Regulations and Standards Compliance Matrix

RIT Departments

Regulatory Requirement

Type of Data to Protect

Data Classification

Comments

Financial Aid Office

NIST 800-171/GLBA/FERPA

CUI/PII

Sensitive, Private

Must be processed, stored and transmitted securely. Access you be given to only those need to know.

NTID Auditology

HIPAA

EPHI

Confidential, Private

The appropriate administrative, physical, and technical safeguards must be in place to ensure confidentiality, integrity, and availability of the ePHI that it is created, receives, maintains, or transmits are secure.

Research Computing

NIST 800-171:CMMC

CUI

Sensitive, confidential and private

Must be processed, stored and transmitted securely with the right markings.

Payment Card Processors (Business Units)

PCI DSS Requirements

Cardholder data

Private

PAN and SAD should never be stored by any business unit. All payment card processors must adhere to the PCI DSS 12 requirements.

Acronyms:

CMMC - Cybersecurity Maturity Model Certification
CUI - Controlled Unclassified Information
EPHI - Electronic Protected Health Information
PAN - Primary Account Number
PCI SCC - Payment Card Industry Security Standard Council
SAD - Sensitive Authentication Data
GLBA - Gramm Leach Bliley Act
HIPAA - Health Insurance Portability and Accountability Act

Resources

https://www.rit.edu/security/content/rit-information-handling-and-servi…
https://www.rit.edu/security/content/information-access-protection-stan…
https://www.archives.gov/cui/registry/category-marking-list
https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf