Regulations and Standards Compliance Matrix
| RIT Department | Regulatory Requirement | Type of Data to Protect | Data Classification | Comments |
|---|---|---|---|---|
| Financial Aid Office | NIST 800-171 / GLBA / FERPA | CUI / PII | Sensitive, Private | Must be processed, stored, and transmitted securely. Access must be granted only to those with a need to know. |
| NTID Audiology | HIPAA | ePHI | Confidential, Private | Appropriate administrative, physical, and technical safeguards must be in place to ensure the confidentiality, integrity, and availability of the ePHI the unit creates, receives, maintains, or transmits. |
| Research Computing | NIST 800-171 / CMMC | CUI | Sensitive, Confidential, Private | Must be processed, stored, and transmitted securely and carry the correct CUI markings. |
| Payment Card Processors (Business Units) | PCI DSS | Cardholder data | Private | PAN and SAD should never be stored by any business unit. All payment card processors must adhere to the 12 PCI DSS requirements. |
Acronyms:
CMMC - Cybersecurity Maturity Model Certification
CUI - Controlled Unclassified Information
ePHI - Electronic Protected Health Information
FERPA - Family Educational Rights and Privacy Act
GLBA - Gramm-Leach-Bliley Act
HIPAA - Health Insurance Portability and Accountability Act
PAN - Primary Account Number
PCI DSS - Payment Card Industry Data Security Standard
PCI SSC - Payment Card Industry Security Standards Council
PII - Personally Identifiable Information
SAD - Sensitive Authentication Data
Resources
https://www.rit.edu/security/content/rit-information-handling-and-servi…
https://www.rit.edu/security/content/information-access-protection-stan…
https://www.archives.gov/cui/registry/category-marking-list
https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf