Approved Services Decision Matrix

This table indicates which categories of data are allowed on a selection of common IT systems

Cloud Collaboration Services	Category III	Category II	Category I	HIPAA¹	FERPA	SSNs	PCI²	ITAR⁶	IRB
Instant Messaging: Skype for Business⁴	✔︎	✔︎	→	✔︎	✔︎				✔︎
Slack³ (slack.com)	✔︎	✔︎	→		✔︎
Microsoft Teams⁴	✔︎	✔︎	→	✔︎	✔︎				✔︎
Zoom¹	✔︎	✔︎	→	✔︎	✔︎
Canvas	✔︎	✔︎	→		✔︎

Cloud Document Services
Docusign	✔︎	✔︎	→	✔︎	✔︎	✔︎			✔︎

Cloud Messaging/Transfer Services
Email: Office365⁴	✔︎	✔︎	→	✔︎	✔︎
SMS/Texting: Tigertext	✔︎	✔︎	→	✔︎	✔︎	✔︎			✔︎
File Transfer: Accellion	✔︎	✔︎	→	✔︎	✔︎	✔︎			✔︎

Cloud Infrastructure Services (IaaS)
Cloud Infrastructure: Amazon (AWS)⁴, MS Azure⁴	✔︎	✔︎	→	✔︎	✔︎	✔︎	✔︎		✔︎

Cloud Storage Services
Apple iCloud	✔︎
Box (unthsc.box.com)	✔︎	✔︎		✔︎*	✔︎*	✔︎*	✔︎*		✔︎
DropBox⁵ (www.dropbox.com)	✔︎
Microsoft OneDrive⁴	✔︎	✔︎		✔︎	✔︎	✔︎			✔︎

Cloud Survey Services
Survey Tool: Qualtrics (unthsc.qualtrics.com)	✔︎
Form Tool: Formstack(unthsc_secure.formstack.com)	✔︎	✔︎	→	✔︎*	✔︎*	✔︎*	✔︎	✔︎	✔︎

Cloud Web Hosting Services
Content Management: WPEngine( WordPress – unthsc.edu)	✔︎	✔︎

Notes on Cloud Services
¹ HIPAA data has special regulatory requirements; read this for more info. Please note Zoom will need a HIPAA sub-account created for HIPAA compliance. Official HIPAA covered entities should contact the UNTHSC Center for Innovative Learning Desk for assistance in setting this up.
² Payment Card Industry (PCI) data has special regulatory requirements
³ No enterprise contract currently; each department must go through the Contracts Office for their own contract with a FERPA agreement.
⁴ Authorized usage is limited to services provided under the ITS-managed vendor contract to remain compliant. Any use of the standard consumer-grade offerings of these products is not approved. Also, depending on the associated university data for certain cloud infrastructure it may be necessary to implement additional security monitoring. Please consult with the Information Security Officer to determine if monitoring is needed and to understand how we can assist you.
⁵ As there is no university contract in place for DropBox, no usage involving protected or restricted university data is permitted. Use of Dropbox with Confidential data is a violation of the Acceptable Use of Electronic Communications Policy.
⁶It may be possible to store ITAR protected data if properly encrypted prior to being uploaded, but faculty should consult with the Information Security Office to determine if there are any other issues or concerns.
* with Information Security Office Consultation

Local Services

For comparison purposes, select services run by ITS and offered to campus are listed below with the types of data that are approved for use with each. Use of locally hosted services is encouraged over cloud services when possible. This table is not intended to be a comprehensive list of all ITS offered services.

Local Service	Published	Controlled	Confidential	HIPAA¹	FERPA	SSNs	IRB
Database Hosting: ITS-Supported MySQL, SQLServer	✔︎	✔︎	→	✔︎	✔︎	✔︎	✔︎
File Storage: UNTHSC FIle shares	✔︎	✔︎	→		✔︎	✔︎	✔︎
Virtual Servers	✔︎	✔︎	→	✔︎	✔︎	✔︎	✔︎

Notes on Local Services
¹ HIPAA data has special regulatory requirements; read this for more info.
² Payment Card Industry (PCI) data has special regulatory requirements;
³ It may be possible to store ITAR protected data if properly encrypted prior to being uploaded, but faculty should consult with the Information Security Office to determine if there are any other issues or concerns.

Approved Services Decision Matrix

Local Services

Quick links

Resources

Connect with us

Approved Services Decision Matrix

Local Services

Quick links

Resources

Connect with us

Social media