Classification System
UAB IT worked closely with information security officials from UAB Health System to develop the three level data classification system for all data. This system establishes roles and responsibilities for those individuals and groups who will safeguard and use UAB data. Many of the policies and guidelines established to support this classification system are required by federal law and UAB must remain compliant.
What’s your data?
Public Data
Public data is data that can be disclosed to the general public without harm.
Examples of public data include phone directory information, course catalogs, public research findings, enrollment figures, public web sites, general benefits data, press releases, newsletters and other similar information.
Sensitive Data
Sensitive data is data that should be kept confidential, with access requiring authorization or legitimate need-to-know involvement.
Examples of sensitive data include FERPA information, budgetary plans, proprietary business plans, patent pending information, export controls information and data protected by law.
Restricted/PHI data
Restricted/PHI data is sensitive data that is highly confidential in nature, and carries significant risk from unauthorized access. Privacy and security controls are typically required by law or contract for this data.
Examples include Social Security numbers, credit card numbers (PCI), personally identified information, protected health information, GLBA data, export controlled data, FISMA regulated data, login credentials, and information protected by non-disclosure agreements. Fill out the Risk Assessment form for more information.
Can you store or share data?
See the table below for guidance on how you can store and transmit data. Electronic storage and emailing of credit card numbers is never allowed.
| Public | Sensitive | Restricted/PHI | |
|---|---|---|---|
| UABFile Share | |||
| Desktop C Drive | password required; encryption optional. |
||
| Laptop C Drive | password required; encryption optional. |
password/pin and encryption required. |
|
| UAB Box | Risk assessment required. |
||
| Personal accounts | |||
| Thumb Drive | encryption required. |
||
| Mobile Device | device password/pin and encryption required. |
device password/pin and encryption required. |
|
| UAB Email | only to uab.edu or uabmc.edu email addresses. |
||
| UABMC Email | only to uab.edu or uabmc.edu email addresses. |
requires third-party encryption tool to send externally. |
What’s your role & responsibility?
Data stewards
Data stewards have administrative control and are officially accountable for a specific information set.
Data custodians
Data custodians safeguard the data on behalf of the data steward. While data stewards are ultimately responsible for the security of data, data custodians ensure the security controls are in place.
UAB Information Security
Members of the UAB IT and UAB Health System information security teams are responsible for developing and implementing the information security program, as well as the supporting data security and protection policies and procedures.
Information Security Liaisons
Each unit or department senior manager will choose one ISL to act as a liaison with the UAB Information Security team. ISLs oversee information security responsibilities for the departments, including security awareness and security incident response.
System administrators
System administrators in UAB IT, HSIS and school/department units who are responsible for day-to-day maintenance of information systems are responsible for following data security protection procedures and practices.
Data users
Data users refers to individuals authorized to access UAB data and who are responsible for protecting information assets on a daily basis through adherence to UAB policies.