Data Security Quick Guide

Level I (Confidential)

Level I data is the most sensitive data we handle, which can cause potentially severe damage to the CSU, its students, its employees, or its customers if breached.

Examples of Level I data*:

  • Username or email address, in combination with a password or security question/answer that would permit access to an online account
  • Birth date combined with the last four digits of SSN and name
  • Credit card numbers with cardholder name
  • Tax ID with name
  • Driver’s license number, state identification card, and other forms of national/ international identification (such as passports, visas, etc.) in combination with name
  • Social Security number and name
  • PINs (Personal Identification Numbers)
  • Medical records related to an individual (also including information about disabilities, limitations, injuries, and health insurance information)

* This list is incomplete and describes the most common examples. See below for additional resources.

How to protect Level I data:

  • Never send through email
  • Never store in Google Drive
  • Never store on any other unapproved cloud service such as Dropbox
  • Never store on the SSU-beta file server (check with the IT Help Desk for more info)
  • Never store on an unencrypted flash drive or external drive
  • Must be encrypted when transported over the network, and should be encrypted whenever possible during storage
  • Must only be stored or accessed using University owned and managed equipment
  • Must be accessed using multifactor authentication
  • May only be accessed by users with a legitimate business use for the data

Level I data may be:

  • Stored on drives with full disk encryption, including flash drives
  • Stored in OnBase
  • Transmitted using MoveIt Transfer
  • Stored on the SSU-Alpha fileserver (check with the IT Help Desk for more info)

Level II (Internal User)

Level II data must be protected due to proprietary, ethical, contractual, or privacy considerations.

Examples of Level II data*:

  • Identity Validation Keys (name with)
    • Birth date (full: mm-dd-yy)
    • Birth date (partial: mm-dd only)
  • Photo (taken for identification purposes)
  • Student Information-Educational Records not defined as “directory” information, typically:
    • Grades
    • Courses taken
    • Schedule
    • Test Scores
    • Advising records
    • Educational services received
    • Disciplinary actions
    • Student photo
  • Library circulation information

* This list is incomplete and describes the most common examples. See below for additional resources.

Level II data may be:

  • Only accessed by users with a legitimate business use for the data
  • Sent through email
  • Stored in Google Drive
  • Stored on the SSU-beta or SSU-alpha file servers 
  • Stored on an unencrypted flash drive or external drive
  • Stored on drives with full disk encryption, including flash drives
  • Stored in OnBase
  • Transmitted using MoveIt Transfer

Level III (General)

Level III (General) data may be shared publicly, if the University chooses to do so.

Resources for additional information regarding ALL Level data: