Version 1.3
Author
Duke University IT Security Office (ITSO)
Duke Health Information Security Office (ISO)
Authority
Duke University Chief Information Security Officer
Duke Health Chief Information Security Officer
Determining the Nature of the Data
Questions to Consider
Are you storing Sensitive data elements (for example, ePHI, Social Security Numbers, DMCA, PCI DSS or FERPA data)?
Important
See the Duke Data Classification Standard for the definitions of Sensitive, Restricted, and Public data.
Use of Duke Services
Selecting a Duke Service Depending on Data Classification
The following chart outlines which Duke services meet the minimum security requirements for use with Sensitive, Restricted and Public data. (Staff can also use the SecureIT decision tree tool.) Duke faculty, students and staff should be aware that there may be institutional, legal, regulatory and contractual obligations that require the use of specific storage options. For example:
- ITAR and PCI-related data always require Security Office consultation before use.
- FERPA: Consult with the Registrar’s Office.
- FISMA and Veterans Administration: PACE is required storage. REDCap is not allowed.
- Social Security Numbers: Collection requires an institutional exception.
- GDPR: Consult with the Privacy Office for allowable options.
- Duke Health non-consented clinical research data: PACE is required storage.
All users of the solutions and services that store Duke data must adhere to the following:
- Use only for the approved intended use.
- Store only the information you need or plan to use.
- Provide access only to authorized or approved individuals; remove access immediately when no longer needed.
- Do not provide public or broad access to data without institutional approval.
- Retain data only as long as it is needed, or in accordance with Duke retention requirements.
Duke University
Service | Public Data | Restricted Data | Sensitive Data |
---|---|---|---|
Duke OIT CIFS/NFS Home Drive Service | Image | | |
Duke University Protected Network / Duke University Protected Research Data Network (PRDN) | Image | | |
Duke Compute Cluster | Image | | |
Duke University SharePoint | | | |
Duke University Tableau Instance | | | |
Duke DOCR REDCap | | | |
Duke's Wiki | Image | | |
Sites@Duke | Image | | |
Duke Health
Service | Public Data | Restricted Data | Sensitive Data |
---|---|---|---|
DHTS Home Drive Service | Image | | |
Duke Health Network Storage | | | |
Duke Health CITRIX VDI | Image | | |
Duke Health Protected Analytics Compute Environment (PACE) | Image | | |
Duke Health SharePoint | | | |
Duke Health Tableau Instance | | | |
Duke DOCR REDCap | | | |
Duke’s Wiki | Image | | |
Sites@Duke | Image | | |
Use of Cloud Services
Selecting a Cloud Service Depending on Data Classification
The following chart outlines which Duke services are appropriate for use with Sensitive, Restricted, and Public data.
Duke University
Service | Public Data | Restricted Data | Sensitive Data |
---|---|---|---|
Duke's Box Service 1 | Image | Image | Image |
Duke's Qualtrics Service | Image | Image | Image |
Duke's Microsoft OneDrive Service 1 | Image | Image | Image |
Duke's Microsoft Teams 1, 2 | Image | Image | Image |
Duke's Jabber | Image | Image | Image |
Duke's Zoom 3 | Image | Image | Image |
Duke's WebEx 3 | Image | Image | |
Duke University Adobe Sign 4 | | | |
Cloud tenants (including Amazon Web Services, Azure, Google Cloud Platform) | Image | Image | |
1 No ITAR or PCI-related data may be stored on Box or Microsoft Office 365. For additional details see: https://box.duke.edu/security-and-usage/
2 If the Team will be used to share Sensitive Data, the Team must be set to Private, not Public.
3 For Duke Health, only Duke Zoom Telehealth may be used for clinical purposes to see patients or exchange Protected Health Information (PHI). Duke Zoom (non-Telehealth) and Duke's WebEx may be used for classes and meetings. Any meeting with the possibility of PHI may not be recorded. Sensitive information may be discussed during a live Zoom meeting when recording is not in use but should not be recorded, typed into a chat session or otherwise stored within Zoom.
4 Specific guidelines exist for the use of Adobe Sign. For more, see General Information and License Restrictions. Note: All Health side access for Adobe Sign must be approved and provisioned by DHTS Web Services.
Duke Health
Service | Public Data | Restricted Data | Sensitive Data |
---|---|---|---|
Duke's Box Service 1 | | | |
Duke's Qualtrics Service | | | |
Duke's Microsoft OneDrive Service 1 | | | |
Duke's Microsoft Teams 1, 2 | | | |
Duke's Jabber | | | |
Duke's Zoom Telehealth 3 | | | |
Duke's WebEx 3 | | | |
Duke Health Adobe Sign 4 | | | |
Cloud tenants (including Amazon Web Services, Azure, Google Cloud Platform) | Image | Image | |
Duke University
Use of Duke Services
Service | Public Data | Restricted Data | Sensitive Data |
---|---|---|---|
Duke OIT CIFS/NFS Home Drive Service | Image | Image | Image |
Duke OIT & Departmental File Shares | Image | Image | Image |
Duke University Protected Network | Image | Image | Image |
Duke University Protected Research Data Network (PRDN) | Image | Image | Image |
Duke Compute Cluster | Image | Image | Image |
Duke University SharePoint | Image | Image | Image |
Duke University Tableau Instance | Image | Image | Image |
Duke DOCR REDCap | Image | Image | Image |
Duke's Wiki | Image | Image | |
Sites@Duke | Image | | |
Use of Cloud Services
Service | Public Data | Restricted Data | Sensitive Data |
---|---|---|---|
Duke's Box Service 1 | | | |
Duke's Qualtrics Service | | | |
Duke's Microsoft OneDrive Service 1 | | | |
Duke's Microsoft Teams 1, 2 | | | |
Duke's Jabber | | | |
Duke's Zoom 3 | | | |
Duke's WebEx 3 | | | |
Duke University Adobe Sign 4 | | | |
Cloud tenants (including Amazon Web Services, Azure, Google Cloud Platform) | Image | Image | |
Duke Health
Use of Duke Services
Service | Public Data | Restricted Data | Sensitive Data |
---|---|---|---|
DHTS Home Drive Service | Image | Image | Image |
Duke Health Network Storage | Image | Image | Image |
Duke Health CITRIX VDI | Image | Image | Image |
Duke Health Protected Analytics Compute Environment (PACE) | Image | Image | Image |
Duke Health SharePoint | Image | Image | Image |
Duke Health Tableau Instance | Image | Image | Image |
Duke DOCR REDCap | Image | Image | Image |
Duke’s Wiki | Image | Image | Image |
Sites@Duke | Image | | |
Use of Cloud Services
Service | Public Data | Restricted Data | Sensitive Data |
---|---|---|---|
Duke's Box Service 1 | | | |
Duke's Qualtrics Service | | | |
Duke's Microsoft OneDrive Service 1 | | | |
Duke's Microsoft Teams 1, 2 | | | |
Duke's Jabber | | | |
Duke's Zoom Telehealth 3 | | | |
Duke's WebEx 3 | | | |
Duke Health Adobe Sign 4 | | | |
Cloud tenants (including Amazon Web Services, Azure, Google Cloud Platform) | Image | Image | |