Standard and Process

See the specific requirements in the Data Storage and Backup & Recovery Standard in the University Policy Library. The following supplements the requirements in University policy.

Data Storage

Data (including databases) must be stored to comply with regulations or contractual agreements related to data storage and to maintain the confidentiality, integrity, and availability of the data.

Storing or transferring University private data to a vendor or non-University internet site/system requires an approved University contract.

Any incidental and unintended storage of files in the browser or other cache files on personally owned computers and media; or email/email attachments must be deleted as soon as possible.

Use encryption to protect the data.

Staff and faculty traveling internationally must not transport export-restricted data or software outside of the U.S. The Office of the General Counsel and the Office of International Programs can provide guidance. University private data should be removed from laptops, devices, or media before traveling. Store the minimum data necessary for the trip. All other files should be securely deleted (old email, old files, etc). A departmental travel or rental computer should be used. For current international travel requirements, see the official US travel site.

Backup & Recovery of Data

Data (including databases) must be recoverable based on business needs. The physical security of backups must be maintained and periodically reviewed to meet compliance or regulatory requirements.

The extent (e.g., full or differential backup) and frequency need to take into account the legal or contractual obligations and the criticality to the continued operation of the University.

Backup testing includes monitoring the backup and restoration time. Perform the testing on test media and not on the original media in case the backup or restoration process fails and causes irreparable data damage or loss.

Operational procedures need to include monitoring the execution of backups, addressing failures of scheduled backups, and documenting the actions taken.

Technical staff are responsible for working with users, data owners, data custodians, and service owners to

  • develop data storage options for University data;
  • work with users, data owners, data custodians, and service owners on where to store data;
  • develop and review data backup and recovery plans and procedures for University data;
  • designate facilities or locations for storing backups.

Users, data owners, data custodians, and service owners are responsible for working with Technical staff to 

  • understand and follow the data storage requirements for the data they store;
  • understand and follow the data backup plan, secure storage practices and recovery options for the data they store.

Data owners are responsible for publicly available information.

See the Information Security policy appendices for additional information security standards that also apply.

More Information

Document Management

Document Responsibility and History
Document Owner Document Approvers Effective Date Last Reviewed Date
University Information Security

Brian Dahlin,
Chief Information Security Officer

Bernard Gulachek,
VP of Information Technology and Chief Information Officer

August 2010 May 2019