The security of IT systems and information assets is dependent on the individuals managing as well as the individuals utilizing such resources. The University is committed to supporting the principles of academic freedom and the free exchange of ideas and the University's information security policies and programs are intended to support those principles while still maintaining an appropriate level of security.
The goals of this security program are to:
- Protect the University's IT systems and information assets from unauthorized access, alteration, disclosure or destruction.
- Ensure the reliability and availability of the University's IT systems and information assets.
- Ensure the privacy of faculty, staff and student information and that of other University customers or associates.
- Identify and prevent identity theft.
- Protect the reputation of the University and ensure compliance with federal and state laws and regulations.
- Establish resources and guidelines that allow all individuals within the University community to practice good data stewardship.
The components of this security program include:
- Policies – reviewed and approved through the Information Security Advisory Committee and the University-Wide Policy Development Process
- Standards, guidelines, and procedures which support and carry out the related Policies – reviewed and approved by the Information Security Advisory Committee
- Awareness & Communication – ensuring the policies and related standards, guidelines, and procedures are adequately shared and communicated to the University community.
The basics of this standard include:
- minimum/maximum length requirements for BlazerID passwords/passphrases
- password/passphrase expiration intervals
- restrictions on reusing the same password/passphrase for the six previous intervals
- password/passphrase complexity requirements
- system logging of failed attempts to log on
- disabling of unused accounts after a specific interval of non-use
- requirements for credential encryption while in transit
- several other recommendations
An official copy of this standard can be found in the UAB Policies and Procedures Library and on the UAB IT Information Security website in the IT Related Policies and Guidelines page.
Questions on this standard and its implementation should be directed to AskIT at (205) 996-5555 or to the Enterprise Information Security line (205) 975-0842 or to firstname.lastname@example.org.
May 9, 2013
Computer systems running vendor-unsupported or end-of-life operating systems are potential security threats to the UAB campus network. Vendors do not provide security patches for unsupported systems, and these unpatched systems can be exploited by attackers. Such exploitations can result in disrupted experiments, corrupted research data and/or completely compromised systems. UABIT reserves the right to disconnect these computers from the campus network to mitigate this data breach risk (see UAB’s Acceptable Use of Computer and Network Resources policy). UAB system administrators are responsible for maintaining the security of all information systems, per the campus Data Protection and Security Policy, which includes updating applications and operating systems.
Windows XP will not be supported after April 2014. Windows versions prior to Windows XP and any version of Mac OS X prior to version 10.6 should be considered unsupported.
The information in this guidance statement applies to all constituents internal to UAB.
We recommend that systems running legacy, unsupported operating systems should not be used. They should be disconnected from the network because of the significant security risk to the university’s network and environment. If the device is critical and cannot be turned off or disconnected, the device should be physically isolated from the university network. If disconnection and/or isolation are not possible, then an exemption and risk acceptance form will need to be completed, signed by the appropriate dean or vice president, and filed with Enterprise Information Security.
Unsupported legacy operating systems:
- Windows XP after April 8, 2014
- Mac OS X Family
  - Mac OS 9.x
  - OS X 10.5 (Leopard)
  - OS X 10.4 (Tiger)
  - OS X 10.3 (Panther)
  - OS X 10.2 (Jaguar)
- Ubuntu 11.10 after May 9, 2013
- Ubuntu 11.04 and prior
- Ubuntu 10.04.4 LTS
- Debian 5.0 (lenny)
- Debian 4.0 (etch)
- Debian 3.1 (sarge)
- Debian 3.0 (woody)
- Other Unix OS
  - AIX prior to 6.1
  - Solaris prior to 9 (SunOS 5.9)
Questions can be directed to email@example.com or by calling (205) 975-0842.
UAB Information Security recently discovered a new spam campaign where users are tricked into opening an email attachment that contains a virus aimed at stealing passwords and financial information. As with any suspicious email messages you may receive, please report them to firstname.lastname@example.org for inspection.
The recent spam email messages are crafted to look like they came from one of several legitimate companies such as Chase Bank, the Better Business Bureau (BBB), Department of Treasury, Dun & Bradstreet Financial Services or a wire transfer company. You should be aware that these emails are forged and that none of the information included in the email can be trusted including embedded links, e-mail addresses or phone numbers.
Here are some of the common email subject lines we have seen in this spam campaign:
- FW: Company 2013 Report
- Incoming Wire Transfer Notification
- D&B iUpdate: Company Order Requested
- Department of Treasury Notice of Outstanding Obligation – Case ######
- Better Business Bureau Complaint Case #######
- Merchant Billing Statement
- ACTION REQUIRED: A document has arrived for your review/approval (Document Flow Manager)
Windows 8 is not recommended for campus use at this time. However, if you have to support a Windows 8 portable device, it must be encrypted. At this time, BitLocker is available to accomplish this task on all Windows 8 portable devices that have a TPM chip and do not run on an ARM platform (such as a Windows 8 RT tablet). Windows 8 devices that run on an ARM platform or those that do not have TPM chips should not be used.
UAB Policy requires all laptop/portable devices owned by UAB or UAB businesses and all personal laptop/portable devices used for UAB business be encrypted. PGP, UAB’s current encryption tool, does not work on Windows 8 and Symantec has not yet set a support date for Windows 8.
BitLocker is an acceptable alternative for encrypting Windows 8 system drives in some circumstances. In the past, BitLocker has been recommended when PGP was incompatible with Windows 7 or with specific BIOS versions. Systems that are currently encrypted with PGP should remain encrypted with PGP. UAB IT is currently researching BitLocker key management solutions and will issue further guidance as it becomes available; in the meantime, BitLocker should be installed using the non-enterprise setup method below.
Non-Enterprise BitLocker Setup
Recommendations for using BitLocker
- Set a password on the system BIOS
- TPM chip in the device
- You must take ownership of the TPM chip
- Before updating the BIOS, BitLocker must be suspended
- Escrow the key in some manner
- Professional/enterprise version of Windows
- Use a TPM + PIN authentication method
- System must be formatted NTFS with two volumes
Escrowing the key
With Windows 8, you may escrow the key in one of the following ways:
- Save the recovery key to a USB flash drive: this method saves the recovery key to a USB flash drive. This option cannot be used with removable drives.
- Save the recovery key to a file: this method saves the recovery key to a network drive or other location.
- Print the recovery key: this method prints the recovery key, but it is not recommended.
It will be up to the department to maintain the escrow recovery keys.
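The following PowerShell script is an added example, not UAB's own tooling: it checks a Windows 8 device against the recommendations above (TPM present and owned, Professional/Enterprise edition, drive fully encrypted with protection on, TPM + PIN protector present) and escrows the recovery password to a file, which is the "save to a file" method listed above. It assumes the BitLocker and TrustedPlatformModule cmdlets that ship with Windows 8, an elevated session, and a placeholder departmental escrow share path.

```powershell
# Added example (not UAB's code). Run from an elevated PowerShell session on Windows 8.
# $EscrowDir is an assumed placeholder; replace it with the department's escrow location.
param(
    [string]$MountPoint = 'C:',
    [string]$EscrowDir  = '\\DEPT-SERVER\BitLockerEscrow'   # placeholder path
)

$issues = @()

# 1. TPM chip must be present and ownership taken before a TPM + PIN protector can be used.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent)   { $issues += 'No TPM chip: this device should not be used under this guidance' }
elseif (-not $tpm.TpmOwned) { $issues += 'TPM present but ownership has not been taken' }

# 2. Only Professional/Enterprise editions include BitLocker.
$edition = (Get-CimInstance Win32_OperatingSystem).Caption
if ($edition -notmatch 'Pro|Enterprise') { $issues += "Edition '$edition' may not include BitLocker" }

# 3. Volume must be fully encrypted with protection on (not suspended) and use TPM + PIN.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyEncrypted') { $issues += "$MountPoint is $($vol.VolumeStatus), not FullyEncrypted" }
if ($vol.ProtectionStatus -ne 'On')         { $issues += "Protection on $MountPoint is $($vol.ProtectionStatus)" }
$types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
if ($types -notcontains 'TpmPin') { $issues += 'No TPM + PIN protector; TPM-only unlock is weaker than recommended' }

# 4. Escrow: add a recovery password protector if none exists, then save it to the escrow location.
#    (Before a BIOS update, suspend protection first: Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1)
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}
$id   = $recovery[0].KeyProtectorId
$file = Join-Path $EscrowDir ("{0}-{1}.txt" -f $env:COMPUTERNAME, $id.Trim('{}'))
@(
    "Computer: $env:COMPUTERNAME"
    "KeyProtectorId: $id"
    "RecoveryPassword: $($recovery[0].RecoveryPassword)"
) | Set-Content -Path $file

# Report the result so the department can track which devices still need attention.
if ($issues.Count -eq 0) { "$MountPoint meets the recommendations; recovery password escrowed to $file" }
else { $issues | ForEach-Object { "WARN: $_" } }
```

The escrow file holds the recovery password in clear text, so the escrow location itself should be restricted to the staff responsible for recovering devices.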
Monthly Training Newsletters
UAB IT is now providing information security training materials to inform university faculty, staff and students about computer threats. Each month a newsletter will be released focusing on new and different cyber security threats. Contact the UAB IT Information Security office for more specific training options that can increase the protection of your information systems.
August 2013 - Protecting Your Passwords
September 2013 - Encryption - Protecting Sensitive Information
October 2013 - see links below for National Cyber Security Month publications
November 2013 - Data Protection
December 2013 - Permanently Erasing Data
January 2014 - Wifi Security
Link to Week 1 Article
Link to Week 2 Article
Link to Week 3 Article
Link to Week 4 Article
- Contracts* for software, subscriptions, or services (including software maintenance) that include
- Hosting/processing/transmission of UAB data external to UAB
- PCI (Payment Card Industry) acceptance/processing of credit card transactions
- Design, creation, maintenance, support, and/or hosting of any website/webpage
- Personally identifiable information (PII) or personal health information (PHI) - does not include Health System Agreements which are managed by HSIS
- Audit language
- Custom software development
- Agreements for products where a similar product or standard is already available/supported at UAB
- Hardware purchase with embedded software with any of the above
- *NOTE: For agreements that include the type of information listed above, documents/agreements must be executable, meaning they have signature lines for both UAB and the vendor. Printing a 'click-agreement' or printing language from a website and submitting as an 'agreement' for review does not guarantee that the vendor will ever see changes/addendums that UAB may make or add to the agreement.
- The primary goal is to minimize risk to you and UAB. New agreements are normally subject to a more detailed review than renewal agreements. IT will review the checklist (see the FORMS section below) that you submit with your agreement for a quick determination of what review may be needed.
- For new agreements:
- As necessary:
- Confidentiality and Information Security provisions are reviewed to ensure appropriate confidentiality language is present, provisions to follow UAB on-site rules are present (if applicable), and the vendor performs background checks on their employees. For agreements that include HIPAA or PHI, a Business Associate Agreement (BAA) will also be required. The BAA is handled by the UAB Legal and/or Privacy office and not by UAB IT.
- For agreements where the vendor is hosting, processing or transmitting UAB information, additional language is needed: that appropriate vendor controls are in place to protect UAB's data and that such controls are audited appropriately; that provisions are included for the return of UAB data at the end of the agreement; and that the vendor will notify UAB in the event of any security event involving UAB data. If the vendor is processing payment transactions, language supporting the PCI (payment card industry) standards is required.
- Indemnification and Liability provisions are reviewed to ensure that the vendor indemnifies UAB from any claims that their product breaches any copyright, trademark, or patents and that they will defend any such claim at their expense. In addition, most vendors limit any claims for any breach to a small dollar amount; IT adds language removing that limitation when the breach is for confidentiality or information security claims.
- Web/website development agreements are reviewed to ensure the vendor is aware of and will follow UAB branding requirements, security standards, and 508 compliance requirements.
- Audit language is reviewed and modified if needed (vendor's right to come on site at-will to audit);
- Language is added that the "Written Agreement Governs". This is to prevent a conflict when a 'click' agreement may have to be accepted by a UAB employee to actually download, run, or maintain the product.
- IT will also look to see if a similar service/product is already in place at UAB. If so, IT will work with the requesting department to understand and document the justification/business case for going outside the standard service/product.
- For renewals:
- If the renewal indicates it is governed by an existing agreement and that existing agreement was reviewed by IT initially, then the only IT review is to ensure no changes to any language are being requested by the vendor and that the renewal is consistent with the underlying agreement.
- If the renewal is for an agreement that was not reviewed by IT initially, then IT will need to review the underlying agreement and work with the department on what options may be available to make modifications based on the criteria above for new agreements. Modifications to existing agreements may take more time and may ultimately not be possible, potentially increasing the risk to UAB.
- Language to cover all of the items above is provided in the applicable IT Addendum (see the FORMS LIBRARY section). The addendum can be printed and submitted to the vendor for signature prior to routing that agreement for signature at UAB. This will greatly speed up the review process in IT.
- For new agreements:
- Complete the IT Checklist and attach it to your contract when routing (see the FORMS LIBRARY section);
- If any of the items 'checked' on the list indicate an IT addendum is needed, go ahead and send the addendum to the vendor for signature prior to routing for UAB review/signature (see the FORMS LIBRARY section).
- UAB Contracts/Procurement also require a generic addendum be added in most cases. If you send the vendor an IT addendum, also include the UAB addendum. (See the FORMS LIBRARY section).
- Provide any backup information such as master agreements, statements of work, etc.
- Submit agreements that are 'executable': they have signature lines for both parties and are not simply printed off of a web site.
- Don't base fees/costs on FTE numbers as these numbers can change each year;
- No annual escalators;
- Include vendor service level expectations with remedies if they are not met/maintained;
- Include 'piggyback clauses' where the agreement can be used by other institutions in the UA System;
- If the vendor holds/processes any UAB data, make sure the agreement contains a data exit clause that ensures UAB data is returned at no cost to UAB and in a timely manner;
- For agreements with professional services:
- clearly define responsibilities and expectations of each party
- limit travel costs for any on-site work to actual costs and to no more than 15% of the actual professional services you pay
- include language indicating the vendor will follow UAB on-site rules if working on UAB property (see the FORMS LIBRARY SECTION)
- include language indicating the vendor must be aware of and follow UAB's Acceptable Use of Computer policy (see the FORMS LIBRARY SECTION) when connecting devices to the UAB network
- Don't agree to pay for services/products up front. Base payment on milestones or completion and UAB written acceptance;
- In most cases agreements should renew annually upon mutual agreement and with issuance of a UAB PO. Agreements should not renew automatically or where you are required to notify the vendor xx days prior to the renewal date.
- For contracts that IT initiates, a standard agreement review template is used to evaluate risk. You can download a copy of that template here for your own use.
- IT Routing Checklist - should be completed and attached to the routing packet. This checklist should help you determine which (if any) IT Addendum may be required.
- The UAB Information Technology Addendums cover additional confidentiality, information security, and liability language to mitigate any issues related to the items/concerns above. Portions of the IT Addendum may be applicable to only certain agreements and that applicability is detailed in the various sections of the addendum. Any changes to the IT addendum must be reviewed and approved by UAB IT.
- UAB IT Basic Addendum (Basic with no hosting of data or web development/hosting)
- UAB IT Hosting Addendum (includes additional language when UAB data is being hosted/transmitted/processed by a 3rd party)
- UAB IT Web Addendum (includes additional language for web site branding, technical requirements and 508 compliance)
- UAB IT Full Addendum (includes both hosting and web language)
- UAB Acceptable Use of Computer Resources policy
- Business Justification/Exception Form - COMING SOON (for use when you are requesting an exception to purchase a non-standard or similar product/service)
- General UAB Addendum (found on the Financial Affairs contract website) - covers information related to State, University, and Legal issues/clarifications. Any changes to the UAB addendum must be approved by University Contracts.
- Business Associate Agreement (BAA) ( found on the UAB HIPAA website) - For agreements that include HIPAA (health related information).
UAB & National Cybersecurity Awareness Month 2012