December 19, 2016
Related Policies, Procedures, and Resources
The objective of this data classification requirement is to assist the UAB community in the classification of data and systems to determine the appropriate level of security.
2.0 Scope and Applicability
All UAB data stored, processed, or transmitted must be classified in accordance with this requirement. Based on that classification, users are required to implement the appropriate security controls.
3.1 Classifying data
All UAB data must be classified into one of the following three categories.
| Category | Definition | Examples |
| --- | --- | --- |
| Public Data | Data that may be disclosed to the general public without harm. | Public phone directory, course catalogs, public research findings, enrollment figures, public web sites, general benefits data, press releases, newsletters, etc. |
| Sensitive Data | Data that should be kept confidential. Access to these data requires authorization and a legitimate need-to-know. Confidentiality may be required by law or contract. | FERPA-protected student records, budgetary plans, internal communications, proprietary business plans, patent-pending information, export-controlled information, and other data protected by law. |
| Restricted/PHI Data | Sensitive Data that is highly confidential in nature, that carries significant risk from unauthorized access, or whose uninterrupted availability is critical to UAB operations. Privacy and security controls are typically required by law or contract. | HIPAA PHI, Social Security numbers, credit card numbers (PCI DSS), GLBA data, Export Controlled data, FISMA-regulated data, log-in credentials, and information protected by non-disclosure agreements. |

Note regarding classification of research data: The classification of research data depends on several factors that can, and often do, change as research progresses. It is incumbent upon the researcher to know the type of data and the circumstances governing it, and to classify it accordingly.
Abbreviations used: FERPA (Family Educational Rights and Privacy Act), HIPAA (Health Insurance Portability and Accountability Act), PHI (protected health information), PCI DSS (Payment Card Industry Data Security Standard), GLBA (Gramm-Leach-Bliley Act), and FISMA (Federal Information Security Management Act).