Topics Map > Services > Security > Data and Document Standards

Data and Document Standards - Data Standards

Below is a list of best practices for data standards and protections.

Best Practices for Sensitive Data

  • All data must be classified.
  • All data access must be authorized under the principle of least privilege and based on minimal need.
  • All access to confidential data must be authenticated and logged.
  • When an individual has been granted special access changes responsibilities or leaves employment, all thier access rights must be reevaluated and any unneeded access removed.
  • When necessary, data transmission and storage should be encrypted.
  • Follow Guidelines for Protecting Sensitive Data 

Laws and Regulations

Federal laws that protect personal data
  • FERPA (Family Education Rights and Privacy Act), 1974.  This law protects student information such as SSN, some demographic information, grades, and other student records.
  • GLBA (Graham Leech Bliley Act), 2000. A law designed to protect personal financial information such as financial aid, banking, credit, and investment information.
State laws and other standards that protect personal data
  • ND Privacy Law, 2006, protects personal data. NDSU is required to report to the owner of the data if a breach has occurred and if information has become compromised or stolen.
  • North Dakota Public Records Statute, North Dakota Century Code 44-04,  defines what is and isn't a public record and/or what data can be made available for public view.

NDSU and NDUS Policies

NDUS Policies and Procedures
NDSU Policies and Procedures

Data Classification

The North Dakota University System Data Classification Standard was developed to identify and clarify the definition of data types within a university.  Any data asset of the NDUS or the Institution shall be classified as Public, Private, or Confidential.
Public data is defined as data that any entity either internal or external to the ND University System can access.  The Open Records law of North Dakota may apply.
Confidential data is information that the NDUS or Institution is under legal or contractual obligation to protect from disclosure, alteration or destruction. The disclosure, use, or destruction  of confidential data can have adverse affects on the NDUS or Institution and possibly carry significant civil, fiscal, or criminal liability. The availability and use of confidential data will be restricted to selected, authorized employees whose job function necessitates access to the data and to third parties pursuant to valid legal inquiries.
The owner of the data is the one whom the data belongs to. For example, a person owns his/her social security number, date of birth, and address.
The custodians of such data are employees, departments, colleges, research centers, and extension offices responsible for the integrity, confidentiality and availability of the data. It shall be the responsibility of the owner/custodian of the data to classify the data.  However, all individuals accessing data are responsible for the protection of the data at the level determined by the owner/custodian of the data as mandated by law.  Any data not yet classified by the owner/custodian shall be deemed Confidential.  Accerss to data items may be further restricted by law, beyond the classification systems of the NDUS or NDSU.

Protect Credit Card Information

Credit card information is protected under the Payment Card Industry Data Security Standards and by various federal and state laws.  When accepting, using, and storing credit card information, these guidelines must be followed.
  • Do not store or write down the full credit card number. If there is a business need to store credit card information, only the last four digits can be stored electronically or in hard copy.
  • Do not store or write down the CVV2 (Credit card validation value - the three or four digits located on the back of the credit card).
  • Do not store or write down the expiration date
  • Credit card receipts must only show the last four digits of the card.  The CVV2 and/or the expiration data must not be printed on the receipt.
  • Do not accept credit card information over e-mail. If you receive a credit card over e-mail, delete the message and remove it from the Deleted Items folder.
  • If credit card information is received over voice mail, delete immediately.
  • There must be separation of duties for accepting and processing credit cards, within offices.
NDSU uses a secure third party vendor, TouchNet, to accept credit cards online. Please contact NDSU Customer Account Services for more information on how to use this service.
For more information on credit card information and safekeeping: