- Contracts* for software, subscriptions, or services (including software maintenance) that include
- Hosting/processing/transmission of UAB data external to UAB
- PCI (Payment Card Industry) acceptance/processing of credit card transactions
- Design, creation, maintenance, support, and/or hosting of any website/webpage
- Personally identifiable information (PII) or protected health information (PHI) - does not include Health System Agreements, which are managed by HSIS
- Audit language
- Custom software development
- Agreements for products where a similar product or standard is already available/supported at UAB
- Hardware purchase with embedded software with any of the above
- *NOTE: For agreements that include the type of information listed above, documents/agreements must be executable, meaning they have signature lines for both UAB and the vendor. Printing a 'click-agreement' or printing language from a website and submitting as an 'agreement' for review does not guarantee that the vendor will ever see changes/addendums that UAB may make or add to the agreement.
- Don't base fees/costs on FTE numbers as these numbers can change each year;
- No annual escalators;
- Include vendor service level expectations with remedies if they are not met/maintained;
- Include 'piggyback clauses' where the agreement can be used by other institutions in the UA System;
- If the vendor holds/processes any UAB data, make sure the agreement contains a data exit clause that ensures UAB data is returned at no cost to UAB and in a timely manner;
- For agreements with professional services:
  - clearly define responsibilities and expectations of each party
  - limit travel costs for any on-site work to actual costs and to no more than 15% of the actual professional services you pay
  - include language indicating the vendor will follow UAB on-site rules if working on UAB property (see the FORMS LIBRARY SECTION)
  - include language indicating the vendor must be aware of and follow UAB's Acceptable Use of Computer policy (see the FORMS LIBRARY SECTION) when connecting devices to the UAB network
- Don't agree to pay for services/products up front. Base payment on milestones or completion and UAB written acceptance;
- In most cases agreements should renew annually upon mutual agreement and with issuance of a UAB PO. Agreements should not renew automatically, nor require you to notify the vendor xx days before the renewal date in order to stop renewal.
- For contracts that IT initiates, a standard agreement review template is used to evaluate risk. You can download a copy of that template here for your own use.
- 2048-bit or 4096-bit RSA keys (in accordance with FIPS 140-2 §4.7.3)
- UAB has contracted with InCommon for TLS certificates for all of uab.edu. UAB systems using PKI should use these InCommon certificates. InCommon certificates can be ordered here.
- Self-signed certificates are not recommended, nor are the use of other Certificate Authorities (CA). If you need to use any of these, contact Enterprise Information Security with a request through AskIT.
- Wildcard certificates should not be used. If you need to use a wildcard certificate, contact Enterprise Information Security through AskIT.
- TLSv1.2 is the current version of the protocol and provides the strongest protection. The use of this protocol is strongly recommended.
- TLSv1.0 and TLSv1.1 are acceptable. TLSv1.0 should be phased out as soon as possible.
- SSLv2 and SSLv3 are not allowed for TLS encryption at UAB.
- You must use FIPS 140-2 validated cryptographic modules where compliance requires it.
- Use AES-256 or AES-128 for symmetric ciphers.
- Use RSA-2048 or RSA-4096 for non-elliptic curve public key cryptography.
- Use Diffie-Hellman Ephemeral (DHE) or Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) for key exchange with forward secrecy.
- Use SHA-2 rather than MD5 or SHA-1 for signatures and other hashing.
- You should use ciphers that provide at least 128 bits of real security, or 3DES (112 bits effective).
- You should order ciphers by highest strength first.
- Export (low-strength) ciphers are not allowed.
- You should include ciphers that provide Perfect Forward Secrecy.
- Cipher selection should prioritize confidentiality first, then performance.
- You should only use Transport Layer Security where it is required to protect information.
- Web applications should not mix secure (HTTPS) and insecure (HTTP) content. Use the single mediation model.
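As an added example (not part of the UAB standard or its Apache configuration), the following Python script classifies OpenSSL-style cipher-suite names using the HIGH/MEDIUM/EXPORT definitions from the glossary further down this page, and then checks an ordered suite list against the rules above: AES preferred, at least 128 bits or 3DES, no export, aNULL or eNULL suites, no MD5, at least one DHE/ECDHE suite, and strongest first. The per-cipher key sizes and the name prefixes it relies on are assumptions taken from OpenSSL's cipher naming, and the two suite lists are constructed for the demonstration.

```python
"""Classify OpenSSL cipher-suite names and check an ordered list against the
UAB cipher rules.  Added example, not part of the UAB standard.  Key sizes per
cipher token and the kex/auth prefixes are assumed from OpenSSL's naming."""

# Symmetric cipher token -> (effective key bits, family).  Assumption: OpenSSL names.
SYMMETRIC = {
    "AES256": (256, "AES"), "AES128": (128, "AES"),
    "CAMELLIA256": (256, "CAMELLIA"), "CAMELLIA128": (128, "CAMELLIA"),
    "CHACHA20": (256, "CHACHA20"),
    "DES-CBC3": (112, "3DES"),   # 168-bit key, 112 bits effective (meet-in-the-middle)
    "RC4": (128, "RC4"),
    "SEED": (128, "SEED"),
    "RC2-CBC": (128, "RC2"),
    "DES-CBC": (56, "DES"),
    "NULL": (0, "NULL"),
}
EXPORT_PREFIXES = ("EXP-", "EXP1024-")
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")      # ephemeral key exchange -> forward secrecy
ANON_PREFIXES = ("ADH-", "AECDH-")             # unauthenticated key exchange (aNULL)


def classify(name):
    """Return the attributes of one OpenSSL-style cipher-suite name."""
    export = name.startswith(EXPORT_PREFIXES)
    base = name.split("-", 1)[1] if export else name
    # Longest token first so that DES-CBC3 is matched before DES-CBC.
    matches = [t for t in sorted(SYMMETRIC, key=len, reverse=True) if t in base]
    if not matches:
        raise ValueError(f"unknown symmetric cipher in {name}")
    bits, family = SYMMETRIC[matches[0]]
    if export:                       # export suites cap the key at 40 (EXP-) or 56 (EXP1024-) bits
        bits = 56 if name.startswith("EXP1024-") else 40
    if family == "NULL":
        category = "NULL"            # eNULL: no encryption at all
    elif export or bits <= 64:
        category = "EXPORT"          # page definition: 64-bit keys or less
    elif bits >= 128 or family == "3DES":
        category = "HIGH"            # page definition: >=128 bits, 3DES included
    else:
        category = "MEDIUM"
    return {
        "name": name, "bits": bits, "family": family, "category": category,
        "export": export,
        "pfs": base.startswith(PFS_PREFIXES),
        "anonymous": base.startswith(ANON_PREFIXES),
        "digest": name.rsplit("-", 1)[-1],   # MD5, SHA (SHA-1), SHA256, SHA384, POLY1305
    }


def evaluate(suites):
    """Check an ordered suite list; returns rule violations and softer warnings."""
    problems, warnings = [], []
    has_pfs, ordered, prev_bits = False, True, None
    for name in suites:
        c = classify(name)
        if c["family"] == "NULL":
            problems.append(f"{name}: no encryption (eNULL)")
        elif c["category"] == "EXPORT":
            problems.append(f"{name}: export/low-strength cipher")
        elif c["category"] == "MEDIUM":
            problems.append(f"{name}: below 128-bit security")
        if c["anonymous"]:
            problems.append(f"{name}: unauthenticated key exchange (aNULL)")
        if c["digest"] == "MD5":
            problems.append(f"{name}: MD5-based MAC")
        if c["family"] == "RC4":
            warnings.append(f"{name}: RC4 keystream biases argue against use in new systems")
        elif c["family"] == "3DES":
            warnings.append(f"{name}: 3DES counts as HIGH but gives only 112-bit security")
        elif c["family"] not in ("AES", "NULL"):
            warnings.append(f"{name}: non-AES symmetric cipher ({c['family']})")
        has_pfs = has_pfs or c["pfs"]
        if prev_bits is not None and c["bits"] > prev_bits:
            ordered = False          # a stronger suite after a weaker one
        prev_bits = c["bits"]
    if not has_pfs:
        problems.append("no forward-secrecy (DHE/ECDHE) suite in the list")
    if not ordered:
        problems.append("suites are not ordered strongest first")
    return {"ok": not problems, "problems": problems, "warnings": warnings}


# Constructed suite lists for the demonstration.
MODERN = ["ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
          "ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA256", "AES128-SHA"]
LEGACY = ["AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384", "RC4-SHA",
          "EXP-RC4-MD5", "ADH-AES256-SHA", "NULL-SHA"]

if __name__ == "__main__":
    for label, suites in (("modern", MODERN), ("legacy", LEGACY)):
        result = evaluate(suites)
        print(label, "ok" if result["ok"] else "FAIL")
        for line in result["problems"] + result["warnings"]:
            print("   ", line)
```

To check a real server, expand its SSLCipherSuite string with `openssl ciphers 'EECDH+aRSA+AESGCM:...'` (OpenSSL accepts spaces as well as colons between entries) and pass the resulting colon-separated suite names to evaluate(); the script deliberately works on expanded names rather than on group keywords such as EECDH+aRSA, which only OpenSSL itself can resolve for a given build.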
- Qualys SSL Labs: SSL/TLS Deployment Best Practices
- Open Web Application Security Project (OWASP): Transport Layer Protection Cheat Sheet
- FIPS 140-2 for Mere Mortals
- Elliptic Curve Cryptography
- Applied Crypto Hardening
- Recommendations for Secure Use of TLS and DTLS (RFC 7525)
- Tool for Configuring Microsoft IIS TLS Cryptography, NarTac Software
Recommended configuration for Apache 2
Make sure you add these directives to the main port 443 server and that no virtual host contains overriding statements.
# SSLHonorCipherOrder is not a valid directive in Apache 2.0; use it only in 2.2 and 2.4. Anything older than Apache 2.0 should be disconnected from the network.
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
# Gives perfect forward secrecy, but saw odd things on www with this; may revisit after older browsers diminish in use.
# Note that this list still permits RC4 (see the glossary below); drop the RC4 entries where legacy clients do not need them.
#SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW"
Special thanks to Ed Harris for the recommendations for Apache 2.
The registry (.reg) files for Microsoft Windows Server versions 2003, 2008r2 and 2012r2 have been posted to the UAB IT software download site. These files contain registry settings that have been tested and verified to conform to the UAB encryption standard and will assist system administrators in configuring their servers to meet that standard.
File MD5 Hashes
- 2003std.reg - E1A7F5FC9AA6B3AEC4B1D9F2ED1EECD8
- 2008r2.reg - 94CCC4AFD6D1E05A687B65EF382E5CFC
- 2012r2.reg - 94CCC4AFD6D1E05A687B65EF382E5CFC
Special thanks to Jim Clark and Patrick Gustin for the significant efforts to build and test these configurations.
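Before importing one of the posted .reg files, verify the download against the published hash and read what it will change. The script below is an added example (not one of the UAB files) that checks a file's MD5 against the list above, parses the SCHANNEL protocol entries of a .reg file, and reports any protocol setting that contradicts the standard (SSLv2 and SSLv3 disabled, TLSv1.2 enabled). The .reg text embedded in it is constructed to resemble such a file and is not a copy of the real ones, so its hash will not match. Two caveats a practitioner should keep in mind: the page lists the same hash for 2008r2.reg and 2012r2.reg, so check each file against the value for its own name, and an MD5 match only guards against a corrupted download, not against a substituted file (the standard itself prefers SHA-2 over MD5).

```python
"""Verify a downloaded SCHANNEL .reg file against the published hash and audit
the protocol settings it contains before importing it.  Added example; the
sample .reg text below is constructed and is not one of the UAB files."""
import hashlib
import re

# Hashes as published on the page (file name -> MD5 hex digest).
PUBLISHED_MD5 = {
    "2003std.reg": "E1A7F5FC9AA6B3AEC4B1D9F2ED1EECD8",
    "2008r2.reg": "94CCC4AFD6D1E05A687B65EF382E5CFC",
    "2012r2.reg": "94CCC4AFD6D1E05A687B65EF382E5CFC",
}

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

# Constructed sample of a conforming file.  Real regedit exports are UTF-16LE with
# a BOM: hash the raw bytes of the download, never a re-decoded copy.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
"""


def verify_download(filename, data):
    """True when the MD5 of the downloaded bytes matches the published value."""
    return hashlib.md5(data).hexdigest().upper() == PUBLISHED_MD5[filename]


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg file body."""
    settings, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            current = key.group(1)
            settings.setdefault(current, {})
            continue
        value = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if value and current is not None:
            settings[current][value.group(1)] = int(value.group(2), 16)
    return settings


def protocol_enabled(settings, protocol, side="Server"):
    """True/False for an explicit Enabled value; None when the file does not touch it."""
    values = settings.get(f"{SCHANNEL}\\Protocols\\{protocol}\\{side}")
    if values is None or "Enabled" not in values:
        return None
    return values["Enabled"] != 0          # 0 disables; 1 or 0xffffffff enables


def audit_schannel(settings):
    """List the ways the file falls short of the standard (SSLv2/v3 off, TLSv1.2 on)."""
    findings = []
    for protocol in ("SSL 2.0", "SSL 3.0"):
        if protocol_enabled(settings, protocol) is not False:
            findings.append(f"{protocol} not disabled")
    if protocol_enabled(settings, "TLS 1.2") is not True:
        findings.append("TLS 1.2 not explicitly enabled")
    return findings


if __name__ == "__main__":
    data = SAMPLE_REG.encode()
    print("hash matches 2012r2.reg:", verify_download("2012r2.reg", data))
    print("findings:", audit_schannel(parse_reg(SAMPLE_REG)) or "none")
```

For a real download, read the file in binary mode, pass the bytes to verify_download() and the decoded text (UTF-16 for regedit exports) to parse_reg(); only import the file once both checks come back clean.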
- HIGH: Encryption suites with key lengths equal to or larger than 128 bits. Included in this definition is the 3DES (Triple DES (Data Encryption Standard)) encryption suite.
- MEDIUM: Encryption suites with key lengths that are less than 128 bit but not included in those categorized as “export”. Does not include 3DES.
- EXPORT (LOW): Encryption suites with key lengths that are 64 bit or less.
- Rivest, Shamir, and Adleman (RSA): RSA is one of the first practicable public-key cryptosystems and is widely used for secure data transmission.
- Diffie-Hellman (DH): DH is a specific method of securely exchanging cryptographic keys and was the first specific example of public-key cryptography as originally conceptualized by Ralph Merkle.
- Elliptic curve Diffie-Hellman (ECDH): A key agreement protocol that allows two parties, each having an elliptic curve public-private key pair, to establish a shared secret over an insecure channel. On its own it is anonymous (unauthenticated); in TLS the X.509 certificate supplies the authentication.
- Transport Layer Security (TLS): Cryptographic protocols designed to provide communications security over a computer network. They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key.
- AES128, AES256, AES: A specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology in 2001. AES is based on the Rijndael cipher developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, who submitted a proposal to NIST during the AES selection process. Implementations are available using 128 bit AES or 256 bit AES.
- AESGCM: AES in Galois/Counter Mode (GCM). These cipher suites are only supported in TLS v1.2 (and later).
- 3DES: Triple DES is the common name for the Triple Data Encryption Algorithm symmetric-key block cipher, which applies the Data Encryption Standard cipher algorithm three times to each data block.
- DES: Once a predominant symmetric-key algorithm for the encryption of electronic data. It was highly influential in the advancement of modern cryptography in the academic world. Developed in the early 1970s at IBM and based on an earlier design by Horst Feistel. DES is now considered to be insecure for many applications. This is chiefly due to the 56-bit key size being too small.
- RC4: In cryptography, RC4 is the most widely used software stream cipher and is used in popular Internet protocols such as Transport Layer Security. While remarkable for its simplicity and speed in software, RC4 has weaknesses that argue against its use in new systems. It is especially vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used; some ways of using RC4 can lead to very insecure protocols such as WEP.
- RC2
- Pre-shared keys (PSK): A pre-shared key (PSK) is a shared secret that was previously exchanged between the two parties over some secure channel before it is used. A key derivation function should be used to build the actual key from the shared secret. Such systems almost always use symmetric-key cryptographic algorithms.
- Certificate Authority (CA): A certificate authority or certification authority is an entity that issues digital certificates.
- Secure Sockets Layer (SSL): A protocol developed by Netscape for transmitting private documents via the Internet. SSL version 3.0 was released in 1996. As of 2014 the 3.0 version of SSL is considered insecure as it is vulnerable to the POODLE attack that affects all block ciphers in SSL; and RC4, the only non-block cipher supported by SSL 3.0, is also feasibly broken as used in SSL 3.0.
Summer 2015 | Issue No. 8
March 2015 | Issue No. 6
February 2015 | Issue No. 5
January 2015 | Issue No. 4
December 2014 | Issue No. 3
November 2014 | Issue No. 2
October 2014 | Issue No. 1
UAB has contracted with DriveSavers to provide data recovery services for the UAB community. DriveSavers is the only data recovery company in the industry that undergoes annual SAS 70 Type II audits and is HIPAA compliant, offering the highest level of data security available. DriveSavers is also compliant with FAR 52.224-2 (Privacy Act), ISO 17799, the Sarbanes-Oxley Act of 2002 (SOX), the US government Data-At-Rest (DAR) mandate, the Gramm-Leach-Bliley Act (GLBA) and NIST Special Publication 800-34 (Rev. 1).
To view DriveSavers certifications, and learn more about Data Recovery Industry standards,
Run SpinRite to analyze your hard disk in order to identify and attempt to correct any disk errors prior to encryption.
*While Windows XP is shown in the following video, the steps can be used for both Windows XP or Windows Vista platforms.
Flaws are found in application software on a regular basis, and the manufacturer often corrects these issues by releasing patches or new versions. To determine whether your system is running outdated versions of software, use the Microsoft Baseline Security Analyzer.
*While Windows Vista is shown in the following video, the steps can be used for both Windows XP or Windows Vista platforms.
Do you use your laptop for UAB business?
Do you provide your own tech support?
Has your laptop been encrypted?
If you answered yes to the first two questions but have not encrypted your laptop, you are encouraged to take advantage of the options listed below to protect UAB data by encrypting your laptop.
HSIS Customers: Please contact the Health System Information Services (HSIS) Help Desk by email or by phone at 205-934-8888 for assistance with laptop encryption.
AskIT Customers: Please choose from the options listed below or contact the AskIT help desk at 205-996-5555 for assistance with laptop encryption.
Laptop Encryption Options:
Option 1 - Let Us Do It For You!
This option requires that the laptop is dropped off at one of our locations for at least 1-2 business days. The following procedures will be performed on your machine:
- Backing up your data
- Verifying or installing antivirus software
- Updating antivirus definitions and scanning for viruses
- Scanning with hardware diagnostic software
- Installing operating system updates
- Defragmenting the hard drive
- Encrypting your laptop
Option 2 - Do It Yourself: "How-To" Documentation & Training Videos
This is a do it yourself option. Please refer to the documentation and training videos on the following topics for information on how to configure and encrypt laptop computers.
- How to create a strong password
- How to configure your laptop
- How to scan for missing patches
- How to update applications
- How to install OS updates
- How to install antivirus
- How to backup your machine
- How to defragment your hard drive
- How to run SpinRite hardware diagnostic software
- How to encrypt your laptop
Please feel free to contact us with any questions through our help desk, AskIT, by email or phone at 205-996-5555.
PGP Whole Disk Encryption software (or FileVault for Macs) is designed to provide an additional layer of security for your data. Encryption is required for laptops used for UAB Business, and it is highly recommended for desktops in theft-prone areas. PGP software essentially "locks down" your hard drive, making the data accessible only to you and those you authorize. The disk encryption, in conjunction with logon and screensaver passwords, protects UAB data if the computer is lost or stolen.
- Encrypting with Mac OS X FileVault 10.7 (Lion)
- Encrypting with Mac OS X FileVault 10.6 or Below
- PGP Whole Disk Encryption: Windows Installation Instructions
- PGP Whole Disk Encryption: Mac OS Installation Instructions
- Linux Encrypted File System: Fedora
- Linux Encrypted File System: Ubuntu
- Linux Encrypted File System: Ubuntu (advanced configuration)
- Microsoft BitLocker on Windows 8
Additional PGP Documentation:
- PGP Client License Troubleshooting
- Adding and Removing Users in PGP Desktop
- Portable Drives
- Virtual Disks
- Zip Encrypted Archives
- Reporting Issues
- Drive Recovery
- PGP Guide for Campus Administrators
- Windows XP Preinstallation Environment (PE) for PGP Whole Disk Encryption
- Devices Incompatible with PGP
UAB IT provides antivirus software for everyone at UAB, including for your personal home systems. To download Microsoft Forefront antivirus (Windows) or Sophos Anti-Virus (OS X), please click the link below and select from the available antivirus titles.
Please Note: There is a known incompatibility with Sophos and FileVault on Mac OS X 10.5.x. If you are using FileVault please do not install Sophos Antivirus at this time.