Data Protection Guide

Throughout its lifecycle, all university data stored, processed or transmitted at the university must be protected in a manner that is consistent with contractual or legal restrictions and is reasonable and appropriate for its classification. 

When collecting, storing, sharing or disposing of university data, faculty and staff should only use systems, tools and technologies that are covered by university-approved contracts. These contracts contain the terms and conditions required to protect university data, and the tools, systems and technologies covered by them have been configured with appropriate security and privacy protections.

Contact the Privacy Office and/or GW IT ([email protected] or 202-994-4948) for further instructions.

Follow this Data Protection Guide to appropriately access, store, transmit or dispose of university data.

Data Protection Requirements

The requirements below are organized by data category and the risk level assigned to it:

  • Regulated: High Risk
  • Restricted: Medium Risk
  • Public: Low Risk

Each control area that follows states the requirement for each of the three categories.

Network

Regulated (High Risk): All network traffic must be encrypted in transit using at least TLS v1.1 (TLS v1.2 is strongly encouraged). It is always preferable to use the strongest cipher available when transmitting Regulated information, especially when transmitting to a third party.

Restricted (Medium Risk): All network traffic must be encrypted in transit using at least TLS v1.1 (TLS v1.2 is strongly encouraged).

Public (Low Risk): No limitations.

Note that TLS v1.0 and v1.1 have since been formally deprecated (RFC 8996), so new systems and contracts should be configured for TLS v1.2 or later.
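The following is an added example, not part of the original guide or any GW IT tool, showing how a practitioner could check both sides of the Network requirement above: a server-side TLS configuration that enforces the encouraged floor, and an audit of observed handshakes against the "at least TLS v1.1, TLS v1.2 encouraged, strongest cipher for third parties" rule. The host names, the sample handshake records and the weak-cipher marker list are assumptions chosen for illustration.

```python
"""Policy checks for the Network requirement: encryption in transit with TLS v1.1
as the floor and TLS v1.2 (and the strongest available cipher) preferred.

Added example, not part of the original guide. Host names, sample handshake
records and the weak-cipher markers are assumptions chosen for illustration.
"""
from __future__ import annotations

import ssl

GUIDE_FLOOR = ssl.TLSVersion.TLSv1_1    # "at least TLS v1.1"
GUIDE_TARGET = ssl.TLSVersion.TLSv1_2   # "TLS v1.2 is strongly encouraged"

# Substrings of OpenSSL cipher names that mark a suite as weak.
# Assumption: illustrative list, not a GW IT standard.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXP", "ADH", "AECDH", "MD5")

# Protocol names as reported by ssl.SSLSocket.version() or openssl s_client.
_VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def policy_context() -> ssl.SSLContext:
    """Server-side SSLContext that enforces the encouraged floor (TLS 1.2) and
    offers only forward-secret AEAD suites for TLS 1.2 (TLS 1.3 suites are
    always AEAD and are configured separately by OpenSSL)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = GUIDE_TARGET
    # Assumption: illustrative OpenSSL cipher string; align it with your
    # platform baseline before deployment.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Findings for a configured context; an empty list means it meets the guide."""
    findings: list[str] = []
    if ctx.minimum_version < GUIDE_FLOOR:
        findings.append(f"minimum_version {ctx.minimum_version.name} is below TLS v1.1")
    elif ctx.minimum_version < GUIDE_TARGET:
        findings.append("minimum_version permits TLS v1.1; TLS v1.2 is encouraged")
    for suite in ctx.get_ciphers():
        if any(marker in suite["name"] for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher offered: {suite['name']}")
    return findings


def evaluate_handshake(version: str, cipher: str, third_party: bool) -> str:
    """Classify one negotiated connection as 'violation', 'discouraged' or 'ok'."""
    negotiated = _VERSIONS.get(version)
    if negotiated is None or negotiated < GUIDE_FLOOR:
        return "violation"          # below the TLS v1.1 floor (or unknown protocol)
    if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
        return "violation"          # encrypted, but with a broken suite
    if negotiated < GUIDE_TARGET:
        return "discouraged"        # TLS v1.1: permitted, not encouraged
    # Assumption: for third-party transfers, treat a non-AEAD TLS 1.2 suite as
    # "not the strongest cipher available".
    aead = negotiated >= ssl.TLSVersion.TLSv1_3 or "GCM" in cipher or "CHACHA20" in cipher
    if third_party and not aead:
        return "discouraged"
    return "ok"


# Constructed sample of observed handshakes: (host, protocol, cipher, third_party).
SAMPLE_CONNECTIONS = [
    ("sis.example.edu", "TLSv1.3", "TLS_AES_256_GCM_SHA384", False),
    ("vendor.example.com", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", True),
    ("legacy.example.edu", "TLSv1.1", "ECDHE-RSA-AES256-SHA", False),
    ("old-printer.example.edu", "TLSv1", "RC4-SHA", False),
    ("partner.example.org", "TLSv1.2", "AES256-SHA", True),
]


def audit_connections(records) -> dict[str, str]:
    """Map each sampled host to its verdict under the Network requirement."""
    return {host: evaluate_handshake(v, c, tp) for host, v, c, tp in records}


if __name__ == "__main__":
    print("policy context findings:", audit_context(policy_context()))
    for host, verdict in audit_connections(SAMPLE_CONNECTIONS).items():
        print(f"{host:28} {verdict}")
```

In practice the (version, cipher) pairs fed to evaluate_handshake would come from a TLS scanner or from a connection's own ssl.SSLSocket.version() and cipher() calls; the verdicts then map directly onto the three outcomes the guide describes (non-compliant, permitted but discouraged, and compliant).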
Workstations or Mobile Devices - GW-owned or approved (desktop, laptop, phone, tablet)

Regulated (High Risk): Regulated data may be accessed and processed using GW-owned or approved workstations or mobile devices (such devices are configured and managed by the university and must be encrypted). The following security controls must be in place:

  • Strong password
  • Encryption
  • Remote wiping capability
  • Registered with and managed by the GW IT mobile device management service

Restricted (Medium Risk): Restricted data may be accessed and processed using GW-owned or approved workstations or mobile devices (such devices are configured and managed by the university and must be encrypted). The following security controls must be in place:

  • Strong password
  • Encryption
  • Remote wiping capability
  • Registered with and managed by the GW IT mobile device management service

Public (Low Risk): No limitations.
Personally Owned Devices (desktop, laptop, phone, tablet)

Regulated (High Risk): Regulated information may not be downloaded, stored or synchronized on personally owned workstations or mobile devices. GW storage systems approved for regulated information may be accessed from such devices, but their sync clients must not be installed on them. Requirements for accessing regulated information from personally owned workstations or mobile devices are:

  • Full Disk Encryption (FDE)
  • Use of VPN (use the GW VPN when working remotely and accessing regulated data)
  • Must be password protected
  • Anti-virus / anti-spyware software must be active and kept up to date
  • Updates for all installed software should be installed within a reasonable period
  • Firmware and driver updates should be installed within a reasonable period

Restricted (Medium Risk): Restricted information may not be downloaded, stored or synchronized on personally owned workstations or mobile devices. GW storage systems approved for restricted information may be accessed from such devices, but their sync clients must not be installed on them. Requirements for accessing restricted information from personally owned workstations or mobile devices are:

  • Full Disk Encryption (FDE)
  • Use of VPN (use the GW VPN when working remotely and accessing restricted data)
  • Must be password protected
  • Anti-virus / anti-spyware software must be active and kept up to date
  • Updates for all installed software should be installed within a reasonable period
  • Firmware and driver updates should be installed within a reasonable period

Public (Low Risk): No limitations.
Storage

Regulated (High Risk): Regulated information may be stored only on GW IT hosted or approved servers or services (such as file sharing or collaboration services, cloud-based services, cloud-based back-up and recovery services, etc.). Documents containing regulated data may be stored in the following GW systems:

  • GW Box
  • GW Documents (Documentum)

Regulated data in physical form (paper, media) should be secured (locked) at all times, and access should be restricted to authorized users with a legitimate business need.

Restricted (Medium Risk): Restricted data may be stored on departmental, GW IT hosted or approved cloud-based systems. Documents containing restricted data may be stored in the following GW systems:

  • GW Box
  • GW Google Drive
  • GW SharePoint
  • GW MS Teams
  • GW Documents (Documentum)

Restricted data in physical form (paper, media) should be secured at all times, and access should be restricted to authorized users with a legitimate business need.

Public (Low Risk): No limitations.
Access

Regulated (High Risk): Access to regulated data must be limited to authorized individuals (staff, faculty) who have a legitimate reason to access it (on a business "need to know" basis). Data Custodians are responsible for all access and permissions to regulated data in their custody. Data Custodians must:

  • Determine who needs access to the regulated data in their custody and what permission level each individual needs.
  • Follow the Principle of Least Privilege: give individuals the lowest permission levels needed to perform their assigned tasks.
  • Periodically review access to the regulated data in their custody.

Restricted (Medium Risk): Access to restricted data must be limited to authorized individuals (staff, faculty) who have a legitimate reason to access it. Data Custodians are responsible for all access and permissions to restricted data in their custody. Data Custodians must:

  • Determine who needs access to the restricted data in their custody and what permission level each individual needs.
  • Follow the Principle of Least Privilege: give individuals the lowest permission levels needed to perform their assigned tasks.

Public (Low Risk): No limitations.

Transmission (Emailing)

Regulated (High Risk): Use only secure methods to transmit regulated information. Do not include regulated information in the body of an email or as an attachment.

To transmit (email) regulated data to another university email address, use links instead of attachments: store the regulated information in GW Box and email a link to the file.

Regulated data must be encrypted during transmission outside the GW network. If there is a business need to email regulated data to non-university recipients, the message must be encrypted. To activate encryption for your university email account, submit a GW Email Encryption Access Request to GW IT.

Emailing regulated information to or from a personal email address is strictly prohibited.

Restricted (Medium Risk): Use only secure methods to transmit restricted information.

To transmit (email) restricted data to another university email address, use links instead of attachments: store the restricted information in one of the approved storage systems listed above and email a link to the file.

Restricted data must be encrypted during transmission outside the GW network. If there is a business need to email restricted data to non-university recipients, the message must be encrypted. To activate encryption for your university email account, submit a GW Email Encryption Access Request to GW IT.

Emailing restricted information to or from a personal email address is strictly prohibited.

Public (Low Risk): No limitations.
Reproduction

Regulated (High Risk): Avoid printing or copying regulated data. Only the minimum necessary prints or copies may be made, and only with the permission of the originator or their designates. Working copies (prints) containing regulated data should be secured at all times and permanently destroyed (shredded) when no longer needed.

Regulated data should never be printed or copied using a public (non-GW) device.

As a general rule, employees are not allowed to take regulated data in physical form off campus or to make unofficial copies.

Restricted (Medium Risk): Avoid printing or copying restricted data. Only the minimum necessary prints or copies may be made. Working copies (prints) containing restricted data should be secured at all times and permanently destroyed (shredded) when no longer needed.

Restricted data should never be printed or copied using a public (non-GW) device.

As a general rule, employees are not allowed to make unofficial copies of restricted data.

Public (Low Risk): No limitations.
Disposal

Regulated (High Risk): Regulated data must be disposed of using GW IT approved measures to protect against unauthorized access or disclosure. Regulated information must be destroyed in a manner such that the information can neither be reconstructed nor read.

Restricted (Medium Risk): Restricted data must be disposed of using GW IT approved measures to protect against unauthorized access or disclosure.

Public (Low Risk): No limitations.