Data is a critical asset of the university. It is the policy of the University of Central Florida to classify types of data in use at the university and to provide the appropriate levels of information security and protection.

University Data falls into three classifications: Highly Restricted Data, Restricted Data, and Unrestricted Data. UCF Policy 4-008 further details the classifications and the procedures for properly storing, handling, and protecting University Data. The Data Classification Matrix below illustrates where it is appropriate to store UCF Data electronically.

Please refer to UCF Policy 4-008 for full details and contact UCF InfoSec if you have any questions or concerns about how to protect University Data.

Data Classification Matrix

Data Classification | Examples | Approved Storage | Additional Requirements
Highly Restricted
  • Government Identification Numbers
  • Financial Account Numbers
  • Credentials
    • Usernames & Passwords
  • Health Information
    • HIPAA
  • Payment Card Industry (PCI) Data
  • Federally Protected Data
    • Controlled Unclassified Information (CUI)
  • Protected University Employee Data
  • GLBA "Nonpublic Personal Information"
UCF sanctioned internet cloud data storage systems
  • OneDrive for Business
  • Microsoft Teams
  • DropBox Advanced
  • Must not be stored in personally-owned data storage accounts.
  • Access controls must be in place.
  • CUI data must be encrypted following DFARS standards.
  • File-level encryption recommended.
  • Protect with Multi-Factor Authentication.
University-provided email system
  • Must be encrypted before sending via email. It is recommended that passwords are sent through alternate lines of communication.
  • Though acceptable, this method is not preferred over the other methods listed here.
Secure UCF Server
  • Server must be intended for highly restricted data, and at a minimum meet relevant University Security Standards.
  • Employ full-disk encryption.
  • File-level encryption is required anytime data is exported, saved, downloaded, or copied from these systems.
UCF-Owned End User Devices
  • Laptops* and Desktops
  • Mobile Devices*

*When stored on these devices, the data must have file-level encryption with access protected by a strong password (in addition to the full-disk encryption).
  • Legitimate business reason required.
  • Must be a university-owned and managed device.
  • Full-Disk encryption required.
  • Access controls must be in place.
Restricted
  • Business Sensitive Data
  • Proprietary Intellectual Property
  • FERPA: Personally Identifiable Information (PII)
  • FERPA: Academic Records
  • FERPA: Other
    • Student Email Address
    • Student ID Photos
  • Network and Systems Data
    • UCF NID
    • IP Addresses and other system information
  • Other Data Protected by Law or Regulation
Any approved storage for Highly Restricted or Restricted Data
UCF-owned workstations or mobile devices
  • Must be protected by a strong password and use full disk encryption. File level encryption is recommended.
University-provided email system
  • May be sent to users who are within a university-provided email system (e.g., UCF Exchange, Knights email, Webcourses@UCF).
  • May be sent to authorized recipients who use external email systems if encrypted using Office 365 Email Encryption.
Unrestricted
  • Employee Data
    • Employee Names
    • Date of Hire
    • Rate of Pay
    • Title
    • Office Address
    • Phone Number
  • UCFID
  • FERPA: Directory Information
    • Note: Directory information can be released without consent, unless the student has opted to withhold the release of their data.
Any storage approved for Restricted or Highly Restricted Data
Can be posted on any public website, blog, or other publicly-accessible Internet site.