Specific Roles and Responsibilities for Protecting and Maintaining Sensitive Data
The following information is provided for members of the UAB community as a guide in understanding their roles and responsibilities in the protection of sensitive UAB data:
UAB’s central Information Technology (IT) units are responsible for protecting all sensitive information maintained/stored in the institutional information systems. While it is not recommended that sensitive information be stored outside centrally maintained servers and systems, any UAB department or unit that retains sensitive UAB data on departmental/unit servers, personal computers (desk and laptop), personal digital assistants (PDAs), thumbdrives, or computer disks also will be responsible for protecting and securing those data. In the case of information stored in department/unit systems, the department/unit head is charged with responsibility for data protection and designated as the data custodian.
A minimal list of the Data Custodian’s responsibilities may be found on the UAB IT web site http://www.uab.edu/it/datasecurity.
System Administrators are individuals within the central IT units or school/department units with day-to-day responsibility for maintaining information systems. They are responsible for following all data security and protection procedures and practices. (See IT Security Practices at http://www.uab.edu/it/policies/UAB_IT_Security_Practices.doc.) System Administrators are further responsible for reporting any data security breaches or compromises to their immediate supervisor. As required by the Data Custodian or department head, they perform risk assessments and data backups. They also provide secure storage, execute disaster recovery plans, and provide system documentation. System Administrators successfully complete specific security and other IT training as required.
Data Users are individuals within a department/unit who access/use UAB information systems and data. The UAB data users are responsible for following the acceptable use policies for the specific systems in use as well as all other applicable policies. Data users should not reuse or save sensitive data on their desktop or laptop computers without approval and appropriate security safeguards in place. Data users are further charged with reporting to their supervisors or managers any activities that could compromise the protection of UAB data.
Incident Reporting and Response to Relative Data Security
Any breach or compromise of UAB data must be reported immediately, especially when it involves sensitive data. Anyone who becomes aware of a breach or compromise should report the incident to his or her immediate supervisor or manager. Department/unit heads are responsible for reporting breaches to the Data Security Office in the Office of the Vice President for Information Technology. Specific procedures for reporting a suspected or actual breach/compromise of data are maintained on the Data Security web site at http://www.uab.edu/it/datasecurity/index.html. Upon receiving the report, the Data Security Office will be responsible for conducting or coordinating the investigation, making or assessing a recommendation for corrective action, reporting the incident to the Incident Response Committee or other administrative units as needed, and maintaining documentation of the incident.
Risk Assessment and Risk Management
Department/unit heads are responsible for assessing (in conjunction with UAB Information Technology) the business processes and technical risks associated with implementing any planned or proposed electronic information system or data collection system. Such risk assessments are required when sensitive data are involved and must be updated periodically. Risk assessments must identify specific procedures to manage risks. Approval for the dissemination of sensitive information will be in accordance with the UAB Information Disclosure and Confidentiality policy.
Other Data Security Policies at UAB
Other data security policies implemented at UAB (campus-wide or locally by/for a specific department, school, or system) may be more restrictive than this UAB-wide policy but may not be less restrictive.
Data Custodians located both centrally and within departments/units are responsible for implementation of this policy within their areas of responsibility. The Vice President for Information Technology is responsible for overall procedures related to the implementation of this policy and for providing implementation assistance to Data Custodians.
A violation of this policy by employees, including faculty, shall result in disciplinary action, up to and including discharge, according to established UAB disciplinary procedures. A violation of this policy by a student constitutes nonacademic misconduct, and the student will be subject to established disciplinary action.
See also the following: