University of Alabama at Birmingham
December 19, 2016

1.0 Overview
The objective of this data classification requirement is to assist the UAB community in the classification of data and systems to determine the appropriate level of security.

2.0 Objective / Purpose
All UAB data stored, processed, or transmitted must be classified in accordance with this requirement. Based on classification, users are required to implement appropriate security controls.

3.0 Data Classification Requirements
To classify data in terms of its need for protection, use section 3.1 of this standard. To classify data in terms of its availability needs, use section 3.2 of this standard.

3.1 Classifying Data According to Confidentiality and Integrity Needs
Public Data: Data that may be disclosed to the general public without harm.
Examples: public phone directory, course catalogs, public research findings, enrollment figures, public web sites, general benefits data, press releases, newsletters, etc.
Sensitive Data: Data that should be kept confidential. Access to these data shall require authorization and legitimate need-to-know. Privacy may be required by law or contract.
Examples: FERPA, budgetary plans, internal communications, proprietary business plans, patent pending information, export controls information and data protected by law.
Restricted/PHI Data: Sensitive Data that is highly confidential in nature and carries significant risk from unauthorized access. Privacy and security controls are typically required by law or contract.
Examples: Social Security Numbers, credit card numbers (PCI), personally identifiable information, protected health information, GLBA data, Export Controlled data, FISMA regulated data, log-in credentials, and information protected by non-disclosure agreements.
Note regarding Classification of Research Data: The classification of research data depends on several factors that can and often do change as research progresses. It is incumbent upon the Researcher to know the type of data and the circumstances governing the data, and to classify it accordingly.

3.2 Classifying Data According to Availability Needs
Different types of data have varying levels of importance with regard to availability or reliability of access and use. The following categories may be useful in determining availability needs:
Supportive Data - Supportive data is useful in day-to-day operations, but is not critical to UAB’s mission or core functions.
Examples: course materials, meeting minutes, workstation images, etc.
High-priority Data - Availability of data is necessary for departmental function. Destruction or temporary loss of data may have an adverse effect on business unit, college or departmental mission, but would not affect organization-wide function.
Examples: some financial data, HR data, etc.
Critical Data - Critical data has the highest need for availability. If the information is not available due to system downtime, modification, destruction, etc., the University's functions and mission would be impacted. Availability of this information must be rigorously protected.
Characteristics of Critical Data:
Mission Risk: Short-term or prolonged loss of availability could prevent UAB from accomplishing its core functions or mission.
Health and Safety Risk: Loss of availability may create a health or safety risk for individuals (e.g. emergency notification data, PHI, etc.).
Compliance Risk: Availability is mandated by law (HIPAA, GLBA) or by contract.
Reputation Risk: Loss of data will cause significant damage to UAB’s reputation.
Examples: Emergency notification/contact data, Health care data, Student records.

4.0 Responsibilities for Protecting Institutional Data
All with access to UAB data are required to protect these data appropriately. There are different mandatory minimum requirements for University and Health System data.
Minimum security requirements for University Data may be found at Protection Requirements Based on Classification.
Minimum security requirements for Health System data may be found at UAB HIPAA Policies.

4.1 Specific Roles and Responsibilities for Protecting Institutional Data

Data Stewards
Data Stewards have administrative control and are officially accountable for a specific information asset. Data Stewards are:
- responsible for assigning an appropriate classification to the information;
- accountable for who has access to information assets; and
- ensuring compliance with policies and regulatory requirements related to the information.
Examples: VP of Financial Affairs & Administration - financial and HR data; VP of Research & Economic Development - research administration data; Deans and Department Chairs - data from their respective academic area; Hospital Managers or Directors/VPs - data from their respective hospital/clinical area.

Data Custodians
Data Custodians safeguard the data on behalf of the Data Steward.
UAB’s central Information Technology (IT) units shall be responsible for protecting all Institutional Data maintained/stored in the institutional information systems.
UAB Health Services Information Services (HSIS) shall be responsible for protecting all Health System Data maintained/stored in the institutional information systems.

UAB Information Security
Members of the UAB and UABHS Information Security teams are responsible for developing and implementing an information security program as well as the supporting data security and protection policies, standards and procedures.

Departmental Security Administrators (DSA)
Each unit or department senior manager will designate at least one DSA who will act as a liaison to the UAB Information Security Team. DSAs oversee information security responsibilities for their departments, including assisting with security awareness and security incident response.
For UAB covered entities, UAB Health System has established the Entity Security Coordinator, who will act as a liaison to the UABHS Information Security Team, and the Entity Privacy Coordinator, who will act as a liaison to the UABHS Privacy Officer.

System Administrators
System Administrators are individuals within the central IT/HSIS or school/department units with day-to-day responsibility for maintaining information systems. They are responsible for following all data security protection procedures and practices.

Data Users
Data Users are individuals authorized to access UAB data and are responsible for protecting the information assets on a daily basis through adherence to UAB policies.

5.0 Enforcement
Each University / University Health System department or unit is responsible for implementing, reviewing and monitoring internal policies, practices, etc. to assure compliance.
The UAB VP of Information Technology Office and UABHS CIO of Information Systems are responsible for enforcing this data classification requirement.
Non-compliance with these standards may incur the same types of disciplinary measures and consequences as violations of other University policies, including progressive discipline up to and including termination of employment, or, in cases where students are involved, reporting of a Student Code of Conduct violation.

6.0 Exceptions
Exceptions may be granted in cases where security risks are mitigated by alternative methods, or in cases where security risks are at a low, acceptable level and compliance with minimum security requirements would interfere with legitimate academic or business needs. To request a security exception, complete the Information Security Exception Request Form.

7.0 Definitions
UAB has adopted the customary Information Security Terms definitions within the NISTIR 7298 Revision 2 Glossary of Key Information Security Terms.
UAB Health System has adopted the definitions set forth in the HIPAA regulations at 45 CFR Parts 160 and 164.