What is the Data Classification Rule?
The Data Classification Rule is UAB's standard for identifying and classifying institutional data as Restricted/PHI, Sensitive, or Public.
What are the different classes of data?
There are three classes of data defined in the standard:
- Public data is available to the general public, and its disclosure would not cause harm to UAB.
- Sensitive data is not readily accessible or available to the general public and may require authentication for access.
- Restricted/PHI data is available only to authorized users, with the permission of the Data Steward, for a specific purpose. It is usually regulated by law or contractual obligation.
Why do we have to classify our data?
There are three primary reasons to classify data:
- Security - It is much more difficult to secure data when you do not know the appropriate level of security to apply. Classifying data up front tells everyone handling it which controls are required, which simplifies securing UAB's assets.
- Simplicity - A myriad of compliance requirements, rules and laws apply to various types of data. Data classification maps those requirements onto a small number of classes, simplifying protection requirements and reducing the complexity of security rules.
- Cost - Knowing what types of data we have tells us how each must be protected. This allows UAB to avoid applying overly restrictive (and costly) security controls to data that does not need them.
I am a Data User. What do I need to do?
UAB data users are responsible for following the use and handling policies for UAB data and UAB systems, as well as applicable rules and laws. Data users should not store or process Sensitive or Restricted data on their desktop or laptop computers without approval and appropriate security safeguards in place. Data users must also report breaches, actual or suspected, to the Information Security Office and complete annual security awareness training.
I am a Data Steward. What do I need to do?
UAB Data Stewards are responsible for the policy and practice decisions regarding their data and for classifying its sensitivity. Stewards define protection requirements for the data based on its sensitivity, any legal or regulatory requirements, and business needs. They communicate those protection requirements to the Data Custodians and/or System Administrators and define the requirements for granting access to the data. Data Stewards must also complete annual role-based training. Refer to the Data Access Policy for further information.
I use DropBox or other personal cloud services for my work. Am I in violation of this standard?
In most cases, yes. UAB must have a contract with the cloud provider to ensure the data is protected appropriately, and personal (consumer) services do not provide the appropriate level of protection for institutional data. Do not store Sensitive or Restricted information on any cloud storage service for which UAB does not have an institutional-level contract approved for that classification of data.
Which cloud service should I use for each of the classifications?
- Public – UAB Box or UAB Microsoft OneDrive
- Sensitive – UAB Box
- Restricted - UAB Box, subject to any applicable laws. PHI and credit card (payment card) information are prohibited in UAB Box.
How do I classify Research Data?
The classification of research data depends on several factors, such as the type of data and any contractual elements, and so research data may fall into any of the classifications defined herein. Likewise, the timing of release and the nature of any collaboration affect the classification of research data. For example, certain unpublished research data may need to be classified as Sensitive until the research is published, and intellectual property that has not yet been disclosed to or protected by the IIE may need to be classified as Sensitive. Additionally, federal laws, rules and regulations (including but not limited to FISMA, HIPAA, FERPA, and Export Controls), sponsor requirements, and UAB policies and guidelines may mandate a particular classification.
It is incumbent upon the Researcher to know the type of data and the circumstances governing it, and to classify it accordingly. Once the data is classified, the Researcher must maintain it in the appropriate UAB system of record or database, with access and security controls that align with the classification standard; not all UAB data storage options are approved for Sensitive or Restricted data. Research data must also be maintained in accordance with UAB's Record Retention Policy and record retention schedule. For more information about protected research data, refer to the UAB OVPRED or the UAB IT Data Officer.
I have a need to travel with Restricted university data. How can I do this in a secure way?
First, you must request an exception to allow Restricted data to be carried with you internationally. If the exception is approved, the data must be encrypted at rest on any mobile or remote device on which it is stored.
What are my responsibilities as a Data User with regard to data classification?
- Reading and complying with UAB IT policies.
- Reporting breaches of IT security, actual or suspected, to the Information Security Office.
- Taking reasonable and prudent steps to protect the security of the IT systems and data to which you have access.
- Completing annual IT Security Awareness Training.
What are my responsibilities as a System Administrator with regard to data classification?
- Implementing, managing, and/or operating a system or systems at the direction of the System Owner, Data Steward, and/or Data Custodian.
- Performing day-to-day administration of IT systems and implementing the security controls and other requirements of the University's information security program.
- Completing annual role-based training.
- Ensuring that each system has at least two System Administrators (one primary, one secondary).
What are my responsibilities as a Data Custodian with regard to data classification?
- Protecting the data in their possession from unauthorized access, alteration, destruction, or usage.
- Establishing, monitoring, and operating IT systems in a manner consistent with UAB Information Security policies and standards.
- Completing annual role-based training.
What are my responsibilities as a Data Steward with regard to data classification?
- Making the policy and practice decisions regarding the data.
- Evaluating and classifying the sensitivity of the data.
- Defining protection requirements for the data based on its sensitivity, any legal or regulatory requirements, and business needs.
- Communicating data protection requirements to the Data Custodians and/or System Administrators.
- Defining requirements for approving access to the data.
- Defining requirements for regular auditing and removal of access to the data.
- Completing annual role-based training.
What about my personal data?
The UAB Data Classification scheme and its protection requirements apply only to UAB institutional data. Use due care when handling your own personal data.
What is an “Acceptable Use Policy,” and why does UAB need one?
Information Technology (IT) resources are intended to support the university's instructional, research, and administrative operations. The objective of the Acceptable Use Policy (AUP) is to create a framework that ensures IT resources are used appropriately and in support of the university's mission and institutional goals. In addition to meeting legal requirements, such as compliance with copyright law, UAB must set requirements so that its university-owned IT resources function in an efficient, cost-effective manner in support of the university's mission and within the requirements of the Alabama Code of Ethics.
I am interested in learning more about illegal computer activities, such as those related to copyright infringement. Where can I learn more?
There are numerous sources available for copyright information.
I am a university employee. Can I use the Internet for personal use over lunch, during my break time, or during off hours?
From the Acceptable Use Policy (AUP) perspective, this is permissible to the extent that the usage complies with the AUP and other University policies. Employment restrictions could also exist that are outside the scope of the AUP.
I am a student that uses the Internet for social networking, gaming, and downloading movies and music. Are these considered acceptable use?
Yes — to the extent that the usage complies with the Acceptable Use Policy (AUP), applicable laws (e.g., copyright) and the Student Code of Conduct.
I am a faculty member with a personal business. Is use of the UAB network for my business an acceptable use of the network?
From the Acceptable Use Policy (AUP) perspective, this is not permissible without proper management authorization. Additional restrictions on such activities exist outside the scope of the AUP, notably in the Alabama Code of Ethics.
What is spam?
Spam is a popular term used for unsolicited email. According to Merriam-Webster's Online Dictionary, spam is defined as "unsolicited usually commercial e-mail sent to a large number of addresses."
I participate in a listserv or a large group mailing. Is this considered spam and a violation of policy?
No. Not all mass broadcast messages are "spam". Mass broadcast messages that are authorized University business or mission related, and that comply with the Acceptable Use Policy (AUP), applicable laws and the Code of Ethics, are not a violation of policy.
Where can I go for more information about spam?
- Federal Trade Commission
- File a Complaint with the Federal Trade Commission
- CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003).
Does the university monitor my use of the UAB computing network?
To meet Federal requirements such as the Communications Assistance for Law Enforcement Act (CALEA), the Family Educational Rights and Privacy Act (FERPA), the Higher Education Opportunity Act (HEOA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the University employs various measures to protect the security and availability of its information resources.
Users should be aware that their uses of University computer and network resources are not private. While the University does not routinely monitor individual usage, it does monitor the normal operation and maintenance of the University's computing and networking resources including backup, logging of activity, the monitoring of general and individual usage patterns, and other such activities that are necessary for information security and the delivery of service. In addition, the University reserves the right to review, monitor and/or capture any content residing on, or transmitted over, its computers or network at its sole discretion without prior notification or approval.
What happens if my computer becomes infected with a virus?
The university is obligated to maintain the integrity of its IT resources and therefore reserves the right to disable network access when that integrity is jeopardized by an individual user's infected system. UAB also offers assistance through Desktop Support and TechConnect to aid in the clean-up and remediation of infected systems.
What happens if I inadvertently violate this or other policies? For instance, if I accidentally give my password away to a phishing site?
These policies are enacted to protect the university and its constituents. Individuals are expected to stay alert to cyber threats, and an inadvertent violation such as falling for a phishing site should be reported promptly to the Information Security Office; victims of such attacks may be asked to complete remedial training. Repeated violations or negligence may result in loss of access and progressive consequences appropriate to the offense.