Cyber Safety

Secure Data Storage and Transfer

Protect What Matters: Classifying and Securing CSUF’s Sensitive Information


Sensitive Data Storage Best Practices

As an employee of California State University Fullerton, you are responsible for all university data that is sent, stored, or shared on all personal or university-owned devices that you use. Part of this responsibility includes choosing appropriate technology to manage and store the data, some of which may be confidential or restricted.
We have multiple options for data storage, from university servers to cloud-based services, but not all options are appropriate for all types of data. To help you choose the proper solutions for your university data, we've developed a matrix that outlines what can be stored where.

At CSUF, safeguarding sensitive data is a top priority. The CSU Information Security Data Classification Standard defines how data should be categorized and protected based on its sensitivity and potential impact if exposed. This classification helps guide decisions about where data can be stored, who can access it, and what security measures must be in place.

 

Important: CSUF data must never be stored in personal consumer accounts such as Gmail (e.g., jdoe@gmail.com), Dropbox, or other non-CSUF-managed platforms.

 

Data Classification Levels

CSUF follows the CSU system-wide classification model, which includes three levels of data sensitivity:

 

Protected Level 1 (PL-1) - Confidential

This data requires the highest level of protection due to legal, regulatory, or contractual obligations. Unauthorized access could result in significant harm to individuals or the university.

Examples include:

  • HIPAA: Electronic Personal Health Information (ePHI), health insurance data
  • PII: Name combined with SSN, passport number, visa details
  • GLBA: Name with financial records, bank account details, tax returns
  • PCI-DSS: Credit card numbers, payment card data, bank routing numbers
  • Law Enforcement Records: Name with driver’s license, criminal background
  • Access Credentials: Passwords or credentials that grant access to PL-1 or PL-2 data

 

Protected Level 2 (PL-2) - Internal Use

This data is intended for internal university use and is not publicly available. Unauthorized disclosure could cause moderate harm or violate university policies.

Examples include:

  • FERPA: Student records such as grades, schedules, advising notes, disciplinary actions
  • Campus Financials: Budget data, internal financial reports
  • Legal Communications: Attorney-client privileged information
  • Employee Information: Name with home address, personal email, marital status, evaluations, personnel actions

 

Protected Level 3 (PL-3) - Public

This data is intended for public release or is designated as publicly available. It poses minimal risk if disclosed.

Examples include:

  • Public-facing web content
  • Published research
  • Marketing materials
  • Directory information (as defined by FERPA)
     

 
