Financial Cash Control
How is this data classified?
If you’d like to learn more about how data is classified, see our definitions of classifications.
Definition
Analysis and maintenance of data for disbursement, vendor, and bank activity used to track outstanding check register items after the six months stale date to attempt to locate and pay the payee or escheat the unclaimed property to the respective state government based on payee's last know address.
Storage Services
The following electronic dedicated file storage systems and IT services with storage components have been approved for the storage of this information:
EXAMPLES OF DATA
|
NEED HELP?Contact your data steward for help interpreting these results, or view the entire data classification matrix. |
IT Services with Storage Components
Data Use Guidelines
How to store your data
Do you really need to store it? Whenever possible, rather than creating another copy that will require special protections, access and view the information from its primary source.
Use Secure Shell (SSH), virtual private network (VPN), remote desktop, or other methods using strong cryptography to connect to the main storage location. Securely dispose of all critical information unless your task absolutely necessitates storing your own copy.
Use a secure storage location. All electronic storage systems approved for critical data can also be used for restricted, university-internal, or public data. However, such systems can be expensive to maintain and may include protections that make them less convenient to use.
Ask your department which storage service is professionally secured for critical information.
Never store critical information on your desktop, laptop, mobile device, USB drive, flash drive, or any media unless (a) the information is properly encrypted and (b) the senior executive officer of your unit has provided prior written approval confirming a critical business need to do so. See Mobile Device Security Standard IT-12.1 if you need to store this data on a mobile device such as a tablet or smart phone.
Ensure paper records are kept in locked file cabinets/storage rooms or are otherwise access-controlled. If you store paper records in shared locations, ensure that these records are not accessible to anyone else. (The IU Warehouse is no longer approved for storing university-internal, restricted or critical institutional data. A list of approved vendors is available on this website.)
Safeguards: Encrypt all inactive critical electronic data. For more ways to safeguard critical information, see the Knowlegde Base article Using computers and devices securely.
Retention: The potential for unauthorized disclosure increases with the length of time you retain information. Keep information, in any form, only as long as necessary. Federal and state law, and university practice, determine retention requirements. Consult with the office responsible for the information for current retention requirements, and monitor the University Records Management Schedules.
How to use your data in general
- Critical information is to be used only in conducting university business, and in ways consistent with furthering the university’s mission.
- Use critical information solely for the purpose for which it was collected.
- Never use information for personal gain or profit, the gain or profit of others, to satisfy curiosity, or to engage in academic, personal, or research misconduct.
- Immediately report any misuse of information to the appropriate authorities.
- Always log off or lock your workstation when you step away, even for a moment.
- Individual users are held accountable for their specific use of the data.
- Critical information may only be used by those whose positions explicitly require such access.
How to dispose of your data
All critical electronic and printed information assets must be disposed of securely. Secure electronic disposal means deleting information so that the data is not recoverable. Never discard or leave any critical information where it may be accessible to the public.
Deletion is not enough. Most methods of deleting files from hard drives only remove pointers to the actual file—the information, itself, remains. Most system and hard drive reformatting utilities do not remove the information, either.
If you are still actively using the hard drive and are deleting small amounts of critical information (such as a column of SSNs in an old spreadsheet), normal deletion methods are fine, if you empty the trash (or recycling) folder.
If you are disposing of a hard drive or any storage media, IU policy requires wiping or destroying it first.
Disk wiping utilities: For utilities that securely wipe hard drives/storage media, check with your computing support professional, or see: Securely wipe disk drives.
Hard drive destruction: Destroying the hard drive/storage media is most effective, according to the Disposal, Wiping, & Shredding" page.
Shredding Paper: A list of approved document destruction vendors is available on our Disposal, Wiping, & Shredding page.
How to share or send your data
Transferring files from computer to computer (and person to person) is a common occurrence. Perhaps you need to send a class roster spreadsheet to an office assistant or a document containing a grant proposal to a colleague at another university. In each of these cases, it's important to know what options are available to get your file from point A to point B using a method appropriate for the data being transferred.
Transmission by hand
Use reliable transport or couriers. See the Media Disposal Guide for a list of approved couriers. Verify the identity of couriers prior to providing info to them. Protect information from unauthorized disclosure or modification during transit (for example, use locked containers or tamper-evident packaging). Always require a signature from the recipient. Provide a full address for the recipient—not a P.O. Box. Keep your shipping documentation, including the tracking number. Follow up to ensure the information made it to the intended recipient.
Electronic transmission
Encrypt while in transit using Secure Share or Office Message Encryption (OME). If you cannot use an encrypted transit method, then encrypt the file itself prior to sending. When transmitting health information or payment card information, comply with PCI DSS or HIPAA as appropriate.
Websites must be secure and transmit information over a secure channel. For more information, see the Knowledge Base articles about vulnerability scanners and About secure websites and SSL/TLS certificates.
When used for research purposes, websites may need to comply with the Health Insurance Portability and Accountability Act (HIPAA), CFR part 11: Electronic Records/Signatures (for FDA related research), or the Federal Information Security Modernization Act (FISMA).
Learn about other methods of transferring data securely.
Notes About This Data
Outstanding items are escheated to state governments based on the last known address of payee and the respective state's statute regarding unclaimed property.
Laws and Regulations
Freedom of Information Act (FOIA)
Other US States and DC applicable unclaimed property laws
Storage Notes
[1] OnBase is not designed for files larger than 100 MB but is capable of handling them. If you have questions, contact the OnBase team.
[2] Secure Share files are automatically deleted 30 days after you upload them. If you have a question or need help with Secure Share contact your campus Support Center.
[3] Some services approved for storing data containing PHI are not approved for storing other institutional data classified as Critical. Consequently, some HIPAA-capable systems have "Restricted" listed as the most sensitive institutional data classification allowed, even though they're capable of storing PHI (which is classified as Critical). If you need help determining the most sensitive institutional data classification allowed on any UITS service, contact the University Information Policy Office (UIPO).
[4] For the most current pricing information, go to Rates and costs of UITS services.
[5] You can use storage on virtual machines as raw space or for file storage within an operating system. For service details, see Virtual Systems.
[6] You can purchase data protection services on a gigabyte-per-year basis and additional storage capacity on a per-gigabyte basis.
[7] For the most current pricing information, go to Rates and costs of UITS services, click to open the current-year "Rates for Direct-bill Services" document for your campus, and then browse that document to find information about "Intelligent Infrastructure Services". If you have a question or need help, contact UITS Storage and Virtualization.
[8] All visualization systems have local storage areas, but they are not backed up and are purged regularly. Before each working session, you must import all data and program files from a long-term storage medium, and transfer them back to long-term storage when you're finished. All visualization systems have USB support and are connected to the IU network, so you can use long-term storage media, such as USB (flash or magnetic) drives, and network-enabled storage services, such as the Scholarly Data Archive. If you have questions, contact the AVL.