Confirm data type
Use the data classification worksheet and UAB's public, sensitive, and restricted/PHI requirements to identify the data involved.
Data ClassificationUAB IT product and contract intake
Technology Contract & Product Review
UAB IT reviews technology-related contracts, software, products, and services before execution to evaluate security, data protection, and IT implementation needs such as single sign-on, installation, integrations, and support.
Start with IT review. After IT approval, submit the contract through UAB Contract Management and include your ServiceNow RITM number.
How the review works
Complete the IT review before sending the contract through UAB Contract Management for legal review.
Gather documents
Use the finder or reference cards below to collect the contract, use case, security review, BAA, research, or equipment documents that apply.
View requirementsSubmit IT request
Send the product or contract review request to UAB IT through ServiceNow with the required documents attached.
Open ServiceNow formFinish in CMS
After IT approval, submit to UAB Contract Management and include the ServiceNow RITM number.
Open CMS informationHR data note
If you need access to HR data, contact HR Information Systems before submitting to UAB IT at
Data classification
Use data risk to choose the path
All UAB data stored, processed, or transmitted must be classified. The finder uses these simplified categories to point users toward the likely document set.
Public Data
Low-risk data UAB has chosen or is required to disclose publicly, such as public websites, course catalogs, public research findings, press releases, and newsletters.
Sensitive Data
Moderate-risk confidential data. Examples include FERPA, budgetary plans, proprietary business plans, patent-pending information, and data protected by law.
Restricted/PHI Data
High-risk or highly confidential data, including HIPAA, PHI, SSNs, credit card numbers, GLBA, export-controlled data, FISMA data, login credentials, and NDA-protected information.
Classification checkpoints
Work through these sections in order. When a checkpoint applies, route the request according to the highest-risk data involved.
Checkpoint 1 Is the data subject to regulatory, standard, grant, or contractual protection requirements?
Review the data set for any of the following requirements. The label on each item shows the classification path it triggers.
Sensitive
FERPA student data without SSN
Restricted
Student data with SSN
Restricted
HIPAA, PHI, or ePHI
Restricted
GLBA student financial aid data
Restricted
Export-controlled data
Restricted
CMMC or DoD requirements
Restricted
PCI credit card data
Restricted
GDPR or EU citizen PII
Sensitive
Grant privacy requirements
Restricted
Grant privacy and security requirements
Sensitive
Contract privacy requirements
Restricted
Contract privacy and security requirements
Checkpoint 2 Does the data contain personally identifiable information?
Personally identifiable information maps to the restricted path in this worksheet because it can distinguish, trace, or logically associate information with a specific individual.
RestrictedFull name, alias, maiden name, or mother’s maiden name
RestrictedSocial Security number
RestrictedPassport number
RestrictedDriver’s license number
RestrictedTaxpayer identification number
RestrictedPatient identification number
RestrictedFinancial account or credit card number
RestrictedStreet address
RestrictedEmail address
RestrictedMobile, business, or personal phone numbers
RestrictedPhotographic image
RestrictedX-rays
RestrictedFingerprints or biometric images
RestrictedDate or place of birth
RestrictedRace, religion, weight, or activities
RestrictedGeographic indicators
RestrictedEmployment information
RestrictedMedical, education, or financial information
Checkpoint 3 Does the data contain protected health information?
Protected health information maps to the restricted path. To be considered de-identified, all 18 HIPAA identifiers must be removed.
RestrictedName
RestrictedAddress or geographic subdivision smaller than state
RestrictedDates related to an individual, except year
RestrictedTelephone number
RestrictedFax number
RestrictedEmail address
RestrictedSocial Security number
RestrictedMedical record number
RestrictedHealth plan beneficiary number
RestrictedAccount number
RestrictedCertificate or license number
RestrictedVehicle identifier or license plate number
RestrictedDevice identifier or serial number
RestrictedWeb URL
RestrictedIP address
RestrictedFinger or voice print
RestrictedPhotographic image
RestrictedAny other unique identifying characteristic
Checkpoint 4 If none of the above apply, answer the final classification questions
Public path
Is the data already publicly available, or does UAB wish to publicize the data?
Sensitive path
Is the data confidential and limited to UAB or approved third parties with authorization to access and view it?
Restricted path
Is the data highly confidential, limited by strict need-to-know access, or likely to cause major harm to UAB if exposed?
Interactive guide
Find your likely required documents
Answer a few routing questions to identify the likely review path and document set. Final review may adjust the path if data type or system scope changes.
Classification reminder
Free software still needs the correct review path if it stores, processes, transmits, or accesses UAB data.
Document finder
Question 1 of up to 4
Reference
Required documents by review path
Compare requirements across paths in the table, or use cards for a readable summary.
Fast track CDA / NDA
Clear the confidentiality step before product review
Use this path when a vendor will not share security documents until an NDA is signed. The CDA helps unlock the vendor documents; it does not replace the IT product or contract review.
CDA fast-track flow
Complete these steps before asking the vendor for the documents needed for the product review.
-
Send UAB's CDA
Ask the vendor to sign the UAB CDA rather than starting with the vendor's NDA.
-
Route for signature
After the vendor returns the CDA, submit it through Contract Management for official UAB signature.
-
Request documents
Once both signatures are complete, send the CDA back to the vendor and request the review documents.
Vendor only has a portal?
If the vendor refuses to send documents and only provides a security portal, include the portal link in the IT review request.
Then continue normal review
After the CDA step, use the document finder or comparison table above to confirm what must be attached.
Planning
Estimated turnaround time
Turnaround starts after the request and all required documentation have been provided. EISO reviews contracts involving Sensitive and Restricted/PHI data.
Public Data
1–2 business days
Typical when documentation is complete.
Sensitive Data
1–7 business days
Depends on security documentation and data use.
Restricted/PHI or HSIS
Varies
No fixed SLA. Updates will be provided through the RITM.
Common situations
Do I submit to IT or Contract Management first?
Submit to IT first for product or contract review. After IT approval, submit through UAB Contract Management and include the RITM number.
What if the vendor provides SOC2 instead of HECVAT?
SOC2, ISO 27001, CSA CAIQ, and HSIS RA are listed alternatives for Sensitive and Restricted/PHI reviews. HECVAT Lite is preferred for Sensitive; HECVAT Full is preferred for Restricted/PHI.
What if PHI or ePHI is involved?
Treat PHI/ePHI as Restricted/PHI and determine whether HSIS or EISO approval applies. A BAA may be required for business associates.
What if I am not sure which path applies?
Use the document finder, include what you know in the ServiceNow request, and attach the most conservative documentation available. Final routing can be adjusted during review.
Ready to submit?
Attach the required documents and submit your product/contract review request to UAB IT.
Designated Technology FAQ
-
Are there approved technology tools that are not on the Designated Technology Systems list?
Yes. The Designated Technology Systems list is not intended to be an exhaustive list of every technology tool approved for use at UAB; rather, it is a list of technologies designated as the preferred or authoritative tool for certain use cases. Tools also approved for use at UAB include:
- All tools and software included in the IT Service Catalog and IT Software Center.
- All modules, libraries and tools included in the Cheaha high-performance computing system.
- Web browsers including Chrome, Safari, Edge and others.
-
With the Designated Technology Systems list in place, will I be prohibited from purchasing solutions that work for our research needs, in favor of existing, centralized tools?
You will not be prohibited from purchasing solutions that work for research or other purposes as long as they comply with UAB security and procurement policies.
-
If a tool I want to use for another purpose has already been approved for a different use case, will the review process be streamlined?
UAB will follow the existing technology contract and product review process, which includes estimated turnaround times based on data classification. Over the last seven years, UAB IT has delivered according to these service level agreements 99.56 percent of the time.
-
Is UAB reviewing AWS and AI-based software, such as notetaking software?
UAB has an enabling agreement with Microsoft and Salesforce for cloud environments. UAB is actively pursuing enabling agreements with Amazon and Google. You can review UAB-approved AI tools. Many more AI tools remain under review.
-
Why are there delays in approving technology tools?
UAB IT remains committed to a streamlined but effective review of software. That review is based on data classification and risk with three service level agreements in place:
- If the software processes public data only, the software review is the same business day and in most cases, instantaneous.
- If the software processes sensitive data, the software review will occur within five business days.
- If the software processes restricted data, the software review will occur as quickly as possible. Depending on the use case, UAB IT or HSIS will be responsible for that review.
Over the last seven years, UAB IT has delivered according to these service level agreements 99.56% of the time. Please note this applies to campus procurements through UAB IT. It does not apply to procurements that go through HSIS.
-
Does the technology approval process mean that UAB is trying to restrict research software requests?
UAB’s policy does not seek to standardize research software that is discipline specific. If the research software has widespread adoption or application, then UAB would be interested in considering adding it to the Designated Technology Systems list.
-
Can software written or developed in-house as part of R&D and that we might distribute to colleagues to enable their research be approved for use at UAB?
If locally developed research software has widespread adoption or application, then UAB would be interested in considering adding it to the Designated Technology Systems list.
-
My department uses unique software. Does UAB process or policy restrict discipline-specific software?
UAB policy does not seek to standardize research software that is discipline specific.
-
Can UAB develop department-specific guidelines that recognize the unique needs of research software, ensuring both security and flexibility?
UAB is not seeking to apply a one-size-fits-all approach to research software unless there is widespread use and adoption of the software at UAB.
-
The Designated Technology Systems list does not include software I typically use. What can I do about this?
Follow the process outlined for review of IT-related tools and contracts.
-
Do software upgrades require a review?
Software updates do not require a review unless the data classification changes.
-
I am using a machine learning software. Does this need to be approved?
Machine learning is a type of AI and needs to be approved. It will be reviewed through a risk-based evaluation.
-
Can I use cloud-based systems used by research funding agencies and journals?
Yes, those are exempt from the purchasing process.
-
I am running an HSIS app on a campus system. Can I do this?
You should contact HSIS for guidance and approval.
-
Are the modules supported by the Cheaha high-performance computing system included in the Designated Technology Systems list?
Yes.
-
If I have contracts with software vendors that are not on the Designated Technology Systems list or in the IT Service Catalog, can they be grandfathered?
If the contracts went through UAB procurement and security review then they are approved. If they did not, they need to be reviewed.
UAB Designated Technology Systems
UAB maintains approved technology tools that are the authoritative data source for a given data element or piece of information, or the UAB resourced and preferred tools for a specific function. The chart below lists the approved technology tools, along with their functions and the users who may have access to them. Eligibility can vary by use case. You can sort by column and search the list.
| System | Functionality | Users | Usage |
|---|---|---|---|
| Canvas | Learning management system | Faculty/students | Academic Technologies |
| Matlab | Analytical software, Math, Data Science | Students/faculty/staff | Academic Technologies |
| SAS | Analytical software, Math, Data Science | Students/faculty/staff | Academic Technologies |
| GitLab | Code repository | Academic Technologies | |
| E2E Scheduling | Counselor/student scheduling | Staff/student | Academic Technologies |
| xTender | Document management | Staff/faculty | Academic Technologies |
| Profiles | Faculty activity reporting | Faculty | Academic Technologies |
| Tessitura | Online event ticketing | Staff | Academic Technologies |
| TurnItIn | Plagiarism detection | Faculty | Academic Technologies |
| EndNote | Reference management | Faculty/Staff/Students | Academic Technologies |
| Camtasia | Screen recorder, video editor | Faculty | Academic Technologies |
| Banner | Student information system | Faculty/Students | Academic Technologies |
| ProctorU | Student proctoring | Students | Academic Technologies |
| Mathematica | Analytical software, Math, Data Science | Faculty/Staff/Students | Academic Technologies |
| EllucianCRM Advance | Alumni and donor CRM | Advancement | Advancement Technologies |
| Salesforce Salescloud | Email marketing, recruitment, admissions | Staff | Marketing and Web Technologies, Advancement Technologies |
| Anthology Encompass | Online Alumni portal and donor giving platform | Staff | Advancement Technologies |
| GiveCampus | Online crowdfunding giving platform | Staff | Advancement Technologies |
| DonorSearch | Donor insights and identification tool | Staff | Advancement Technologies |
| Candid | Foundation Research Tool | Staff | Advancement Technologies |
| Pentera | Planned Giving Communications | Staff | Advancement Technologies |
| ThankView/Evertrue | Short Video Donor Engagement | Staff | Advancement Technologies |
| Paciolan | Donations and ticket sales | Athletics | Athletics Technologies |
| Azure | Cloud | Faculty/Staff | Common User Technologies |
| Adobe Creative Cloud | Work productivity and creative services | Students/Faculty/Staff | Common User Technologies |
| Adobe Sign | Electronic signature | Students/Faculty/Staff | Common User Technologies |
| UABFile | File services | Faculty/Staff | Common User Technologies |
| Box | Research storage | Faculty/Staff | Common User Technologies |
| Citrix | Desktop virtualization | Faculty/Staff | Common User Technologies |
| Lsoft Listserv | Email management | IT staff | Common User Technologies |
| Microsoft Active Directory | Directory service | IT staff | Common User Technologies |
| Bookings | Appointment scheduler | Faculty/Staff | Common User Technologies |
| Copilot with Data Protection | AI Tool | Faculty/Staff/Students | Common User Technologies |
| LDAP | Directory service | IT staff | Common User Technologies |
| Teams | Chat, storage, video conferencing | Faculty/Staff/Students | Common User Technologies |
| Dev Ops | Code repository | IT Staff | Common User Technologies |
| Visio | Diagram creation | Faculty/Staff | Common User Technologies |
| OneDrive | Academic storage | Faculty/Staff/Students | Common User Technologies |
| Exchange | Faculty/Staff/Students | Common User Technologies | |
| In-Tune | Endpoint protection | IT Staff | Common User Technologies |
| Project | Project management system | Faculty/Staff/Students | Common User Technologies |
| Planner | Project work | Faculty/Staff | Common User Technologies |
| PowerBI | Reporting | Faculty/Staff | Common User Technologies |
| Tableau | Reporting | Faculty/Staff | Common User Technologies |
| Forms | Public survey Tool | Faculty/Staff/Students | Common User Technologies |
| Qualtrics | Public survey tool | Faculty/Staff/Students | Common User Technologies |
| Zoom | Video conferencing | Staff/Faculty/Students | Common User Technologies |
| Axiom | Budgeting | Staff | Financial and HR Technologies |
| BenefitFocus | Benefits | Faculty/Staff | Financial and HR Technologies |
| Blackboard Transact | Dining transaction software | Staff | Financial and HR Technologies |
| OnBase | Document and process management | Faculty/Staff | Financial and HR Technologies |
| Sunflower | Asset management system | Staff | Financial and HR Technologies |
| Taleo | Employee recruiting | Staff | Financial and HR Technologies |
| PeopleAdmin | Faculty recruiting | Faculty | Financial and HR Technologies |
| Oracle Enterprise Business Suite | Finance and payroll; human resources | Faculty/Staff | Financial and HR Technologies |
| Docebo | Learning management system for HR | Faculty/Staff | Financial and HR Technologies |
| TouchNet | Payment gateway and student cashiering | Staff | Financial and HR Technologies |
| Kronos | Timekeeping | Staff | Financial and HR Technologies |
| Beyond Trust | Desktop remote support | IT Staff | UAB IT Technologies |
| Microsoft SCCM | Patch management | IT Staff | UAB IT Technologies |
| Jamf | Apple patch management | IT Staff | UAB IT Technologies |
| FileIO | File workflow | Faculty/Staff | UAB IT Technologies |
| Grouper | Group management | IT Staff | UAB IT Technologies |
| IDM | Identity management | IT Staff | UAB IT Technologies |
| ServiceNow | Ticketing system, CMDB | IT Staff | UAB IT Technologies |
| Redhat | Operating system | Faculty/Staff | UAB IT Technologies |
| Enterprise Linux | Linux operating system | Faculty/Staff | UAB IT Technologies |
| Satellite | Linux patch management | IT Staff | UAB IT Technologies |
| Campus M | Mobile application | IT Staff | UAB IT Technologies |
| EMS | Room scheduling | Faculty/Staff | UAB IT Technologies |
| Shibboleth | SAML-based authentication | IT Staff | UAB IT Technologies |
| SolarWinds | Server and system monitoring | IT Staff | UAB IT Technologies |
| Commvault | Server backup and restore | IT Staff | UAB IT Technologies |
| Cyberark | Server privileged access management | IT Staff | UAB IT Technologies |
| CAS | Single sign-on | IT Staff | UAB IT Technologies |
| VMWare | Server virtualization | Faculty/Staff | UAB IT Technologies |
| ControlM | Workflow management | IT Staff | UAB IT Technologies |
| Joomla | Web authoring | Staff | Marketing and Web Technologies |
| WordPress | Web authoring | Faculty/Staff | Marketing and Web Technologies |
| ESM | Content management | Staff | Marketing and Web Technologies |
| SCALA | Digital signage | Faculty/Staff | Marketing and Web Technologies |
| Marketing Cloud | Email, texting | Staff | Marketing and Web Technologies |
| Meltwater | Media pitching/press releases | Staff | Marketing and Web Technologies |
| Form Assembly | Online forms | Staff | Marketing and Web Technologies |
| Flow Paper | PDF flipbooks for websites | Faculty/Staff | Marketing and Web Technologies |
| R Studio | Analytical Software, Math, Data Science | Faculty/Staff | Research Technologies |
| Anaconda | Analytical software, Math, Data Science | Faculty/Staff | Research Technologies |
| IRAP (Info Ed) | Research Administration | Faculty/Staff | Research Technologies |
| Club Automation | Rec center management | Staff | Student Affairs |
| Maxient | Student conduct case management | Staff | Student Affairs |
Fullscreen not available on IOS
Blaze and the Fractured Jewel
You wouldn't believe it! Data, our crown jewel at UAB, has shattered into five pieces. Want to be a hero and help us piece the shards back together? Become a Data Defender and help Blaze rescue the data before it falls into the wrong hands!
