Thursday, 10 September 2015 15:32

Encryption guidance

Data that are supported by federal funding must be protected by encryption that meets the federal encryption standard: FIPS 140-2.

If users are unsure about the sharing of UAB data, they can contact UAB IT's Enterprise Information Security unit for help determining the right protection to use.

7-Zip is open source software used to compress (zip) files and secure them with encryption. When you send or transfer files that contain Personally Identifiable Information (PII) or other confidential and sensitive data, the files must be encrypted to ensure they are protected from unauthorized disclosure.

7-Zip, like WinZip, creates a container called an archive that holds the files to be protected. That archive can be encrypted and protected with a password. 7-Zip is free software that can create Zip files that can be opened with WinZip or other similar programs.

To obtain a copy of 7-Zip please see and select the Download link.

Once the software is installed please follow these steps to encrypt a file or folder.

Step 1: Right click on the file / folder to be encrypted.

Step 2: Select “7-Zip” then “Add to archive…”

Step 3: In the Add to Archive window change the name of the archive you wish to create.

Step 4: Change the Archive format to “Zip.”

Step 5: Change the Encryption Method to “AES-256.”

There is a trade-off between using AES-256 and ZipCrypto. AES-256 is proven much more secure than ZipCrypto, but if you select AES-256 the recipient of the zip file may have to install 7-Zip or another zip program to read the file contents. Selecting ZipCrypto may allow users to open the zip file in Windows without a zip program, but it does not provide adequate protection against attackers with modern cracking tools.

It is strongly recommended to use AES-256 to protect sensitive and confidential data.

Step 6: Enter a Password. Use a strong password with at least 8 characters, containing upper- and lowercase letters and a minimum of one number.

Step 7: Select “OK” to create the encrypted archive file. The new archive file will be located in the same folder as the original.

Best security practices recommend that you do not email the password with the Zip file as it could be intercepted in transit. It is better to call the recipient of the Zip file and convey the password over the phone.
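A check that a sender or recipient can run to confirm that an archive produced by the steps above really uses AES-256 rather than ZipCrypto. This is an added example, not part of the original guidance: it reads only the ZIP headers, and the sample archives and helper names (`audit_archive`, `meets_guidance`, `build_sample_zip`) are constructed for illustration.

```python
import io
import struct
import zipfile

AES_METHOD = 99        # compression-method value used by AES-encrypted ZIP entries
AES_EXTRA_ID = 0x9901  # extra-field record that carries the AES key strength
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def entry_encryption(info):
    """Classify one zipfile.ZipInfo as 'none', 'ZipCrypto' or an AES variant."""
    if not info.flag_bits & 0x1:           # bit 0 clear: entry is not encrypted
        return "none"
    if info.flag_bits & 0x40:              # bit 6: PKWARE strong encryption
        return "PKWARE-strong"
    if info.compress_type != AES_METHOD:   # encrypted without the AES marker
        return "ZipCrypto"
    extra, pos = info.extra, 0
    while pos + 4 <= len(extra):           # walk the (id, size, body) records
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if header_id == AES_EXTRA_ID and len(body) >= 7:
            return AES_STRENGTH.get(body[4], "AES-unknown")
        pos += 4 + size
    return "AES-unknown"


def audit_archive(data):
    """Return {member name: encryption label} for a ZIP supplied as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Folder entries carry no data and are never encrypted, so skip them.
        return {i.filename: entry_encryption(i)
                for i in zf.infolist() if not i.is_dir()}


def meets_guidance(data):
    """True only if the archive has file members and every one is AES-256."""
    report = audit_archive(data)
    return bool(report) and all(v == "AES-256" for v in report.values())


def aes_extra(strength):
    """Constructed AES extra record: version 2, vendor 'AE', strength, Deflate."""
    return struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", strength, 8)


def build_sample_zip(name, flags, method, extra=b""):
    """Constructed one-entry ZIP; only headers matter, the payload is filler."""
    fname, payload = name.encode("ascii"), b"\x00" * 16
    common = struct.pack("<HHHHHIIIHH", 51, flags, method, 0, 0x21, 0,
                         len(payload), len(payload), len(fname), len(extra))
    local = b"PK\x03\x04" + common + fname + extra + payload
    central = (b"PK\x01\x02" + struct.pack("<H", 51) + common
               + struct.pack("<HHHII", 0, 0, 0, 0, 0) + fname + extra)
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 1, 1,
                                       len(central), len(local), 0)
    return local + central + eocd


if __name__ == "__main__":
    samples = {
        "aes256.zip": build_sample_zip("report.txt", 0x1, 99, aes_extra(3)),
        "zipcrypto.zip": build_sample_zip("report.txt", 0x1, 8),
    }
    for label, blob in samples.items():
        print(label, audit_archive(blob), "OK" if meets_guidance(blob) else "REJECT")
```

To check a real file, pass its bytes to `meets_guidance`, for example `meets_guidance(open(path, "rb").read())`; no password is needed because only the headers are inspected.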

The UAB Enterprise Information Security Department (EISD) is sponsoring a National CyberSecurity Awareness Month Video Contest for currently enrolled undergraduate students.

The top three winning submissions will be announced via email and signage.

There is no entry fee. The deadline for submission is noon, Friday, Oct. 23, 2015.

ELIGIBILITY: Prizes in this contest will be awarded to the best video submitted by an individual or group of currently enrolled undergraduate students. Participating students must be at least 19 years of age by September 5, 2015.

TO ENTER: During the contest period, sign up for a free YouTube account and follow the online instructions for registration.  The video’s format and size must follow YouTube’s video upload guidelines.

YouTube is not a sponsor of this contest. Lastly, the Contest Entry form must be read, completely filled out and submitted before the submission deadline. Uploaded entries without a submitted entry form will be disqualified. Groups cannot have more than four total members.

Your submission must:

  • Creatively demonstrate your perceived understanding of one of the following topic areas
    • Keep a Clean Machine
    • Protect Your Personal Information
    • Connect with Care
    • Be Web Wise
    • Be a Good Online Citizen
  • Be 1 minute or less in duration without credits
  • Must be an original and unique recording created by the submitters entered on the submitter form
  • Must be recorded during the submission period (September 5 – October 9).
  • Must comply with all of these submission guidelines and rules as stated in this document

SUBMISSION GUIDELINES: Submissions cannot misrepresent, defame, or have disparaging remarks about the University of Alabama at Birmingham, its administration, staff, employees, faculty, students, services or products. The EISD reserves the right to and will monitor or screen submissions prior to posting them. By providing a submission, the submitter grants EISD an exclusive, perpetual, transferable license to copy, publish, broadcast, display, distribute, use, edit, translate, alter, combine with other material, reuse and adapt any or all portions of the submissions in any way and for any purpose whatsoever, at any time now or in the future. Submissions that are not in accordance with the guidelines as stated herein or are not received by the contest submission deadline will be disqualified. Submissions cannot (1) be sexually explicit or suggestive, violent or derogatory of any ethnic, racial, gender, religious, professional or age group, profane or pornographic, contain nudity or any materially dangerous activity; (2) promote alcohol, illegal drugs, tobacco, firearms/weapons (or the use of any of the foregoing), any activities that may appear unsafe or dangerous, or any particular political agenda or message; (3) promote illegal behavior; (4) promote violence; (5) contain trademarks, logos or trade dress owned by others or advertise or promote any brand or product of any kind (other than the UAB trademarks, logos, trade dress, brands or products); (6) contain any personal identification, such as license plate numbers, personal names, email addresses or street addresses without permission; (7) be in violation of any of the local and national laws in the country of origin.

By submitting a submission you warrant and represent that it: (a) is your or your team's original work, (b) has not been previously published, (c) has not received previous awards, (d) does not infringe upon the copyrights, trademarks, rights of privacy, publicity or other intellectual property or other rights of any person or entity; (e) that you/your team have obtained permission from any person whose name, likeness or voice is used in the submission.

CONTEST JUDGING: During the contest judging period, submissions will be judged on the following criteria: (1) 60 percent – delivery of topic; (2) 40 percent – originality & creativity. The top three finalists will be determined by the highest cumulative scores awarded by the judges. Ties will be broken by the highest score awarded in the first criterion. If the tie continues, then it will be broken by the highest score awarded in the second criterion.

PRIZE DETAILS: The first place prize of $250 will be awarded to the individual entry that receives the most votes.  Additional prizes may be awarded to the second and third place entries.

Thursday, 16 July 2015 12:53

Cyber Security Initiative

Protecting UAB's digital assets is one of our core responsibilities. As part of an initiative to protect UAB's assets and inventory servers and workstations, UAB IT is making Microsoft SCCM available at no cost to all areas of campus. 

Having all of the asset information in and managed by a single system is critical to maintaining a secure computing environment.

Friday, 20 February 2015 10:40

Microsoft Outlook mobile app

The Microsoft Outlook mobile app will be blocked from accessing UAB mailboxes as of noon Thursday, Feb. 26, 2015, because of security concerns. Individual users of the app will be notified.
UAB IT’s Enterprise Information Security team has determined that the Microsoft Outlook mobile app violates UAB’s Password/Passphrase Standard because it caches BlazerID passwords in a cloud service — posing a serious security risk.
UAB IT will be blocking the Microsoft Outlook mobile app from accessing UAB mailboxes, so you won’t be able to receive email through the app. The Outlook mobile app is essentially a rebranded app from a company called Acompli, which Microsoft purchased recently. Many universities and other entities are also taking the step to block the Outlook mobile app.
Native mail applications on iOS and Android are still safe for use.
  • Discontinue using the Outlook Mobile App and uninstall it from your device.
  • Change your BlazerID Password
  • Configure the standard mobile app for use with Exchange (employees) or Office 365 (students). 
What does "caching in the cloud" mean?
The Outlook mobile app captures each user’s BlazerID and password and stores them in a cloud service. UAB has no contract with, nor a security assessment from, the service, so UAB IT has no way of guaranteeing the safety of those BlazerIDs and passwords.
UAB’s password/passphrase standard states that applications should not cache BlazerID passwords/passphrases without an approved exception. An official copy of this standard can be found in the UAB Policies and Procedures Library and on the UAB IT Information Security website in the IT Related Policies and Guidelines page.
If you need help setting up a new mail app on your phone or mobile device, please contact or phone 205-996-5555.
Tuesday, 28 October 2014 13:31

IT Risk Bulletins

Each month, the chief information security officers for UA, UAB, UAB Medicine and UAHuntsville publish an electronic newsletter to help users avoid IT errors.

Summer 2015 | Issue No. 8

March 2015 | Issue No. 6

February 2015 | Issue No. 5

January 2015 | Issue No. 4

December 2014 | Issue No. 3

November 2014 | Issue No. 2

October 2014 | Issue No. 1
Saturday, 27 June 2015 09:43

IT Related Contracts & Agreements

As part of the University's contract review process, UAB IT is responsible for reviewing any University contract that includes an IT or IT-related component before that contract is executed. The information below is provided to help speed the processing of contracts once they are routed to IT for review. Questions on the process or requirements should be directed to UAB IT.
  • Contracts* for software, subscriptions, or services (including software maintenance) that include  
    • Hosting/processing/transmission of UAB data external to UAB
    • PCI (Payment Card Industry) acceptance/processing of credit card transactions
    • Design, creation, maintenance, support, and/or hosting of any website/webpage
    • Personally identifiable information (PII) or personal health information (PHI) - does not include Health System Agreements which are managed by HSIS
    • Audit language
    • Custom software development
    • Agreements for products where a similar product or standard is already available/supported at UAB
    • Hardware purchase with embedded software with any of the above
  • *NOTE: For agreements that include the type of information listed above, documents/agreements must be executable, meaning they have signature lines for both UAB and the vendor.  Printing a 'click-agreement' or printing language from a website and submitting as an 'agreement' for review does not guarantee that the vendor will ever see changes/addendums that UAB may make or add to the agreement.

  • The primary goal is to minimize risk to you and UAB.  New agreements are normally subject to a more detailed review than renewal agreements. IT will review the checklist (see the FORMS section below) that you submit with your agreement for a quick determination of what review may be needed.
    • For new agreements:
      •  As necessary:
        • Confidentiality and Information Security provisions are reviewed to ensure appropriate confidentiality language is present, provisions to follow UAB on-site rules are present (if applicable), and the vendor performs background checks on their employees. For agreements that include HIPAA or PHI, a Business Associate Agreement (BAA) will also be required. The BAA is handled by the UAB Legal and/or Privacy office and not by UAB IT.
        • For agreements where the vendor is hosting/processing/or transmitting UAB information additional language is needed: appropriate vendor controls are in place to protect UAB's data and that such controls are audited appropriately; that provisions are included for the return of UAB data at the end of the agreement; and that the vendor will notify UAB in the event of any security event involving UAB data. If the vendor is processing payment transactions language supporting the PCI (payment card industry) standards are required.
        • Indemnification and Liability provisions are reviewed to ensure that the vendor indemnifies UAB from any claims that their product breaches any copyright, trademark, or patents and that they will defend any such claim at their expense.  In addition, most vendors limit any claims for any breach to a small dollar amount...IT adds language removing that limitation when the breach is for confidentiality or information security claims.
        • Web/website development agreements are reviewed to ensure the vendor is aware of and will follow UAB branding requirements, security standards, and 508 compliance requirements.
        • Audit language is reviewed and modified if needed (vendor's right to come on site at-will to audit);
        • Language is added that the "Written Agreement Governs". This is to prevent a conflict when a 'click' agreement may have to be accepted by a UAB employee to actually download, run, or maintain the product.
      • IT will also look to see if a similar service/product is already in place at UAB. If so, IT will work with the requesting department to understand and document the justification/business case for going outside the standard service/product.
    • For renewals:
      • If the renewal indicates it is governed by an existing agreement and that existing agreement was reviewed by IT initially, then the only IT review is to ensure no changes to any language are being requested by the vendor and that the renewal is consistent with the underlying agreement.
      • If the renewal is for an agreement that was not reviewed by IT initially, then IT will need to review the underlying agreement and work with the department on what options may be available to make modifications based on the criteria above for new agreements.  Modifications to existing agreements may take more time and may ultimately result in modifications not being possible...potentially increasing the risk to UAB. 
    • Language to cover all of the items above is provided in the applicable IT Addendum (see the FORMS LIBRARY section). The addendum can be printed and submitted to the vendor for signature prior to routing that agreement for signature at UAB. This will greatly speed up the review process in IT.

  • Complete the IT Checklist and attach it to your contract when routing (see the FORMS LIBRARY section);
  • If any of the items 'checked' on the list indicate an IT addendum is needed, go ahead and send the addendum to the vendor for signature prior to routing for UAB review/signature (see the FORMS LIBRARY section).  
  • UAB Contracts/Procurement also require a generic addendum be added in most cases. If you send the vendor an IT addendum, also include the UAB addendum. (See the FORMS LIBRARY section).
  • Provide any backup information such as master agreements, statements of work, etc.
  • Submit agreements that are 'executable'...they have signature lines for both parties and are not simply printed off of a web site.

Below are some items that should be considered when negotiating any agreement, not just IT related agreements. 
  • Don't base fees/costs on FTE numbers as these numbers can change each year;
  • No annual escalators; 
  • Include vendor service level expectations with remedies if they are not met/maintained;
  • Include 'piggyback clauses' where the agreement can be used by other institutions in the UA System;
  • If the vendor holds/processes any UAB data, make sure the agreement contains a data exit clause that ensures UAB data is returned at no cost to UAB and in a timely manner;
  • For agreements with professional services:
    • clearly define responsibilities and expectations of each party
    • limit travel costs for any on-site work to actual costs and to no more than 15% of the actual professional services you pay
    • include language indicating the vendor will follow UAB on-site rules if working on UAB property (see the FORMS LIBRARY SECTION)
    • include language indicating the vendor must be aware of and follow UAB's Acceptable Use of Computer policy (see the FORMS LIBRARY SECTION) when connecting devices to the UAB network
    • Don't agree to pay for services/products up front.  Base payment on milestones or completion and UAB written acceptance;
  • In most cases agreements should renew annually upon mutual agreement and with issuance of a UAB PO.  Agreements should not renew automatically or where you are required to notify the vendor xx days prior to the renewal date. 
  • For contracts that IT initiates, a standard agreement review template is used to evaluate risk. You can download a copy of that template here for your own use.

  • IT Routing Checklist - should be completed and attached to the routing packet. This checklist should help you determine which (if any) IT Addendum may be required.
  • The UAB Information Technology Addendums cover additional confidentiality, information security, and liability language to mitigate any issues related to the items/concerns above. Portions of the IT Addendum may be applicable to only certain agreements and that applicability is detailed in the various sections of the addendum.  Any changes to the IT addendum must be reviewed and approved by UAB IT. 
  • UAB Acceptable Use of Computer Resources policy
  • Business Justification/Exception Form - COMING SOON (for use when you are requesting an exception to purchase a non-standard or similar product/service)
  • General UAB Addendum (found on the Financial Affairs contract website) - covers information related to State, University, and Legal issues/clarifications.  Any changes to the UAB addendum must be approved by University Contracts.
  • Business Associate Agreement (BAA) (found on the UAB HIPAA website) - For agreements that include HIPAA (health related information).

Tuesday, 02 October 2012 13:24

Data/Drive Recovery Services

UAB has contracted with DriveSavers to provide data recovery services for the UAB
community. DriveSavers is the only data recovery company in the industry that undergoes
annual SAS 70 Type II Audit Reports and is HIPAA compliant, offering the highest level of data
security available. DriveSavers is also compliant with FAR 52.224-2 (Privacy Act), ISO 17799,
Sarbanes-Oxley Act of 2002 (SOX), the US government Data-At-Rest (DAR) mandate, the
Gramm-Leach-Bliley Act (GLBA) and the new regulation by National Institute of Standards and
Technology, NIST SP 800.34 (Rev. 1).

To view DriveSavers certifications, and learn more about Data Recovery Industry standards,

Order Data Recovery Services click & follow instructions.

Report an Incident Now 

  1. Isolate the device

    Make sure the system is disconnected from the network. This is to protect UAB from any additional impact from the incident.

  2. Determine the affected data.

    Confirm whether or not sensitive data was housed on the compromised device. This includes employee, student, patient, or research data. Determine if any sensitive data was inappropriately accessed. If so, immediately escalate to both your local management and the UAB Data Security ( or call 205-975-0842).

    If sensitive data is at risk, do not perform additional activity until you have spoken with Data Security.

  3. Perform Root Cause Analysis

    Establish the reason that the system was exploited.  Ask yourself these questions:

    • Did an end user install something harmful?
    • Was it caused by a weak password?
    • Was the system missing a patch?
  4. Remediate the issue

    The best way to restore a compromised machine is from a trusted backup or to do a clean installation. Even what used to be routine virus infections have become so advanced that we cannot trust a system once it's been infected.

    Perform password changes for end users and any administrators that may have used the system as well. This includes BlazerIDs and other accounts such as websites that were accessed from the compromised machines. Local Administrator passwords should also be changed.

  5. Reconnect to the network

    Once the system has been properly remediated, UAB Data Security, in conjunction with the HIPAA Security Office, will reconnect the machine to the network. This process can take up to 24 hours after the initial request.

    If you receive a notice saying the machine was compromised, the best way to get reconnected is to reply to that email.

    Otherwise, please call 205-975-0842 or email for assistance.

Sunday, 01 January 2012 05:00

Antivirus Software

UAB IT provides antivirus software for use by everyone at UAB, including your personal home systems. 

For home use (faculty/staff/students)

Please note: Microsoft Forefront went end-of-life in July 2015.

  • For home use on Windows 7 and Vista, UAB IT recommends Microsoft Security Essentials be installed on your Windows system. If your computer is running Windows 7, Windows Defender only removes spyware. To get rid of viruses and other malware, including spyware, on Windows 7 and Windows Vista, you should download Microsoft Security Essentials for free.

  • For home use on Windows 8, Windows Defender replaces Microsoft Security Essentials. You cannot use Microsoft Security Essentials with Windows 8 or Windows RT, but you don't need to because Windows Defender already provides built-in protection. Learn more about using Windows Defender on Windows 8.


  • For Mac (OS X), use Sophos Anti-Virus. Please click here and log in to select Sophos from the available titles.

For system administrators

UAB IT recommends that system administrators on campus use System Center Endpoint Protection (SCEP) for antivirus and malware protection for campus computers.

System Center Endpoint Protection 2012 has several advantages over Microsoft Security Essentials:

  • Centralized reporting
  • Centralized monitoring
  • Centralized management
  • Automated network client deployment
  • Advanced Microsoft support is available through professional, premier and/or software assurance programs
  • Management of the host-based Windows Firewall policy via the SCCM policy configuration interface, allowing for configuration of endpoint security as well as allowing or denying connections.

System Center Endpoint Protection 2012 provides a single, integrated platform that reduces overall IT management and operating costs.

Click here for instructions on deploying SCCM.

UAB IT's recommendation is to deploy the SCEP agent within System Center, along with the inventory agent. There are many other features you may turn on or block from use within SCCM.


  • For Mac (OS X), use Sophos Anti-Virus. Please click here and log in to select Sophos from the available titles.

Sunday, 01 January 2012 05:00


PGP Whole Disk Encryption software (or FileVault for Macs) is designed to provide an additional layer of security for your data. Encryption is required for laptops used for UAB Business, and it is highly recommended for desktops in theft-prone areas. PGP software essentially "locks down" your hard drive, making the data accessible only to you and those you authorize. The disk encryption, in conjunction with logon and screensaver passwords, protects UAB data if the computer is lost or stolen.

Encryption Methods:


Additional PGP Documentation: