The Data Classification Requirement is a standard effort to identify and classify UAB’s data as restricted/PHI, sensitive or public.
There are three classes of data as defined in the standard:
- Public Data is available to the general public and if disclosed will not cause harm to UAB.
- Sensitive data is not readily accessible or available to the general public and may require authentication for access.
- Restricted/PHI data is only available to authorized users with permission of the Data Owner for a specific purpose. It is usually regulated by law or contractual obligation.
There are three primary reasons to classify data:
- Security - It is much more difficult to secure data when you don’t know the appropriate level of security to apply. Data classification goes a long way toward simplifying the effort to secure UAB’s assets.
- Simplicity - There are a myriad of compliance requirements, rules and laws that apply to various types of data. Data classification allows us to simplify protection requirements and reduce the complexity of security rules.
- Cost - Knowing what types of data we have helps determine how they should be protected. This allows UAB to avoid applying overly constrictive security controls to data that doesn’t need them.
UAB data users are responsible for following use and handling policies for UAB data and UAB systems, as well as applicable rules and laws. Data users should not store or process sensitive data on their desktop or laptop computers without approval and appropriate security safeguards in place. Data users must report breaches to the Information Security Office and complete annual security awareness training.
UAB data stewards are responsible for the policy and practice decisions regarding their data and for classifying the sensitivity of that data. They define protection requirements for the data based on its sensitivity, any legal or regulatory requirements, and business needs. They communicate data protection requirements to the Data Custodians and/or System Administrators and define requirements for access to the data. Data owners are also to complete annual role-based training.
In most cases, yes. UAB must have a contract with the cloud provider to ensure the data is protected appropriately. Personal services do not provide the appropriate level of protection for institutional data. Do not store sensitive information on cloud storage services for which UAB does not have an approved institutional-level contract covering sensitive or restricted data.
- Public – UAB Box or UAB Microsoft OneDrive
- Sensitive – UAB Box
- Restricted - UAB Box, subject to any applicable laws. PHI and credit card information is prohibited.
The classification of research data depends on several factors such as the type of data and/or contractual elements, and thus may fall into any of the classifications defined herein. Likewise, time of release and collaboration affect the classification of research data. As such, certain unpublished research data may be classified as private or sensitive until such time as the research is published. Likewise, intellectual property that has not been disclosed to or protected by the IIE may need to be classified as sensitive. Additionally, federal laws, rules and regulations (including but not limited to FISMA, HIPAA, FERPA, and Export Controls), sponsor requirements, and UAB policies and guidelines will necessitate a certain classification. It is incumbent upon the Researcher to know the type of data and the circumstances governing the data, and to classify it accordingly. Once classified, the Researcher will need to maintain the data using the appropriate UAB system of record or database, with the appropriate access and security controls aligning to the classification standard. For example, not all UAB data storage options are recommended for sensitive data. Research data shall also be maintained in accordance with UAB’s Record Retention Policy and record retention schedule. For more information about protected research data, please refer to the UAB OVPRED or the UAB IT Data Officer.
First, you must request that an exception be granted to allow it. Restricted data must be encrypted if stored on a mobile or remote device.
- Reading and complying with UAB IT policies.
- Reporting breaches of IT security, actual or suspected, to the Information Security Office.
- Taking reasonable and prudent steps to protect the security of IT systems and data to which they have access.
- Completing annual IT Security Awareness Training.
- Implementing, managing, and/or operating a system or systems at the direction of the System Owner, Data Owner, and/or Data Custodian.
- Performing day-to-day administration of IT systems, and implementing security controls and other requirements of the University’s information security program.
- Completing annual, role-based training.
- Each system should have at least two System Administrators (one primary, one secondary).
- Protecting the data in their possession from unauthorized access, alteration, destruction, or usage.
- Establishing, monitoring, and operating IT systems in a manner consistent with Radford University Information Security policies and standards.
- Providing Data Owners with reports, when necessary and applicable.
- Completing annual role-based training.
- Responsible for the policy and practice decisions regarding data.
- Evaluate and classify sensitivity of the data.
- Define protection requirements for the data based on the sensitivity of the data, any legal or regulatory requirements, and business needs.
- Communicate data protection requirements to the Data Custodians and/or System Administrators.
- Define requirements for approving access to the data.
- Define requirements for regular auditing and removal of access to the data.
- Complete annual role-based training.
The UAB Data Classification scheme and protection requirements only apply to UAB institutional data. Use due care when handling your own personal data.
Personally Identifiable Education Records - Covered under FERPA
Personally Identifiable Education Records are defined as any education records that contain one or more of the following personal identifiers:
• Student Number
• Grades, GPA, Credits Enrolled
• A list of personal characteristics or any other information that would make the student’s identity easily traceable
Personally Identifiable Financial Information (PIFI) - Covered under GLBA
For the purpose of meeting security breach notification requirements, PII is defined as a person’s first name or first initial and last name in combination with one or more of the following data elements:
• Social security number
• Government issued driver’s license number
• Date of Birth
• Financial account number in combination with a security code, access code or password that would permit access to the account
Payment Card Information - Covered under PCI DSS
Payment card information is defined as a credit card number (also referred to as a primary account number or PAN) in combination with one or more of the following data elements:
• Cardholder name
• Service code
• Expiration date
• CVC2, CVV2 or CID value
• PIN or PIN block
• Contents of a credit card’s magnetic stripe
Protected Health Information (PHI) - Covered under HIPAA
PHI is defined as any “individually identifiable” information that is stored by a Covered Entity, and related to one or more of the following:
• Past, present or future physical or mental health condition of an individual.
• Provision of health care to an individual.
• Past, present or future payment for the provision of health care to an individual.
PHI is considered “individually identifiable” if it contains one or more of the following identifiers:
• Address (all geographic subdivisions smaller than state including street address, city, county, precinct or zip code)
• All elements of dates (except year) related to an individual, including birth date, admission date, discharge date, date of death, and exact age if over 89
• Telephone/Fax numbers
• Electronic mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate number
• Device identifiers and serial numbers
• Universal Resource Locators (URLs)
• Internet protocol (IP) addresses
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number or characteristic that could identify an individual
If the health information does not contain one of the above referenced identifiers and there is no reasonable basis to believe that the information can be used to identify an individual, it is not considered “individually identifiable” and, as a result, would not be considered PHI.
Note: Any information classified differently per regulation or policy will be protected at the highest applicable classification level. For example, a social security number that is part of a student’s record is not classified as Private Data under FERPA, but it is classified as Sensitive Data as Personally Identifiable Information (PII) and under GLBA, so it is protected at that level.
December 19, 2016
Related Policies, Procedures, and Resources
The objective of this data classification requirement is to assist the UAB community in the classification of data and systems to determine the appropriate level of security.
2.0 Objective / Purpose
All UAB data stored, processed, or transmitted must be classified in accordance with this requirement. Based on that classification, users are required to implement appropriate security controls.
3.0 Data Classification Requirements
To classify data in terms of its need for protection, use section 3.1 of this standard. To classify data in terms of its availability needs, use section 3.2 of this standard.
3.1 Classifying Data According to Confidentiality and Integrity Needs
| Classification | Definition | Examples |
|---|---|---|
| Public Data | Data that may be disclosed to the general public without harm. | Public phone directory, course catalogs, public research findings, enrollment figures, public web sites, general benefits data, press releases, newsletters, etc. |
| Sensitive Data | Data that should be kept confidential. Access to these data shall require authorization and a legitimate need-to-know. Privacy may be required by law or contract. | FERPA-covered records, budgetary plans, internal communications, proprietary business plans, patent-pending information, export control information, and data protected by law. |
| Restricted/PHI Data | Sensitive Data that is highly confidential in nature and carries significant risk from unauthorized access. Privacy and security controls are typically required by law or contract. | Social Security Numbers, credit card numbers (PCI), personally identifiable information, protected health information, GLBA data, Export Controlled data, FISMA regulated data, log-in credentials, and information protected by non-disclosure agreements. |

Note regarding Classification of Research Data: The classification of research data depends on several factors that can and often do change as research progresses. It is incumbent upon the Researcher to know the type of data and the circumstances governing the data, and to classify it accordingly.
3.2 Classifying Data According to Availability Needs
Different types of data have varying levels of importance with regard to availability or reliability of access and use. The following categories may be useful in determining availability needs:
| Category | Definition | Examples |
|---|---|---|
| Supportive Data | Supportive data is useful in day-to-day operations, but is not critical to UAB’s mission or core functions. | Course materials, meeting minutes, workstation images, etc. |
| High-priority Data | Availability of the data is necessary for departmental function. Destruction or temporary loss of the data may have an adverse effect on a business unit, college or departmental mission, but would not affect organization-wide function. | Some financial data, HR data, etc. |
| Critical Data | Critical data has the highest need for availability. If the information is not available due to system downtime, modification, destruction, etc., the University’s functions and mission would be impacted. Availability of this information must be rigorously protected. | Emergency notification/contact data, health care data, student records. |

Characteristics of Critical Data:
- Mission Risk: Short-term or prolonged loss of availability could prevent UAB from accomplishing its core functions or mission.
- Health and Safety Risk: Loss of availability may create a health or safety risk for individuals (e.g., emergency notification data, PHI).
- Compliance Risk: Availability is mandated by law (HIPAA, GLBA) or by contract.
- Reputation Risk: Loss of the data will cause significant damage to UAB’s reputation.
4.0 Responsibilities for Protecting Institutional Data
All who have access to UAB data are required to protect these data appropriately. There are different mandatory minimum requirements for University and Health System data.
Minimum security requirements for University Data may be found at Protection Requirements Based on Classification.
Minimum security requirements for Health System data may be found at UAB HIPAA Policies.
4.1 Specific Roles and Responsibilities for Protecting Institutional Data
Data Stewards have administrative control and are officially accountable for a specific information asset. Data Stewards are:
- responsible for assigning an appropriate classification to the information;
- accountable for who has access to information assets; and
- responsible for ensuring compliance with policies and regulatory requirements related to the information.
Examples: VP of Financial Affairs & Administration - financial and HR data; VP of Research & Economic Development - research administration data; Deans and Department Chairs - data from their respective academic area; Hospital Managers or Directors/VPs - data from their respective hospital/clinical area.
Data Custodians safeguard the data on behalf of the Data Steward.
UAB’s central Information Technology (IT) units shall be responsible for protecting all Institutional Data maintained/stored in the institutional information systems.
UAB Health Services Information Services (HSIS) shall be responsible for protecting all Health System Data maintained/stored in the institutional information systems.
UAB Information Security
Members of the UAB and UABHS Information Security teams are responsible for developing and implementing an information security program as well as the supporting data security and protection policies, standards and procedures.
Departmental Security Administrators (DSA)
Each unit or department senior manager will designate at least one DSA, who will act as a liaison to the UAB Information Security Team. DSAs oversee information security responsibilities for their departments, including assisting with security awareness and security incident response.
For UAB covered entities, UAB Health System has established the Entity Security Coordinator who will act as a liaison to the UABHS Information Security Team and the Entity Privacy Coordinator who will act as a liaison to the UABHS Privacy Officer.
System Administrators are individuals within the central IT/HSIS or school/department units with day-to-day responsibility for maintaining information systems. They are responsible for following all data security protection procedures and practices.
Data Users are individuals authorized to access UAB data and are responsible for protecting the information assets on a daily basis through adherence to UAB policies.
Each University / University Health System department or unit is responsible for implementing, reviewing and monitoring internal policies, practices, etc. to assure compliance.
The UAB VP of Information Technology Office and UABHS CIO of Information Systems are responsible for enforcing this data classification requirement.
Non-compliance with these standards may incur the same types of disciplinary measures and consequences as violations of other University policies, including progressive discipline up to and including termination of employment, or, in the cases where students are involved, reporting of a Student Code of Conduct violation.
Exceptions may be granted in cases where security risks are mitigated by alternative methods, or in cases where security risks are at a low, acceptable level and compliance with minimum security requirements would interfere with legitimate academic or business needs. To request a security exception, complete the Information Security Exception Request Form.
UAB has adopted the customary Information Security Terms definitions within the NISTIR 7298 Revision 2 Glossary of Key Information Security Terms.
UAB Health System has adopted the definitions set forth in the HIPAA regulations at 45 CFR Parts 160, 162, and 164.