patient records), ITAR (export control) or IRB (identifiable human subject) covered data or other highly sensitive data such as social security numbers.

F. Centrally Provided Content Management, Learning Management and Collaboration

| Resource Name | UTA Hosted | Centrally Supported | For Employee Use | For Student Use | For FTE External Collaboration | Published Data | Controlled Data | *Confidential Data: *SSNs | *Confidential Data: FERPA | *Confidential Data: PCI / GLBA | *Confidential Data: *Human Subject / IRB | *Confidential Data: *ITAR |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| www.uta.edu | Yes | Yes | Yes | No | No | Yes | No | No | No | No | No | No |
| blog.uta.edu | Yes | Yes | Yes | No | No | Yes | No | No | No | No | No | No |
| sharepoint.uta.edu | Yes | Yes | Yes | No | No | Yes | Yes | No | Yes | No | Unidentifiable or non sensitive | No |
| blackboard.uta.edu | Yes | Yes | Yes | Yes | No | Yes | Yes | No | Yes | No | Unidentifiable or non sensitive | No |
| wweb.uta.edu | Yes | Yes | Yes | No | No | Yes | Yes | No | Yes | No | Unidentifiable or non sensitive | No |
| mavspace.uta.edu | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | No | Unidentifiable or non sensitive | No |
| wiki.uta.edu | Yes | Yes | Yes | Yes | No | Yes | Yes | No | Yes | No | Unidentifiable or non sensitive | No |

A. General

  1. External collaboration will be through public facing websites. Ability to modify and update content by an external collaborator will require a sponsored NetID.
  2. NetID authentication is used for controlling access to content or providing the ability to edit and publish public facing content.
  3. Students who work for the Institution are considered employees and may be granted access to department resources at the discretion of the department head.
  4. Resources required for student use need to be approved by a department head or organization advisor.

B. Features
Security related features include:

  1. Protected by University firewall.
  2. NetID authentication is available on certain tools like SharePoint to protect access to data.
  3. These tools are backed up by OIT.

C. *Restrictions
Always consult the Information Security Office before storing regulated data.

  1. Regulated data including PCI (credit card), HIPAA (patient records), ITAR (export control) or IRB (identified human subject) covered data or other highly sensitive data such as social security numbers should never be stored unless every individual is authorized to access such data. 
  2. VPN and two factor authentication (i.e. NetIDPlus) must be used when accessing network drives from off campus locations.
  3. These services are available from the internet and special caution must be made to ensure non-public data is controlled.

G. Centrally Provided Academic and Research Systems

| Resource Name | UTA Hosted | Centrally Supported | For Employee Use | For Student Use | For FTE External Collaboration | Published Data | Controlled Data | *Confidential Data: *SSNs | *Confidential Data: FERPA | *Confidential Data: PCI / GLBA | *Confidential Data: *Human Subject / IRB | *Confidential Data: *ITAR |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| omega.uta.edu (Academic/Instruction) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | No | Unidentifiable or non sensitive | No |
| gamma.uta.edu (Academic/Instruction) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | No | Unidentifiable or non sensitive | No |
| teach-1.uta.edu | Yes | Yes | Yes | No | No | Yes | Yes | No | Yes | No | Unidentifiable or non sensitive | No |
| hpcroot.uta.edu (high performance computing) | Yes | Yes | Yes | No | No | Yes | Yes | No | Yes | No | Unidentifiable or non sensitive | No |
| researchfs.uta.edu (regulated storage) | Yes | Yes | Yes | Yes | No | Yes | Yes | Ask ISO | Yes | No | Yes | Per TCP |

A. General

  1. These are Linux based general computing servers.
  2. External collaboration will be through a sponsored NetID.
  3. NetID authentication is used for controlling access to content.
  4. Students who work for the institution are considered employees and may be granted access to non-student resources at the discretion of the department head or sponsor.
  5. ResearchFS is specially provisioned for researchers with regulated data and can be used for storing large data sets. Access to ResearchFS must be approved by the Office of Research Administration and the Information Security Office.

B. Features
Security related features include:

  1. Protected by University firewall.
  2. NetID authentication is available on certain tools like SharePoint to protect access to data.
  3. These servers are backed up by OIT.

C. *Restrictions
Always ensure that you are following established practices for protecting regulated data. Consult the Information Security Office if you have questions.

  1. Regulated data including PCI (credit card), HIPAA (patient records), ITAR (export control) or IRB (identified human subject) covered data or other highly sensitive data such as social security numbers should never be stored unless every individual is authorized to access such data. 
  2. VPN and two factor authentication (i.e. NetIDPlus) must be used when accessing network drives from off campus locations.
  3. Some of these services are available from the internet and special caution must be taken to ensure non-public data has appropriate access control implemented.

VII. Updates and Modifications to this Guideline

This document will be modified as necessary to address changes in technology, processes and identified risks, and is intended to complement, and does not supersede, relevant UT System or UT Arlington policies and procedures governing the security of University data. In the absence of specific policies, policy statements found in this document will stand as provisional until such time that it is incorporated into a HOP policy or procedure. Significant changes to this guideline will be announced to Information Security Administrators and/or in the MavWire.