March 25, 2022 Update: The “Data Scopes, Categories and Elements” section provides help for how to classify IT Configuration Items (CIs).
May 9, 2021 Update: This page is a major revision and reflects updates to the REG 08.00.03 Data Management Regulation, which describes the scope, general and personal use, regulatory and institutional obligations, and consequences for violating what constitutes the acceptable use of Information Technology (IT) resources at North Carolina State University (hereinafter referred to as “university” or NC State).
NOTE: The REG 08.00.03 Data Management Regulation and this page will be continuously improved throughout FY2021-22, and its significant updates will be announced here.
The NC State Data Management Framework (DMF) serves the following purposes:
- Helps clarify the REG 08.00.03 Data Management Regulation so that all university data users can maintain full compliance at all times. Protecting university data from theft, compromise, and inappropriate use requires all data users to be fully compliant with REG 08.00.03.
- Provides the information to help all university data users safeguard data throughout all phases of the data life cycle (collection or creation, use and modification, storage, and finally destruction) while providing all university data users with the ability to carry out their work as securely as necessary.
CAUTION: Remember — every time you store or share sensitive data, it’s your responsibility to fully comply with the NC State DMF guidelines provided on this page.
How Do I Keep My Data Safe?
Keeping your data safe isn’t a one-size-fits-all solution.
To help communicate the types of data we have at NC State, and how to keep each type of data safe, the university created the NC State Data Management Framework (DMF). Within this framework or set of systemic rules, university data is classified based on level of risk. Once you know what classification level your data is, you can learn how to safely store and protect it.
If You Don’t Need It…
As you read through the DMF guidelines, you will realize it is always a best practice to collect and store only the data that is absolutely necessary to support business processes and activities that support the university mission. For example, if you don’t need social security numbers, date of birth, or any particular type of sensitive data, do not collect or store them.
Governance is the framework of processes and structures specifying who makes decisions, how decisions are implemented, who is held responsible, and more.
To manage university data use and ensure accuracy, privacy, security, compliance, and more, the following entities comprise the established data governance structure for the university:
- Data Governance Steering Committee — Serves as the advisory body for the university and helps set data policy and strategy, supports alignment with university-wide strategic plans for data management, and resolves issues related to data use and exchange across the university.
- Data Governance Working Group — Helps facilitate the implementation of data policy, develops unified data definitions and common use standards, and manages processes to support the campus mission and goals.
- NC State Cybersecurity Program — Addresses cybersecurity threats such as phishing attacks, which not only attempt to steal NC State’s data and interrupt its business processes but also threaten the university’s ability to deliver core functions of teaching, research, and outreach. Cybercriminals and hackers are organized in their efforts to penetrate campus defenses, by many measures.
The distributed nature of the university data environment adds more complexities to the fight against cyber attacks. In addition, NC State has a myriad of external compliance mandates that dictate the security controls that must be implemented to protect all types of data.
The NC State Information Security Program provides oversight and guidance for the security of the university’s systems and data in a manner consistent with industry best practices and NC State’s compliance obligations. The DMF serves as one of the many pieces of the NC State cybersecurity program.
To learn more, visit Information Security Program at NC State.
The Chancellor is the primary authority for data governance at NC State. To support consistency across the university, data trustees, data stewards, data managers, and data custodians are delegated or assigned responsibility for the management of all university data. All of their decisions must be made in the interest of the university’s mission and goals.
Data users comprise the superset of everyone who accesses, modifies, or stores university data; this includes data trustees, data stewards, data managers, and data custodians. Every data user plays a critical role in ensuring the protection of university data and must comply with all IT policies, regulations, and rules as a condition for being granted access to university data.
Data users include but are not limited to the following categories:
- Employees and students
- Contractors and vendors
- Visiting scientists and scholars
- Partners and stakeholders
Data trustees are designated as the oversight authority with responsibility for the university data related to the university functions managed and administered by the units and personnel who report to them. Each data trustee assigns one or more data stewards with responsibility for all university data elements managed within the data trustee’s authority and area of responsibility.
NC State data trustees are as follows
- Executive Vice Chancellor and Provost
- Vice Chancellor for Finance and Administration
- Vice Chancellor and Dean for the Division of Academic and Student Affairs
- Vice Chancellor for University Advancement
- Vice Chancellor for Research and Innovation
- Vice Chancellor and General Counsel
- Vice Chancellor for Information Technology
- Director of Athletics
- Vice Chancellor for External Affairs, Partnerships and Economic Development
- Vice Chancellor for Institutional Equity and Diversity
- Chief Communications Officer and Associate Vice Chancellor of University Communications
Data stewards are responsible and accountable for the confidentiality, integrity, and availability of university data within their business or mission.
Data steward responsibilities include:
- Ensuring that the proper levels of security and protection measures are implemented.
- Granting access and use of data within the categories assigned to them.
- Determining classification levels for university data — basing classification levels on risk levels — that is, the level of impact that the data loss or unauthorized disclosure would have on NC State.
- Factoring in the following risk types for determining data classification levels: strategic, reputational, financial, operational, compliance, and hazards.
Data stewards assign specific data management responsibilities to data managers because of their knowledge and positions at the operational level.
Data Manager responsibilities include:
- Managing access rights to the data they oversee
- Delegating specific custodial responsibilities for each data subset within their area of authority
Data managers may include:
- IT directors
- Other program directors
- Team leads
- Support staff and administrators
Data custodians are responsible for verifying that all operational requirements are met by the current data security controls configuration of a particular university data environment, system, application, software, or tool. In coordination with the data managers, data custodians ensure that all data protection controls required as part of the DMF are planned, implemented, supported, and tested.
Data custodians may include:
- IT support staff
- Systems administrators
- Database administrators
- Security administrators
The NC State DMF classifies data into the following levels, each of which has unique cybersecurity requirements as defined in REG 08.00.03, Data Management Regulation:
- Ultra-sensitive (purple)
- Highly sensitive (red)
- Moderately sensitive (yellow)
- Not sensitive (green)
Endpoints versus IT Infrastructure
The cybersecurity controls vary depending on whether they are for endpoints such as desktops, laptops, smartphones, tablets and so forth — or IT infrastructure such as multi-user applications, servers, storage platforms, and other multi-user systems.
To learn more, see the following NC State rules:
- RUL 08.00.18 – Endpoint Protection Standard — for endpoints such as desktops, laptops, smartphones, tablets, and so forth:
- For university-owned endpoints, see Table 1.
- For endpoints not owned by the university (such as personally owned devices), see Tables 2 and 3.
- RUL 08.00.16 – NC State University Security Standards for Sensitive Data and System — for IT infrastructure such as multi-user applications, servers, storage platforms, and other multi-user systems
Data Classification DescriptionsWhen determining data classification levels, the university must factor in the following risk types: strategic, reputational, financial, operational, compliance and hazard.
Ultra-sensitive or Purple Data
Ultra-sensitive data includes data where unauthorized disclosure or loss poses the highest risk or impact to the university or its affiliates or where specific data categories require special privileged access management. Examples include social security numbers, passwords, encryption keys, and biometrics (such as fingerprints and iris scans).
Additional access and handling requirements are required for Ultra-sensitive data because it may be impossible to repair damage caused by its unauthorized disclosure.
Highly Sensitive or Red Data
Highly sensitive data includes data where unauthorized disclosure or loss poses a high risk or impact to the university or its affiliates. Examples include driver’s license, mother’s maiden name, passport, and immigration number.
Moderately Sensitive or Yellow Data
Moderately sensitive data includes data where unauthorized disclosure or loss poses a moderate to low risk or impact to the university or its affiliates. Examples include date of birth, race, gender, and transcripts.
Data that is created or collected within the university’s data environment without having been classified by the data stewards must be controlled at a minimum as moderately sensitive/yellow until final classification is assigned.
Not Sensitive or Green Data
Not Sensitive data includes data where unauthorized disclosure or loss poses a low risk or impact to the university or its affiliates. This information may be disclosed to individuals regardless of their university affiliation. Minimal security measures are needed to control the unauthorized modification, use, or destruction of this data.
Each individual’s or department’s data needs to be compartmentalized into the following hierarchy, from the top down, scope → category → element.
A data scope is the highest level of organized data managed by the university’s data trustees.
Examples of a data scope include: Personal, Student, Employee, Finance, Athletics, Advancement, Legal, Research, Environmental Health & Safety, and Public Safety.
A data category consists of more than a single data element (for example. a medical record typically contains a name, mailing address, age, and other components — possibly an ultra-sensitive element such as a social security number). The overarching data classification for the category will match the most sensitive element that it contains. Assigning the appropriate data classification level is typically the data steward’s responsibility, sometimes in consultation with others.
A data element consists of only one item of information (such as a name, mailing address, social security number and so forth). Most of the data elements used at the university are data fields that comprise a data element (for example, a form such as an I-9 or W-2) or system (such as an Excel database).
Remember — a large portion of university data may be in the form of public records that are created or received in connection with public university business activities as a state entity. Specific requirements related to storage, retention, destruction, and disclosure do apply to those records. Requirements apply regardless of the form of data, (films, audiotapes, photographs, computer files texts, email, and so forth).
To learn more about public records, visit the OGC site.
Data Security Awareness training is an annual requirement for all NC State employees and student workers that includes up-to-date tactics for counteracting and preventing current cybercriminals attacks as well as a high-level overview of the Data Management Framework.
Learn more at: Data Security Training.
Stay aware and armed at all times against cybersecurity threats by frequently checking in with the NC State Security Awareness website.
OIT Security and Compliance (OIT S&C) must assess the security of all IT purchases that access, store, or modify the university’s ultra-sensitive (purple) data or highly sensitive (red) data.
Such purchases may include software, web-based applications, Software as a Service (SaaS), cloud hosting, network and storage solutions, and any IT solution that costs $5,000 or more.
NOTE: Regardless of cost, OIT S&C must review all IT purchases intended for processing data that is purple, HIPAA, PCI, or ITAR.
Effective cybersecurity requires partnership and some integration of business, security, and technical layers across the institution to implement consistent standards and controls campuswide. As such, NC State University must respond to ongoing pressure from the overarching UNC System and external entities such as industry partners, government, and healthcare.
In response to such ongoing demands, the university is transitioning from IT security-centric to an all-encompassing cybersecurity approach to secure its data and assets.
The primary goal of each security assessment, as part of the initial purchasing and renewal processes, is to assure that all university data is protected.
For more details, visit IT Purchase Compliance.
NC State has many types of storage including but not limited to personal devices, university devices, managed storage, and departmental or local storage solutions. It is important to understand the security requirements for your data and its classification level in order to select the appropriate storage solution.
See the Data Storage Table for storage requirements based on classification level.
For more information on OIT storage solutions, visit Shared Services. To learn what is available within your department, consult your local IT group or contact email@example.com.
The disposition and disposal of data must be done in compliance with all legal, contractual, and university policies. Regulation 01.25.12 – University Record Retention and Disposition applies to all university personnel and covers all records, regardless of form, made or received, in connection with university business.
All physical data files or records containing moderately sensitive, highly sensitive, or ultra-sensitive data must be cross-shredded prior to disposal to prevent unauthorized access to sensitive university data.
Visit the following links for specific guidance on the proper disposal of digital data and equipment that contains university data:
NC State must meet its compliance obligations to many federal laws, state laws, and numerous industry and regulatory standards. Additionally, the UNC System Office has many requirements, internal policies, regulations and rules that obligate the university to maintain a data inventory.
Said obligations include but are not limited to:
- Federal and state laws:
- Federal Information Security Management Act (FISMA)
- Americans with Disabilities Act (ADA)
- Family Educational Rights and Privacy Act (FERPA)
- Freedom of Information Act
- Gramm Leach Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- NC ID Theft Protection Act
- NC Personnel Records Act
- U.S. Privacy Act
- Protection of Human Subjects
- Red Flags Rule
- Safeguards Rule
NOTE: The federal laws listed above originate from the U.S. Department of Defense (DoD), U.S. Department of Energy (DoE), National Institute of Health (NIH), National Science Foundation (NSF), and U.S. Department of Education (ED).
- Regulatory and Industry standards:
- UNC Systems Office requirements:
- NC State Policies, Regulations and Rules (PRRs):
- REG 11.00.01 – Family Educational Rights and Privacy (FERPA)
- REG 01.25.09 – Privacy/Confidentiality, Release and Security of Protected Health Information
- POL 08.00.01 Computer Use Policy and Regulation (REG 08.00.02)
- REG 08.00.03 – Data Management Regulation
- RUL 08.00.14 – System and Software Security Patching Standard
- RUL 08.00.16 – NC State University Security Standards for Sensitive Data and Systems
- RUL 08.00.17 – Cybersecurity Incident Response Procedure
- RUL 08.00.18 – Endpoint Protection Standard
access (accessing data). View, retrieve, alter, or create data.
availability. Timely and reliable access to and use of information and resources.
certification. Authoritative act of verifying the accuracy and authenticity of an assertion or credential.
compliance risk. Risk of the potential effect on university compliance with laws and regulations, student, faculty, and staff safety, environmental issues, litigation, conflicts of interest, privacy, contractual obligations, or university regulations and policies. Severity could include additional oversight, audits, or assessments.
confidentiality. Preservation of authorized restrictions on information access and disclosure to only those who need it and are authorized.
data access. Ability, right, or permission to access data (including collection, access, storage, and disposition). This includes software, hardware, peripherals, audio, printed and digital materials.
data access guidelines. Methodology and processes prescribed to manage access to university data as approved by data stewards and developed by data managers and supporting data custodians.
data category. High-level data classification or type of university data that requires specific security or privacy considerations.
data custodians. University employees responsible for verifying that all operational requirements are met by the current data security controls configuration of a particular university data environment, system, application, software, or tool.
data disposition. Act of disposing or transferring the care or possession of university data.
data element Basic unit of information having a unique meaning and subcategories (data items) of distinct value. Examples of data elements include gender, race, and geographic location.
data environment. Collection of computer systems and associated infrastructure devices, facilities, and people that support the storage, processing, or transmission of data supporting the university’s mission and business.
Data Management Framework (DMF). Set of rules; classification governance methodology for the management of university data allowing for the appropriate degree of protection to be applied consistently across the university based on identified threats, risks, and cybersecurity requirements.
data managers. Employees assigned specific data management responsibilities by data stewards because of their knowledge and position at the operational level.
data protection controls. Safeguards or countermeasures that are prescribed for protecting the confidentiality, integrity, and availability of university data.
data stewards. Employees responsible and accountable for the confidentiality, integrity, and availability of university data within their business or mission area.
data storage. Collective methods and technologies that capture and retain information.
data trustees Employees designated as oversight authority with responsibility for the university data related to the university functions managed and administered by the units or personnel who report to them.
endpoint. User computer or smart device used to access university data whether owned by the university or not. The term can refer to desktop computers, servers, laptops, smartphones, tablets, thin clients, printers or other specialized hardware such as Point of Sale terminals and smart meters.
financial risk. Risk of potential effect on the university due to loss or ability to acquire assets (for example, technology, donations, sales, funding, advancement activities) or costs associated with response and recovery of compromise, incident, or other events.
hazard risk. Risk of potential effect on university operations due to a man-made or natural event that could result in loss or damage to university assets including loss of confidentiality, integrity, and availability of resources (for example, sensitive and critical data, systems, equipment, and infrastructure).
impact. Magnitude of expected effects, disruption or consequences to the organization. The National Institute of Standards and Technology (NIST) impact scale measures impact as High, Moderate, and Low.
integrity. Protection of information from unauthorized modification or destruction, including information nonrepudiation and authenticity.
operational risk. Risk of potential effects on ongoing university management processes, or supporting procedures, to include effective and efficient use of university resources.
reputational risk. Risk of potential effects on the university’s reputation with stakeholders (for example, Board of Trustees, UNC System, state legislature, federal granting agencies, students, faculty, alumni, business partners, and state citizens).
sensitive data. Data that must be protected from unauthorized disclosure.
strategic risk. Risk of potential effects on the university that could prevent the university from meeting high-level university goals and objectives that align with or support the mission of the university.
store (data). Retrievable retention of data; entering data into or retaining data from electronic, electrostatic, or electrical hardware or other elements such as media.
university data. All information related to the business and mission of NC State existing in any form (such as software, hardware, peripherals, audio, printed, or digital) whether owned by the university or used by the university under contract with an external provider where NC State has custodial responsibility.