The Data Classification Requirement is a standard effort to identify and classify UAB’s data as restricted/PHI, sensitive or public.
There are three classes of data as defined in the standard:
- Public Data is available to the general public and if disclosed will not cause harm to UAB.
- Sensitive data is not readily accessible or available to the general public and may require authentication for access.
- Restricted/PHI data is only available to authorized users with permission of the Data Owner for a specific purpose. It is usually regulated by law or contractual obligation.
There are three primary reasons to classify data:
- Security - It is much more difficult to secure data when you don’t know the appropriate level of security to apply. In the effort to secure the assets of UAB, data classification goes a long way toward simplifying this work.
- Simplicity - There are a myriad of compliance requirements, rules and laws that apply to various types of data. Data classification allows us to simplify protection requirements and reduce the complexity of security rules.
- Cost - Knowing what types of data we have tells us how each type should be protected. This allows UAB to avoid applying overly restrictive security controls to data that doesn’t need them.
UAB data users are responsible for following use and handling policies for the UAB data and UAB systems as well as applicable rules and laws. Data users should not store or process sensitive data on their desktop or laptop computers without approval and appropriate security safeguards in place. Report breaches to the information security office and complete annual security awareness training.
UAB data stewards are responsible for the policy and practice decisions regarding their data and for classifying the sensitivity of that data. They define protection requirements for the data based on its sensitivity, any legal or regulatory requirements, and business needs. They communicate data protection requirements to the Data Custodians and/or System Administrators and define requirements for access to the data. Data owners are also to complete annual role-based training.
I use DropBox or other personal cloud services for my work. Am I in violation of this standard?
In most cases, yes. UAB must have a contract with the cloud provider to ensure the data is protected appropriately. Personal services do not provide the appropriate level of protection for Institutional data. Do not store sensitive information on cloud storage services for which UAB does not have an approved institutional-level contract covering sensitive or restricted data.
- Public - UAB Box or UAB Microsoft OneDrive
- Sensitive - UAB Box
- Restricted - UAB Box, subject to any applicable laws. PHI and credit card information are prohibited.
The classification of research data depends on several factors such as the type of data and/or contractual elements, and thus may fall into any of the classifications defined herein. Likewise, time of release and collaboration affect the classification of research data. As such, certain unpublished research data may be classified as private or sensitive until such time as the research is published. Likewise, intellectual property that has not been disclosed to or protected by the IIE may need to be classified as sensitive. Additionally, federal laws, rules and regulations (including but not limited to FISMA, HIPAA, FERPA, and Export Controls), sponsor requirements, and UAB policies and guidelines will necessitate a certain classification. It is incumbent upon the Researcher to know the type of data and the circumstances governing the data, and to classify it accordingly. Once classified, the Researcher will need to maintain the data using the appropriate UAB system of record or database with the access and security controls aligned to the classification standard. For example, not all UAB data storage options are recommended for sensitive data. Research data shall also be maintained in accordance with UAB’s Record Retention Policy and record retention schedule. For more information about protected research data please refer to the UAB OVPRED or the UAB IT Data Officer.
I have a need to travel with Restricted university data. How can I do this in a secure way?
First you must request that an exception be granted. Restricted data must be encrypted if stored on a mobile or remote device.
What are my responsibilities as a Data User with regard to data classification?
- Reading and complying with UAB IT policies.
- Reporting breaches of IT security, actual or suspected, to the Information Security Office.
- Taking reasonable and prudent steps to protect the security of IT systems and data to which you have access.
- Completing annual IT Security Awareness Training.
What are my responsibilities as a System Administrator with regard to data classification?
- Implementing, managing, and/or operating a system or systems at the direction of the System Owner, Data Owner, and/or Data Custodian.
- Performing day-to-day administration of IT systems, and implementing security controls and other requirements of the University’s information security program.
- Completing annual role-based training.
- Each system should have at least two System Administrators (one primary, one secondary).
What are my responsibilities as a Data Custodian with regard to data classification?
- Protecting the data in their possession from unauthorized access, alteration, destruction, or usage.
- Establishing, monitoring, and operating IT systems in a manner consistent with Radford University Information Security policies and standards.
- Providing Data Owners with reports, when necessary and applicable.
- Completing annual role-based training.
What are my responsibilities as a Data Steward with regard to data classification?
- Making the policy and practice decisions regarding the data.
- Evaluating and classifying the sensitivity of the data.
- Defining protection requirements for the data based on its sensitivity, any legal or regulatory requirements, and business needs.
- Communicating data protection requirements to the Data Custodians and/or System Administrators.
- Defining requirements for approving access to the data.
- Defining requirements for regular auditing and removal of access to the data.
- Completing annual role-based training.
The UAB Data Classification scheme and protection requirements only apply to UAB institutional data. Use due care when handling your own personal data.