Restricted data should neither be stored on nor sent to, from or through any external service provider (ESP) unless one of the two following conditions has been met:
- the University has a contract with the ESP that specifically addresses such use of sensitive data, or
- encryption methods that meet the requirements of the University of Chicago Statement on Minimum Encryption Standards are implemented to protect this data.
Restricted data is defined in the Data Classification Guideline.
Definition of External Service Provider
An external service provider (ESP) is any Internet-based service not sourced from the University of Chicago network. Examples include:
- Consumer email services such as Yahoo!, live.com, or Google mail (outside of the University’s Google domain)
- Internet Service Providers such as Comcast and AT&T
- Web hosting and Web application providers, such as Amazon’s S3 or Google Apps (outside of the University’s Google domain)
- Services provided by other universities
- Application Service Providers, such as GEAC, Workbrain, or eBiz
Some people who have University email accounts also maintain private email accounts, in some cases forwarding messages sent to their University accounts to their private accounts. While it is recognized that it may be an inconvenience, it is important that University employees not forward messages pertaining to University business and containing sensitive data to accounts not managed by the University. Doing so may have significant legal consequences for both the University and the individual.
ONLINE DATA STORAGE
There are now several companies that offer an individual the ability to store their data and access it from “anywhere”, meaning your phone, PDA, laptop or desktop, no matter where these devices happen to be at any given time. Examples of such services are Apple’s MobileMe (formerly .Mac) and Pro SoftNet’s iDrive. Unless the University has specifically contracted for the use of one of these services and the contract specifically addresses storing, retrieving and deleting of sensitive data, these services should not be used for any machine that may be used for the storage, transmission or retrieval of sensitive data.
The use of Web applications is a quickly growing phenomenon and companies such as Google are currently offering tools and applications to serve a variety of needs, including collaboration, calendaring and messaging. Unless the University has specifically contracted for the use of one of these services and the contract specifically addresses storing, retrieving and deleting of sensitive data, these applications should not be used for University business where sensitive data may be involved.
If you have any questions about this policy or how it may apply to your usage, please contact IT Security at email@example.com or 773.702.2378.