Version 1.3

Author


Duke University IT Security Office (ITSO)

Duke Health Information Security Office (ISO)

Authority


Duke University Chief Information Security Officer

Duke Health Chief Information Security Officer

Determining the Nature of the Data


Questions to Consider

Are you storing Sensitive data elements (for example, ePHI, Social Security Numbers, DMCA, PCI DSS or FERPA data)?

Important

See the Duke Data Classification Standard for the definitions of Sensitive, Restricted, and Public data.

Use of Duke Services


Selecting a Duke Service Depending on Data Classification

The following chart outlines which Duke services meet the minimum security requirements for use with Sensitive, Restricted and Public data. (Staff can also use the SecureIT decision tree tool.) Duke faculty, students and staff should be aware that there may be institutional, legal, regulatory and contractual obligations that require the use of specific storage options. For example:

All users of the solutions and services that store Duke data must adhere to the following:

  • Use only for the approved intended use.
  • Store only the information you need or plan to use.
  • Provide access only to authorized or approved individuals; remove access immediately when no longer needed.
  • Do not provide public or broad access to data without institutional approval.
  • Retain data only as long as it is needed, or in accordance with Duke retention requirements.

Duke University

Duke University: Selecting a Duke Service Depending on Data Classification
Service | Public Data | Restricted Data | Sensitive Data

Duke OIT CIFS/NFS Home Drive Service
Duke OIT & Departmental File Shares

Image
No
Duke University Protected Network
Duke University Protected Research Data Network (PRDN)
Image
No
Duke Compute Cluster
Image
No
Duke University Sharepoint
Duke University Tableau Instance
Duke DOCR REDCap
Duke's Wiki
Image
No
Sites@Duke
Image
No

Duke Health

Duke Health: Selecting a Duke Service Depending on Data Classification
Service | Public Data | Restricted Data | Sensitive Data
DHTS Home Drive Service
Image
No
Duke Health Network Storage
Duke Health CITRIX VDI
Image
No
Duke Health Protected Analytics Compute Environment (PACE)
Image
No
Duke Health SharePoint
Duke Health Tableau Instance
Duke DOCR REDCap
Duke’s Wiki
Image
No
Sites@Duke
Image
No

 

Use of Cloud Services


Selecting a Cloud Service Depending on Data Classification

The following chart outlines which Duke services are appropriate for use with Sensitive, Restricted, and Public data.

Duke University

Duke University: Selecting a Cloud Service Depending on Data Classification
Service | Public Data | Restricted Data | Sensitive Data
Duke's Box Service 1 | Yes | Yes | Yes
Duke's Qualtrics Service | Yes | Yes | Yes
Duke's Microsoft OneDrive Service 1 | Yes | Yes | Yes
Duke's Microsoft Teams 1, 2 | Yes | Yes | Yes
Duke's Jabber | Yes | Yes | Yes
Duke's Zoom 3 | Yes | Yes | Yes
Duke's WebEx 3
Image
Yes
Image
Yes
Duke University Adobe Sign 4
Cloud tenants (including Amazon Web Services, Azure, Google Cloud Platform)
Image
No
Image
No

1 No ITAR or PCI related data may be stored on Box or Microsoft Office 365.  For additional details see: https://box.duke.edu/security-and-usage/

2 If the Team will be used to share Sensitive Data, the Team must be set to Private not Public.

3 For Duke Health, only Duke Zoom Telehealth may be used for clinical purposes to see patients or exchange Protected Health Information (PHI). Duke Zoom (non-Telehealth) and Duke's WebEx may be used for classes and meetings. Any meeting with the possibility of PHI may not be recorded. Sensitive information may be discussed during a live Zoom meeting when recording is not in use but should not be recorded, typed into a chat session or otherwise stored within Zoom. 

4 Specific guidelines exist for the use of Adobe Sign. For more see General Information and License Restrictions. Note: All Health side access for Adobe Sign must be approved and provisioned by DHTS Web Services.

 

Duke Health

Duke Health: Selecting a Cloud Service Depending on Data Classification
Service | Public Data | Restricted Data | Sensitive Data
Duke's Box Service 1
Duke's Qualtrics Service
Duke's Microsoft OneDrive Service 1
Duke's Microsoft Teams 1, 2
Duke's Jabber
Duke's Zoom Telehealth 3 
Duke's WebEx 3
Duke Health Adobe Sign 4
Cloud tenants (including Amazon Web Services, Azure, Google Cloud Platform)
Image
No
Image
No

1 No ITAR or PCI related data may be stored on Box or Microsoft Office 365.  For additional details see: https://box.duke.edu/security-and-usage/

2 If the Team will be used to share Sensitive Data, the Team must be set to Private not Public.

3 For Duke Health, only Duke Zoom Telehealth may be used for clinical purposes to see patients or exchange Protected Health Information (PHI). Duke Zoom (non-Telehealth) and Duke's WebEx may be used for classes and meetings. Any meeting with the possibility of PHI may not be recorded. Sensitive information may be discussed during a live Zoom meeting when recording is not in use but should not be recorded, typed into a chat session or otherwise stored within Zoom. 

4 Specific guidelines exist for the use of Adobe Sign. For more see General Information and License Restrictions. Note: All Health side access for Adobe Sign must be approved and provisioned by DHTS Web Services.

Duke University

Use of Duke Services

Duke University: Selecting a Duke Service Depending on Data Classification
Service | Public Data | Restricted Data | Sensitive Data
Duke OIT CIFS/NFS Home Drive Service | Yes | Yes | No
Duke OIT & Departmental File Shares | Yes | Yes | No
Duke University Protected Network | No | Yes | Yes
Duke University Protected Research Data Network (PRDN) | No | Yes | Yes
Duke Compute Cluster | Yes | Yes | No
Duke University Sharepoint | Yes | Yes | Yes
Duke University Tableau Instance | Yes | Yes | Yes
Duke DOCR REDCap | Yes | Yes | Yes
Duke's Wiki
Image
Yes
Image
No
Sites@Duke
Image
No

Use of Cloud Services

Duke University: Selecting a Cloud Service Depending on Data Classification
Service | Public Data | Restricted Data | Sensitive Data
Duke's Box Service 1
Duke's Qualtrics Service
Duke's Microsoft OneDrive Service 1
Duke's Microsoft Teams 1, 2
Duke's Jabber
Duke's Zoom 3 
Duke's WebEx 3
Duke University Adobe Sign 4
Cloud tenants (including Amazon Web Services, Azure, Google Cloud Platform)
Image
No
Image
No

1 No ITAR or PCI related data may be stored on Box or Microsoft Office 365.  For additional details see: https://box.duke.edu/security-and-usage/

2 If the Team will be used to share Sensitive Data, the Team must be set to Private not Public.

3 For Duke Health, only Duke Zoom Telehealth may be used for clinical purposes to see patients or exchange Protected Health Information (PHI). Duke Zoom (non-Telehealth) and Duke's WebEx may be used for classes and meetings. Any meeting with the possibility of PHI may not be recorded. Sensitive information may be discussed during a live Zoom meeting when recording is not in use but should not be recorded, typed into a chat session or otherwise stored within Zoom. 

4 Specific guidelines exist for the use of Adobe Sign. For more see General Information and License Restrictions. Note: All Health side access for Adobe Sign must be approved and provisioned by DHTS Web Services.

 

Duke Health

Use of Duke Services

Duke Health: Selecting a Duke Service Depending on Data Classification
Service | Public Data | Restricted Data | Sensitive Data
DHTS Home Drive Service | Yes | Yes | No
Duke Health Network Storage | Yes | Yes | Yes
Duke Health CITRIX VDI | Yes | Yes | No
Duke Health Protected Analytics Compute Environment (PACE) | No | Yes | Yes
Duke Health SharePoint | Yes | Yes | Yes
Duke Health Tableau Instance | Yes | Yes | Yes
Duke DOCR REDCap | Yes | Yes | Yes
Duke’s Wiki | Yes | Yes | No
Sites@Duke
Image
No

 

Use of Cloud Services

Duke Health: Selecting a Cloud Service Depending on Data Classification
Service | Public Data | Restricted Data | Sensitive Data
Duke's Box Service 1
Duke's Qualtrics Service
Duke's Microsoft OneDrive Service 1
Duke's Microsoft Teams 1,2
Duke's Jabber
Duke's Zoom Telehealth 3 
Duke's WebEx 3
Duke Health Adobe Sign 4
Cloud tenants (including Amazon Web Services, Azure, Google Cloud Platform)
Image
No
Image
No

1 No ITAR or PCI related data may be stored on Box or Microsoft Office 365.  For additional details see: https://box.duke.edu/security-and-usage/

2 If the Team will be used to share Sensitive Data, the Team must be set to Private not Public.

3 For Duke Health, only Duke Zoom Telehealth may be used for clinical purposes to see patients or exchange Protected Health Information (PHI). Duke Zoom (non-Telehealth) and Duke's WebEx may be used for classes and meetings. Any meeting with the possibility of PHI may not be recorded. Sensitive information may be discussed during a live Zoom meeting when recording is not in use but should not be recorded, typed into a chat session or otherwise stored within Zoom. 

4 Specific guidelines exist for the use of Adobe Sign. For more see General Information and License Restrictions. Note: All Health side access for Adobe Sign must be approved and provisioned by DHTS Web Services.