May 9, 2013

Purpose

Computer systems running vendor-unsupported or end-of-life operating systems are potential security threats to the UAB campus network. Vendors do not provide security patches for unsupported systems, and these unpatched systems can be exploited by attackers. Such exploitations can result in disrupted experiments, corrupted research data and/or completely compromised systems.  UABIT reserves the right to disconnect these computers from the campus network to mitigate this data breach risk (see UAB’s Acceptable Use of Computer and Network Resources policy).  UAB system administrators are responsible for maintaining the security of all information systems, per the campus Data Protection and Security Policy, which includes updating applications and operating systems.

Windows XP will not be supported after April 2014. Windows versions prior to Windows XP and any version of Mac OS X prior to version 10.6 should be considered unsupported.


Scope

The information in this guidance statement applies to all constituents internal to UAB.

Guidance

We recommend that systems running legacy, unsupported operating systems should not be used. They should be disconnected from the network because of the significant security risk to the university’s network and environment. If the device is critical and cannot be turned off or disconnected, the device should be physically isolated from the university network. If disconnection and/or isolation are not possible, then an exemption and risk acceptance form will need to be completed, signed by the appropriate dean or vice president, and filed with Enterprise Information Security.

Unsupported legacy operating systems:

Windows Family

Windows 95/98/ME

Windows 2000

Windows 2003

Windows XP after April 8, 2014

Mac OS X Family

Mac OS 9.x

OS X 10.5 (Leopard)

OS X 10.4 (Tiger)

OS X 10.3 (Panther)

OS X 10.2 (Jaguar)

Linux Distributions

Ubuntu 11.10 after May 9, 2013

Ubuntu 11.04 and Prior

Ubuntu 10.04.4 LTS

Debian 5.0 (lenny)

Debian 4.0 (etch)

Debian 3.1 (sarge)

Debian 3.0 (woody)

Other Unix OS

AIX prior to 6.1

Solaris prior to 9 (SunOS 5.9)

Questions can be directed to datasecurity@uab.edu or, by calling (205) 975-0842.


References

http://sppublic.ad.uab.edu/policies/pages/LibraryDetail.aspx?pID=38

http://support.microsoft.com/gp/lifeselect

http://www.debian.org/releases/

https://wiki.ubuntu.com/Releases

http://www-01.ibm.com/software/support/aix/lifecycle/index.html

http://www.sun.com/service/eosl/eosl_solaris.html

http://www.computerworld.com/s/article/9229784/Mac_users_left_wondering_if_OS_X_Snow_Leopard_s_retired




Cardholder privacy is important to the University of Alabama at Birmingham (UAB).  To better protect the privacy of cardholder data, UAB provides this privacy statement explaining the security and handling practices of cardholder data in the processing of payment card transactions.  This privacy statement shall be made available at any point where personally identifiable cardholder data may be requested by a UAB PCI Entity (merchant). 

This privacy statement applies to all cardholder data collected by or submitted to a UAB PCI Entity, or on a UAB-maintained website.  UAB PCI Entities and UAB websites will only collect personally identifiable information and cardholder data voluntarily provided by cardholders and customers, and will only use that information for the specific purposes for which it was provided.  UAB will keep this information strictly confidential, and will not disclose, sell, or lease the information to third parties unless required by law, or with the written permission of the cardholder. 

As with most websites used for payment card transaction services, UAB web servers collect web session data used to analyze site trends and gather broad demographic data.  UAB reserves the right to collect certain technical information of customers such as operating system, IP address, web browser software, and URL data through the use of cookies or other technology not linked to personally identifiable information or cardholder data. 

UAB-maintained websites may have links to other third party sites used for payment card transactions.  These third party sites may collect cardholder data and personally identifiable information through the use of forms or cookies, or from the customer's web browser.  Cardholders and customers are strongly encouraged to review the privacy policies of all third party websites outside the control of UAB for their procedures for collecting, utilizing, and disclosing cardholder data. 

UAB has made significant investment in security measures employed to protect cardholder data under its control.  Access to acquired cardholder data and personally identifiable information is limited to only those personnel for whom there is an established business need to access that data. 

For questions, comments, or concerns regarding this privacy statement, or UAB procedures for securely processing, storing, or transmitting cardholder data, please contact the AskIT Help Desk at (205) 996-5555.  UAB reserves the right to amend this privacy statement at any time, and will post this privacy statement and any updates at http://main.uab.edu/Sites/it/policies/payment-card-privacy/.

January 01, 2012

Policy Violations

While it is impossible to anticipate every possible violation, examples are provided below to assist in defining what is considered to be responsible and ethical behavior.  This list is not intended to be exhaustive; in general, any activity which does not directly contribute to UAB's mission may be considered inappropriate use. 

  • Commercial activities, advertising, or any other "for-profit" ventures not specifically approved by the UAB administration.
  • Sustained promotion of any non-UAB activity or venture, profit or non-profit, public or private, personal or commercial, without approval of the UAB administration.
  • Creating, displaying, or transmitting threatening, racist, sexist, or harassing language and/or materials.
  • Creating, displaying, transmitting, or obtaining obscene or pornographic materials or any form of content which violates state and/or federal statutes and/or local standards of decency.
  • Copyright and licensing violations including, but not limited to, providing or obtaining illegal copies of software or digital media (movies, videos, music, etc.) for which legal permission to distribute or possess has not been granted.
  • Vandalism or mischief intended to incapacitate, compromise, or destroy UAB or other facilities, resources, or services.
  • Forgery or attempted forgery of electronic mail or posts to electronic forums or any other act of deceptive labeling of the originator of an electronic communication.
  • Obtaining goods, services, or funds of any form via electronic means by using the name and/or credentials of another person or entity without their consent and knowledge.
  • Deliberately sending un-welcomed or off-topic messages to an individual or discussion forum. This includes continuing to send such messages after being asked by the individual or forum's owner/moderator to stop doing so even though the originator does not consider the material offensive or inappropriate.
  • Transmitting unreasonable quantities of data or messages to persons or groups without their consent or request.
  • Spamming or transmitting unsolicited material to a large number of individual persons and/or discussion lists, newsgroups, or other forums even though the material itself may not otherwise violate these guidelines.
  • Being a continued impediment to other users through mass consumption of computing or network resources after receipt of a request to cease such activity, even if the activity is not otherwise disallowed.
  • Transmitting without permission private information such as grades, medical records, financial data, or any other information that is protected by the Public Records Law or by legislation such as HIPAA, FERPA, etc.
  • Attempts to compromise computer and/or network security measures or providing information/instructions for how to do so.
  • Unauthorized, deliberate action which damages or disrupts a computing system or network, alters its normal performance, or causes it to malfunction. This includes intentional attempts to "crash" network systems or programs.
  • Attempts to gain unauthorized access to other systems on the UAB campus or the Internet.
  • Sharing of secure access credentials, such as passwords or private keys.
  • Attempts to guess, capture, "hack" or decrypt the secure access credentials of other users.
  • Attempts to possess, decrypt, or distribute data to which access has not been authorized.
  • Attempts to elevate system privileges or access without consent.
  • Unauthorized access of internal or external services through the use of stolen, guessed, hacked, copied, or discovered secure access credentials or other private data obtained without consent.
  • The willful or negligent introduction of computer "viruses" or other disruptive/destructive programs into the UAB network or into external networks.

Data Custodians must:

  • Designate appropriate individuals with system administration responsibilities, ensuring that their role in securing the system is defined in their job description, and that they are trained in administration and security of the system.
  • Ensure adherence to UAB guidelines and procedures for protecting data as found in IT Security Practices.
  • Ensure compliance with all stipulations of this and other UAB policies and other legal and regulatory requirements including those related to dissemination of data (UAB's Information Disclosure and Confidentiality Policy) and disposal of computer equipment and systems (UAB's Equipment Accounting standards, and "Guidelines for secure disposal of media containing sensitive information").
  • Ensure that risk assessments are performed (including disaster recovery plans, backup and contingency plans) as required by HIPAA for all PHI. Risk assessment is recommended for all other sensitive or mission critical data.
  • Ensure that documentation of data resources created, used, or stored within their area of control is maintained.
  • Ensure that systems containing sensitive information are physically secured from unauthorized access.
  • Ensure that the department/unit follows procedures to mitigate all identified compromises or identified data security threats.
  • Ensure that actual or suspected data security breaches, especially when involving sensitive data, are reported to the Data Security Office immediately and that any recommended corrective action is implemented.
  • Ensure that non-UAB entities or contracted third party vendors handle data in accordance with UAB policies and procedures.