Approved Services Decision Matrix

This table indicates which categories of data are allowed on a selection of common IT systems

Cloud Collaboration Services
Category III
Category II
Category I
HIPAA1
FERPA
SSNs
PCI2
ITAR6
IRB
Instant Messaging: Skype for Business4 ✔︎ ✔︎ ✔︎ ✔︎ ✔︎
Slack3 (slack.com) ✔︎ ✔︎ ✔︎
Microsoft Teams4 ✔︎ ✔︎ ✔︎ ✔︎ ✔︎
Zoom1 ✔︎ ✔︎ ✔︎ ✔︎
Canvas ✔︎ ✔︎ ✔︎
Cloud Document Services
Docusign ✔︎ ✔︎ ✔︎ ✔︎ ✔︎ ✔︎
Cloud Messaging/Transfer Services
Email: Office3654 ✔︎ ✔︎ ✔︎ ✔︎
SMS/Texting:  Tigertext ✔︎ ✔︎ ✔︎ ✔︎ ✔︎ ✔︎
File Transfer:  Accellion ✔︎ ✔︎ ✔︎ ✔︎ ✔︎ ✔︎
Cloud Infrastructure Services (IaaS)
Cloud Infrastructure: Amazon (AWS)4, MS Azure4 ✔︎ ✔︎ ✔︎ ✔︎ ✔︎ ✔︎ ✔︎
Cloud Storage Services
Apple iCloud ✔︎
Box (unthsc.box.com) ✔︎ ✔︎ ✔︎* ✔︎* ✔︎* ✔︎* ✔︎
DropBox5 (www.dropbox.com) ✔︎
Microsoft OneDrive4 ✔︎ ✔︎ ✔︎ ✔︎ ✔︎ ✔︎
Cloud Survey Services
Survey Tool: Qualtrics (unthsc.qualtrics.com) ✔︎
Form Tool:  Formstack(unthsc_secure.formstack.com) ✔︎ ✔︎ ✔︎* ✔︎* ✔︎* ✔︎ ✔︎ ✔︎
Cloud Web Hosting Services
Content Management: WPEngine( WordPress – unthsc.edu) ✔︎ ✔︎
Notes on Cloud Services
1 HIPAA data has special regulatory requirements; read this for more info. Please note Zoom will need a HIPAA sub-account created for HIPAA compliance.  Official HIPAA covered entities should contact the UNTHSC Center for Innovative Learning Desk for assistance in setting this up.
2 Payment Card Industry (PCI) data has special regulatory requirements
3 No enterprise contract currently; each department must go through the Contracts Office for their own contract with a FERPA agreement.
4 Authorized usage is limited to services provided under the ITS-managed vendor contract to remain compliant. Any use of the standard consumer-grade offerings of these products is not approved. Also, depending on the associated university data for certain cloud infrastructure it may be necessary to implement additional security monitoring. Please consult with the Information Security Officer to determine if monitoring is needed and to understand how we can assist you.
5 As there is no university contract in place for DropBox, no usage involving protected or restricted university data
is permitted. Use of Dropbox with Confidential data is a violation of the Acceptable Use of Electronic Communications Policy.
It may be possible to store ITAR protected data if properly encrypted prior to being uploaded, but faculty should
consult with the Information Security Office to determine if there are any other issues or concerns.
* with Information Security Office Consultation

Local Services

For comparison purposes, select services run by ITS and offered to campus are listed below with the types of data that are approved for use with each. Use of locally hosted services is encouraged over cloud services when possible. This table is not intended to be a comprehensive list of all ITS offered services.

Local Service
Published
Controlled
Confidential
HIPAA1
FERPA
SSNs
PCI2
ITAR
IRB
Database Hosting: ITS-Supported MySQLSQLServer ✔︎ ✔︎ ✔︎ ✔︎ ✔︎ ✔︎
File Storage: UNTHSC FIle shares ✔︎ ✔︎ ✔︎ ✔︎ ✔︎
Virtual Servers ✔︎ ✔︎ ✔︎ ✔︎ ✔︎ ✔︎
Notes on Local Services
1 HIPAA data has special regulatory requirements; read this for more info.
2 Payment Card Industry (PCI) data has special regulatory requirements;
3 It may be possible to store ITAR protected data if properly encrypted prior to being uploaded, but faculty should
consult with the Information Security Office to determine if there are any other issues or concerns.

 

This page was last modified on September 16, 2020