A team at Arizona State University developed two self-service tools to help staff, faculty, researchers, and student employees classify and store institutional data in compliance with privacy and regulatory requirements by guiding data classification and mapping results to approved storage options.
Institutional Profile
Arizona State University (ASU) is a public research university in Tempe, Arizona, with multiple campuses across the Phoenix metropolitan area and a significant national online presence. As one of the largest universities in the United States by enrollment, ASU serves more than 183,000 students through a combination of in-person and online programs. The university employs more than 5,400 faculty members and approximately 21,750 staff, making it one of the largest employers in Arizona. The scale and decentralized structure of ASU create both opportunities and challenges for enterprise-wide data governance and technology services. The Enterprise Technology division plays a central role in supporting ASU's digital infrastructure and creating innovative ways to meet the needs of students, researchers, faculty, and administrators while ensuring that institutional data remains secure.
The Challenge/Opportunity
At ASU, as at many large, decentralized institutions, managing data storage presents a significant challenge. Faculty, staff, and researchers often handle data that is sensitive, regulated, or both. For example, researchers in the sciences conduct studies that involve the collection of personal medical information, and student workers assist in admitting or registering students from EU countries that have their own privacy laws. However, faculty, staff, researchers, and student workers may not always fully understand which rules apply to data storage or how to implement them. Indeed, part of what makes storing sensitive data complicated is an alphabet soup of regulations, including the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and the General Data Protection Regulation (GDPR). In addition, many end users lack the technical expertise to ensure data is stored securely.
For many years, ASU relied on the Data Classification Matrix, a Google Sheet that users consulted to identify and label the type of data they were using and to see the range of systems available for each category. However, the spreadsheet was often out of date, leading users to reach out directly to the Enterprise Technology team. Ben Archer, privacy manager at ASU, said that he would spend a few hours nearly every week answering emails about data classification.
The challenge extended beyond inefficiency to increased institutional risk. Without a complete understanding and clear, accessible guidance, users risk improper data storage, increasing the likelihood of data breaches, compliance violations, or compromised research integrity. "A worst-case scenario for us would be an incident where data would be leaked because it was improperly stored or classified," said Bri Mascheri, security operations center lead.
So, in early 2024, ASU Enterprise Technology began seeking a more effective tool than the Data Classification Matrix to guide users on storing sensitive data. The core team working on this effort included Archer, Mascheri, Olli Honkkila, a data governance and administration manager, and Rachel Clark, a senior cybersecurity analyst. Audrey Brockhaus, a Drupal developer, provided crucial support to the project. During the project, the team discovered that they were addressing a two-part problem that required a pair of complementary tools.
Process
As the Enterprise Technology team sought to manage the storage of sensitive data, they realized they were missing a key step. Before end users could choose the right storage solution, they needed to understand what kind of data they had. Only after clarifying that information could users understand where their data should be appropriately stored. The team settled on a plan to develop a pair of tools: one to navigate data classification and another to select data storage.
To develop the first tool, the team began by brainstorming the questions a user might ask about their data and mapping logic flows on a whiteboard. This work evolved into a decision tree, which the team refined through consultations with stakeholders across campus, including the privacy and data governance advisory committee, legal counsel, regulated data officers, IT leads, and research data stewards.
At each stage of the process, the Enterprise Technology team solicited feedback from stakeholders to clarify language, align interpretations of regulatory requirements, and ensure the tools would be accessible even to users without technical backgrounds. As outreach expanded across ASU, the team discovered something surprising. Nearly half of the groups they spoke to in the learning and feedback phase had already tried to address data classification within their own silos, but none had developed an effective solution. "They were ecstatic to hear there was finally a project launched," Mascheri said. This phase also informed the wording and classification logic of the emerging tool. "We got a lot of verbiage suggestions that made the questions make more sense for folks who were nontechnical and didn't understand the regulations," Archer added.
After several months of iteration, the team partnered with internal web developers at ASU to build the new Data Classification Tool. The result is a self-service wizard built in Drupal that guides users through a structured series of yes-or-no questions to classify data. These questions determine whether the data contains sensitive information or information about a person. Additionally, the process identifies the origin of the data, such as the United States or the European Union. Based on user responses, the tool evaluates the regulatory context, identifies applicable requirements such as FERPA or GDPR, and classifies the data into one of four categories: public, internal, sensitive, or highly sensitive (see Figures 1 and 2).
Figure 1. Example of Data Classification Decision Tree
Figure 2. Text for Determining Data Classification and Regulatory Requirements
The Data Classification Tool also provides links to relevant resources. For example, if a dataset is subject to GDPR and FERPA, then the tool directs the user to ASU webpages on each regulation and highlights best practices for handling that specific type of data. Helpful tips and contextual information are built into every step, ensuring that even nontechnical users can confidently navigate the tool without getting stuck or confused. "All regulated data is sensitive," Archer explained. "So, the tool doesn't just say what category your data falls into. It also tells you what that means, what regulations apply, and where to go for more information."
When it came time to develop a tool to guide data storage decisions, the team adapted a Cornell University Data Storage Finder module. The module was relatively easy to configure, so most of the effort went into identifying and vetting appropriate storage solutions.
The team initially mapped existing ASU documentation to vendor certifications, but that approach proved insufficiently granular for consistent use within the tool. Instead, the team mapped more than one hundred regulatory controls drawn from frameworks such as FedRAMP, HIPAA, and GDPR. Each control was linked to specific compliance artifacts, including SOC 2 reports and the ASU Vendor IT Risk Assessment process. The team then evaluated which storage platforms met compliance requirements under a shared responsibility model.
That information populated the resulting Data Storage Selector Tool, which helps users identify compliant storage options based on their data classification and associated regulations. Users enter their data classification and regulatory requirements, determined through the classification tool, and the selector returns a list of approved storage solutions, such as cloud services and local storage resources, that meet the necessary security and compliance standards.
Alternatively, users can begin by selecting the storage services they are interested in and use a comparison table to determine which option best fits their needs (see Figure 3).
Figure 3. Data Storage Selector Tool Interface
Every recommended storage option provides details on how to maintain compliance through encryption or role-based access. Each entry also lists the date of the last compliance review.
The development process for both tools spanned approximately nine months. During that time, the tools were tested, refined, and iteratively improved to make them easy to understand, regardless of the end user's technical expertise. By fall 2024, they were ready to be deployed.
The next step was raising awareness about these resources. Rather than relying on trickle-down communication from department heads, the team decided to present the tools directly to the people who needed them: researchers, staff, faculty, and student workers. They planned the launch months in advance, bringing in members of the division's marketing and communications team to help develop targeted presentations, email campaigns, and website banners, and organize appearances at campus events. They also created an email address and Slack channel where users could ask questions.
This communication strategy required significant coordination, Clark explained, but it helped the tools become widely adopted across the ASU user base much more quickly. "It's really exciting when you're in a Slack chat, and someone asks about data classification, and someone not on our team says, 'Have you checked out this tool yet?'"
Outcomes and Lessons Learned
The tools reduced the need for direct staff intervention and supported consistent data handling across departments. The impact of the tools spread across ASU, with measurable outcomes that demonstrate their effectiveness:
- In the first year, the tool facilitated more than 425 data classification submissions, many of which would have previously required a response and personal intervention from Enterprise Technology.
- More than twenty-five departments used the tool to assist with a major data migration, and the team received no questions during the process.
- More than twenty other institutions expressed interest in adopting ASU tools after the team presented at the May 2025 EDUCAUSE Cybersecurity and Privacy Professionals Conference.
The Enterprise Technology team is now working with ASU web developers to create a version of the Data Classification Tool that other institutions can adopt for their own needs and to streamline their documentation so it can be shared as a resource. They offer the following tips for other institutions planning to develop similar tools.
Document Everything
Documentation was a top priority throughout the project. Every workflow, decision tree, and regulatory mapping was captured in a way that others could follow and update. The team knew from experience how much risk is involved in relying on one person's institutional knowledge, so they designed the project to ensure continuity despite staff turnover.
Listen to Your Customers
The success of the project hinged on the simple act of listening to what people were asking for, then building the right solution. Feedback from end users was built into every stage of development. As Archer said, "If we have a subject matter expert who said this is the right way to solve the problem, then we need to trust them, believe them, and move forward in that way."
Engage Stakeholders Early and Make Them Part of the Solution
One of the most effective strategies the ASU team used was actively involving stakeholders, including some of the biggest critics of the previous tool. "We communicated with all sorts of stakeholders a lot—not just at the beginning and the end, but during the whole project," Honkkila said.
This approach not only improved the functionality of the tool but also fostered a sense of shared ownership. Those who were among the toughest critics of the previous tool became some of the most vocal champions of the new ones. "Engaging stakeholders created shared ownership across our colleagues," Mascheri said. "We are all a part of this as a team, investing in the data that we work with every day and investing in our data culture."
Where to Learn More
- "Cybersecurity Spotlight: Meet the Engineer Defending Sun Devils' Data": A Q&A with Senior Cybersecurity Operations Engineer Bri Mascheri in which she shares cybersecurity best practices and outlines digital threats facing higher education.
- "ASU Enterprise Technology Introduces Two New Tools for Secure Data Handling": A press release introducing the ASU Data Storage Selector and Data Classification Tools, including how these resources help users identify data types and find compliant storage solutions.
- "I Have This Data: What Is It, and Where Do I Put It? — Making Data Classification and Storage Decisions,": A presentation given at the May 2025 EDUCAUSE Cybersecurity and Privacy Professionals Conference about how ASU developed a self-service wizard to guide users through regulatory requirements and approved storage solutions.
Jessie Kwak is a Writer with McGuire Editorial & Consulting.
© 2026 EDUCAUSE. The content of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License